FileVault 2

ssuttle
New Contributor II

I have a question about FileVault 2. The way my predecessor (who is no longer reachable) configured Jamf and our onboarding process, a policy was created to Enable FileVault 2 – Once per computer (which makes sense so far), but he lost me creating the scope. We manually add each new (Specific) computer to the scope during our setup. I would like to make the policy's scope more admin-friendly and change it to All Computers. The question is – if I go into the policy and change the scope, which has already been applied to all computers on an individual basis to this point, will that screw things up and attempt to re-apply the policy, or re-run FileVault 2 encryption, on all computers within our environment?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Once per computer means exactly that. It won't run again, normally speaking, on any machines previously in scope that it already ran on, UNLESS you flush the entire policy log, or individual policy log entries, in which case it would try to run on those Macs again. Essentially, as long as the Jamf Pro server has a log entry in the policy that it ran, or even attempted to run, on a Mac, it won't try it again on that machine unless you intervene in some way.

However, it would probably make more sense to use a Smart Group to look for Macs that don't have FileVault enabled and the machine encrypted, so it will only run on those Macs. If you set things up correctly, you could even have it enabled for a once per day or once per week frequency.
The thing is, with the new Macs + chips + OS, it gets a little more complicated to set up a proper Smart Group, because my understanding is the new machines arrive in a state that looks like FileVault is already enabled when it's really not. So you might have to do some research on how to properly set up the group to avoid missing machines that really need FV2 enabled. I can't help there because I've yet to get one in my hands to see how they are set up. I'm only going by things I've read on this forum.

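One way to build the Smart Group the answer above recommends is to key it on what `fdesetup status` actually reports, rather than on whether the volume looks encrypted. On T2 and Apple Silicon Macs the data volume is hardware-encrypted at rest, so volume-level encryption checks can show "encrypted" while `fdesetup status` still says "FileVault is Off." The script below is an added example of a Jamf Extension Attribute that classifies that output; it is not Jamf's own EA or anything from this thread. The result states (Enabled, Off, Deferred, InProgress, Unknown), the EA name, and the Smart Group criterion suggested after the block are assumptions. The sample status strings in the test are constructed from the wording `fdesetup status` prints on macOS.

```shell
#!/bin/bash
# Added example Extension Attribute (not Jamf's own): report the real
# FileVault state so a Smart Group can target only Macs that still need FV2.
# Assumed result states: Enabled | Off | Deferred | InProgress | Unknown

# classify_fv_status TEXT
# Maps the text printed by `fdesetup status` to one of the result states.
# Order matters: an encryption/decryption run also prints "FileVault is On."
# and a pending deferred enablement also prints "FileVault is Off.", so the
# more specific lines are matched first.
classify_fv_status() {
    status="$1"
    case "$status" in
        *"Encryption in progress"*|*"Decryption in progress"*) echo "InProgress" ;;
        *"Deferred enablement"*)                               echo "Deferred" ;;
        *"FileVault is On"*)                                   echo "Enabled" ;;
        *"FileVault is Off"*)                                  echo "Off" ;;
        *)                                                     echo "Unknown" ;;
    esac
}

# report_result
# Runs fdesetup when it is available (macOS) and wraps the classification in
# the <result></result> tags Jamf expects from an Extension Attribute script.
# Off-macOS (or if fdesetup fails) the EA reports Unknown rather than guessing.
report_result() {
    raw=""
    if command -v fdesetup >/dev/null 2>&1; then
        raw=$(fdesetup status 2>/dev/null) || raw=""
    fi
    echo "<result>$(classify_fv_status "$raw")</result>"
}

report_result
```

With this EA in inventory, a Smart Group whose criterion is that the EA value is not "Enabled" (and, if you want to leave deferred and in-progress machines alone, also not "Deferred" or "InProgress") gives the policy a scope that only contains Macs where FileVault genuinely still needs turning on, so a Once every day or Once every week frequency would no longer risk re-running on already-encrypted machines. Unknown values are worth keeping visible, since they flag Macs whose inventory is stale or where the EA did not run.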

2 REPLIES 2


ssuttle
New Contributor II

Thank you @mm2270 .