Not really a zero touch but no key shown to end-users.
I got clarification from JAMF on this.
The reason that we see the key with the Configuration Profile is because the profile is essentially just going into System Preferences and checking the box to enable FileVault, which when this is done by the end user will show us the encryption key. Now with a policy, we are calling the fdesetup command and passing in parameters to encrypt the machine and send the key to the JSS.
Because of the difference in how the policy calls FileVault versus how the Configuration Profile calls FileVault, this is why we see the key with the Configuration Profile and not with the policy.
Basically if we want users not to be able to see a recovery key, we have to use a policy based approach. However this brings another issue.
Because FV2 cannot encrypt a network user, we have to convert them to mobile user using configuration profile. During enrollment, both - the mobile user configuration and the encryption policy are being applied. Because a mobile conversion requires a restart before being applied, the encryption policy fails (user is still under Network at this time). Unless I set the encryption policy to be ongoing and not once per user per computer, I would have to flush logs in order to reapply.
Is there an approach that can apply policies only after certain parameters are met?
e.g. only apply this policy once a managed configuration X has been successfully applied.
This can probably be scripted but I wanted to see if this function is already baked into JSS.
