File Vault 2: No Longer Enabling on Catalina

Heavy_D
Contributor III

We currently have a configuration profile that enables the FV2 & Redirects the Key back to JAMF servers.

However now while testing with Catalina among all the is officially broken the FV2 seems to be in a loop. When I restart the machine I get the typical "To add this user to FileVault, enter the password for $jamfuser" following adding the PW it proceeds with this new message now instead of producing a KEY like normal.

"Enabling FileVault on your volume.
The Initial set-up may take a few minutes. The FileVault recovery key will be displayed when FileVault is ready. This may show up after this user logs out."

It then loops everytime I restart the machine never really Enabling FV2.

Anyone else encountering this as well?

UPDATE: More on this issue here: Catalina - FileVault Enablement

16 REPLIES 16

jordy_witteman
New Contributor III

@JarvisUno Yes we had the same issue starting with macOS 10.15, seems to be broken when enabling FV at logout. Have a look at this topic: https://www.jamf.com/jamf-nation/discussions/33538/catalina-filevault-enablement

Heavy_D
Contributor III

@jordy.witteman So is the only solution right now is to Enable it upon login instead of log out?

Is this something that JAMF or Apple needs to fix?

jordy_witteman
New Contributor III

@JarvisUno I believe Apple needs to fix it because I created a custom FV config profile (signed) only with the required keys and could reproduce easily. The easiest fix seems to use a policy 'At next login' combined with a config profile to require FV and to escrow the recovery key.

Heavy_D
Contributor III

@jordy.witteman This would be that custom script you posted on your thread correct?

jordy_witteman
New Contributor III

@JarvisUno Yes if you only want to use a config profile without any policies that one should work if you paste that in the PayloadContent of the mobileconfig file. For now I use the following successfully without having to use the custom config profile:
Config Profile --> Security & Privacy: Require FileVault 2 + Escrow Recovery Key
Policy with Disk Encryption: At Next Login

beeboo
Contributor

@jordy.witteman

i have that setup too except no "require filevault 2"
its set to current or next user

however, it just loops and loops and by random chance it would do the encryption.

no idea why.

manual intervention allows it though.

Heavy_D
Contributor III

@jcheLC I just started to notice this as well, this was working fine up until a couple of days ago and it just so happens that I wiped my test machine and am seeing this now. I have wiped it x3 times since then and FV2 has only enabled x1 of those times.

beeboo
Contributor

@JarvisUno do you have a workaround or whats your worklflow now?

it randomly enables for us for us, not sure why, its like after 4-5 reboots/retries.

i can do it manually, but that defeats the purposed of automation :(

Heavy_D
Contributor III

@jcheLC I do not I have started to discover what I can do as of right now I do not have a game plan. Zero Touch for Mac's is a "Lie"

AdamCraig
Contributor III

there are other threads about this: https://www.jamf.com/jamf-nation/discussions/33538/title#responseChild195408 but basically the Filevault doesn't enable at logout, but it works at login. My quick solution was to set up this policy and scoped to Catalina computers. there is an extra reboot involved in our provisioning process but it works.
446aedd8486546dea4e40e86e7bba65d

peaudunk
New Contributor III

The closest I've got to "Zero Touch" on Jamf Pro 10.13.1 is using MDS (no ardunio, so a few touches to get to recovery, launch terminal, run command), which auto logs in a temp local admin and uses preloaded jamfhelper to prompt to trigger enrollment using the profiles binary (3 clicks).

After enrollment reboot the user first run script manually prompts for user (Mobile Admin) password using jamfhelper/osascript
Use sysadminctl to grant a secure token to user (necessary in 10.15, not 10.14 in my testing)
Use fdesetup to enable FV (Catalina requires user clicking accept to allowing fdesetup, on the to-do list to fix)
Use sysadminctl to disable secure token for temp admin
Use "diskutil apfs updatePreboot /" to remove temp admin from FV login screen
Delete temp admin

Was sort of surprised it worked with Catalina. Interested to test out bootstrap tokens in Jamf Pro 10.18.

Heavy_D
Contributor III

@strayer That is current policy I have setup it was working just fine it's now looping and I restart it multiple times but it never turns on FV2.

13d668dadb704f0e88233db59d16a1c2

5868106b62cf488780f64af353dda0a3

caf08be9953c43b0928c3fadb88f4dcd

ed068ccfbe9940e79dbfb98c2de9627c

It's very frustrating because I thought I was passed this issue already and well here I am again.

beeboo
Contributor

same as you @JarvisUno

literally same setup with next login, only thing i notice that we have different vs everyone else so far is that they . have "require fv2" checked in your second to last picture.

no zero touch here, what i do is manually go in and enable FV.
good thing is, at least it knows where the JAMF server is and shoots the key there vs originally asking for iCloud....which was very unnerving.

Heavy_D
Contributor III

Still stuck with this garbage @peaudunk Can you post the actual commands you are using on a manual basis as I am going to have to do the same thing till there is a better solution out there.

peaudunk
New Contributor III

@JarvisUno This is the FV section of my user Mobile Account first run script for 10.15.3.

It starts with an Erase+Install package that sets up ladmin to autologin and trigger DEP enrollment via Jamf Helper, which binds the machine+misc, never enabling FV for ladmin, but it has a secure token.

Config Profile escrows key, once FV is enabled and inventory update, CP gets updated to require FV.

Hopefully getting to test bootstrap in the next couple months.

#!/bin/sh
##variables
#logged in user
USER=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");')

#jamf helper location
JAMFHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
FIRSTMSG="Welcome to Mac@Company!\n\nYou will now be asked to input you password to encrypt the system with FileVault."
FIRSTMSGFORMATTED=$( echo $FIRSTMSG )
MSG="FileVault has been successfully configured.\n\nPress OK to continue setup.\n\nWhen the Self Service app loads the user interactive portion of enrollment is complete."
FINALMSG=$( echo "$MSG" )

#FileVault Status
FVSTATUS="$(/usr/bin/fdesetup status)"

#FileVault Status Check
if [ "$FVSTATUS" != "FileVault is On." ]; then

#branded jamfhelper window to inform end user about FileVault process
"$JAMFHELPER" -windowType utility -title "Mac@Comapny" -description "$FIRSTMSGFORMATTED" -button1 "Okay" -icon /path/to/brandingimage.png

#get passwords
PASSWORD="$(/usr/bin/osascript -e 'Tell current application to display dialog "Please enter your  password:" default answer "" with title "FileVault Setup" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"
PASSCHECK=`dscl /Local/Default authonly $USER $PASSWORD; echo $?`

#autheticate password
while [[ "$PASSCHECK" != "0" ]]; do
echo "asking again"
PASSWORD2="$(/usr/bin/osascript -e 'Tell current application to display dialog "Incorrect password, please try again:" default answer "" with title "FileVault Setup" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"
PASSWORD=$PASSWORD2
PASSCHECK=`dscl /Local/Default authonly $USER $PASSWORD2; echo $?`
done

#grant secure token
sysadminctl -adminUser ladmin -adminPassword ladminpw -secureTokenOn $USER -password "${PASSWORD}"

#enable FileVault
/usr/bin/fdesetup enable -inputplist << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$USER</string>
    <key>Password</key>
    <string>$PASSWORD</string>
</dict>
</plist>
EOF

#branded jamfhelper window to inform end user about process completion
"$JAMFHELPER" -windowType utility -title "FileVault Setup Complete" -description "$FINALMSG" -button1 "OK" -icon /path/to/brandingimage.png

#remove secure token from ladmin
sysadminctl -secureTokenOff ladmin -password ladminpw -adminUser $USER -adminPassword "${PASSWORD}"

#remove ladmin from filevault login screen
diskutil apfs updatePreboot /

fi

Heavy_D
Contributor III

@peaudunk This looks interesting I am kind of a visual learner mind sharing your workflow and how you have it all setup so I can test this on my end?

But I like what I see here.