Help

File Vaulting

ism
New Contributor II

Posted on ‎07-23-2017 11:05 AM

Hello there,

We have configured File Vault 2 as a policy and scoped it to users, and we have noticed that Turn off file vault option is available for them. We have created a configuration profile and which does the job and disable the option of disabling File Vault.

Question is, which one to use? if we decided to go with Configuration Profile what time the policy is going to trigger? and should we get rid of the file vault policy? Please suggest. e138619086b84df894c1b9c5f9149366

0 Kudos
4 REPLIES 4

ism
New Contributor II

Posted on ‎07-23-2017 11:06 AM

896cc42fb54c4e2eb2ea2f8c7238aeab

0 Kudos

sdagley
Esteemed Contributor II

Posted on ‎07-23-2017 08:03 PM

@ism Use a Configuration Profile to enforce the setting if you want to ensure your users can't turn off FV2. Configuration Profiles are executed as soon as the client machines get a notifications via APNS, so if they're awake and on the network it's almost immediate. If you use a Configuration Profile to set FV2 you do not need a separate Policy for it.

0 Kudos

davidacland
Honored Contributor II
Honored Contributor II

Posted on ‎07-24-2017 04:01 AM

We're using configuration profiles for FV as well. We used policies a few years ago, but switched to config profiles as soon as they were available.

0 Kudos

gachowski
Valued Contributor II

Posted on ‎07-24-2017 10:41 AM

So more info.

  1. I still think even with the "blocking" configuration profile, the user can still disable it from the CLI.
  2. Last I checked there is no way to set the enable profile to enable on log in, in my testing any other enable trigger the user can "cancel" and then still user the computer. If the policy is configured enable profile to enable on log in and the user "cancels " it the machines just reboot to the log in window again and the same FV2 enable window.
  3. There is a new profile for High Sierra so changes are coming with APFS

C

0 Kudos