Posted on 01-31-2021 11:33 PM
Dear all,
I'm having a lot of trouble with some machines that have a FileVault 2 config profile and a policy applied to enforce enablement; however, for 5-6 machines out of about 30 in total, FileVault 2 ends up disabled and the policy log says
"FileVault is Off.
Deferred enablement appears to be active for user ' '. "
I checked a couple of links here, but as far as I can see nobody ever found a solution. The Jamf Cloud instance is almost new and I'm enrolling machines for the first time, not AD bound.
Posted on 02-01-2021 02:23 AM
Check that the users of the Macs in question have a secure token.
Posted on 02-01-2021 02:43 AM
@mschroder how can I check that? Note that most of the machines have been reset and Big Sur reinstalled, and the user account is the one created in Setup Assistant. I don't get why a secure token would be missing.
Posted on 02-01-2021 02:52 AM
rtrouton has a nice summary on https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/
Posted on 02-01-2021 11:28 AM
Did you log in as the user created by Setup Assistant? I believe this is the one that receives the initial secure token and will trigger FV.
Posted on 02-05-2021 12:38 PM
We run into this in our environment far too often... and when we provision these user accounts we verify that the user account is ENABLED; then something happens between that point and actually activating FileVault. @mschroder 's link above is a nice reference... but here are the quick and dirty commands you'll need to use to resolve this:
sysadminctl -secureTokenStatus USERNAME
If the user shows as unknown, you may have a network account that needs to be converted to a Mobile account... that's beyond the scope of this answer! If it just shows as DISABLED, in Terminal log in to your administrator account and run the following command - note the separate hyphens (scroll all the way to the right!) after the password switches so that you can enter the passwords interactively without being seen; YOU WILL NEED TO KNOW THE USER'S PASSWORD!
sysadminctl -secureTokenOn USERNAME -password - -adminUser ADMINNAME -adminPassword -
Hopefully it will report success; if you get an error about "secure unlock" you may need to run the command from an instance of a user who already has Secure Token enabled (e.g. the first user on the Mac in most circumstances, who can then transfer it to other users).
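To turn the manual check in the answer above into something a Jamf policy or a fleet audit can run before it tries to enforce FileVault, here is an added shell example (not code from any poster in this thread, and not a Jamf-provided script). It wraps `sysadminctl -secureTokenStatus` and classifies its output as ENABLED, DISABLED or UNKNOWN, so a script can refuse to proceed, or report to the console, when the FileVault-enabling user has no Secure Token. The sample output lines at the bottom are constructed to mirror the real `sysadminctl` message format; the function names are my own.

```shell
#!/bin/sh
# Added example: classify a macOS user's Secure Token state from sysadminctl output.
# sysadminctl prints its result on stderr as a line such as
#   sysadminctl[512:9012] Secure token is ENABLED for user Alice
# so the wrapper below merges stderr into stdout before parsing.

# classify_token_output: reads sysadminctl output on stdin, prints one of
# ENABLED / DISABLED / UNKNOWN. Input is captured once so it can be matched
# several times (a pipeline of greps would consume stdin on the first test).
classify_token_output() {
    out=$(cat)
    case "$out" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# secure_token_state USERNAME: runs the real check when sysadminctl exists
# (macOS), otherwise reports UNKNOWN so the script degrades safely elsewhere.
secure_token_state() {
    user="$1"
    if command -v sysadminctl >/dev/null 2>&1; then
        sysadminctl -secureTokenStatus "$user" 2>&1 | classify_token_output
    else
        echo UNKNOWN
    fi
}

# fv_user_ready USERNAME: exit status 0 only when the account holds a token,
# i.e. when a FileVault enablement policy for that user can actually succeed.
# An UNKNOWN result is treated as not ready (the account may not be local).
fv_user_ready() {
    [ "$(secure_token_state "$1")" = ENABLED ]
}

# Stand-alone usage: check the currently logged-in console user, mimicking the
# situation in the thread where the policy log reports deferred enablement.
if [ "${1:-}" = "--check" ]; then
    console_user=$(stat -f %Su /dev/console 2>/dev/null || id -un)
    state=$(secure_token_state "$console_user")
    echo "Secure Token for $console_user: $state"
    if fv_user_ready "$console_user"; then
        echo "OK: FileVault enablement can proceed for $console_user"
    else
        echo "WARN: $console_user cannot enable FileVault until a token holder grants one"
        exit 1
    fi
fi
```

Run it as `sh check_token.sh --check` on the Mac in question; a non-zero exit makes it usable as a Jamf "before" script that stops the FileVault policy from logging another "Deferred enablement appears to be active" failure.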