FileVault 2 and Deferred Enablement

nick_pettis
New Contributor

I'm trying to solve the puzzle of "deferred enablement" in deploying an individual key configuration to 10.8 machines via self service.

Seems that if a user does anything but immediately log out after the 10.8 encryption policy is run from self service, the machine goes into deferred enablement. I verified this using the following command:

sudo fdesetup status

For example, when they see the logout message, most users try to be good citizens and close applications/windows. This seems to defeat the rest of the process and no amount of restarting will nudge the machine out of this state. As far as I can tell, the policy needs to be run again and once it completes, the user must immediately log out. If he/she closes open applications and windows, we'll be stuck in the loop again. The question is:

Once a machine reaches a state of deferred enablement, how do we close the deal?

In my experience, logouts and restarts do not help if the user doesn't complete the process in the proper sequence without adding any of his/her own steps. Do I have to depend on the user to run the policy again...and correctly?

First post and new to Casper. Thanks for any help!


rtrouton
Release Candidate Programs Tester

For your disk encryption policy, do you have it set for Management Account or Current or Next User?

If you have it set for Management Account, it will turn on FileVault 2 encryption and set the Casper management account to show up at the FileVault 2 pre-boot login screen.

If you have it set for Current or Next User, it will turn on FileVault 2 encryption and use the currently logged-in user account (or use the next account to log in, if nobody is logged in at the time). On logout, the user will be prompted to enter their account password. Once entered, FileVault 2 will be enabled. Once the enabling process is complete, the Mac will restart and the user account will show up at the FileVault 2 pre-boot login screen.

It's important that the user log out once the policy is run, not restart. If the user restarts, they will not be given the opportunity to enter their password and FileVault 2 will not enable at that point. Instead, the process will wait for the next time that the selected user logs out.

If you want more information about this, I gave a talk at the 2012 JAMF National User Conference about FileVault 2 and how Casper manages FileVault 2 encryption.

The video of the talk is available here:

http://derflounder.wordpress.com/2012/11/30/managing-filevault-2-on-os-x-mountain-lion-with-the-casp...

My slides are available from here:

http://derflounder.wordpress.com/2012/10/23/slides-from-the-filevault-2-session-at-jamf-nation-user-...

nick_pettis
New Contributor

Thank you for your detailed response, rtrouton.

The policy is set for Current or Next User. It should also be noted that we are using an individual key.

I understand that the user must log out after the policy is run. In your experience, does it matter if they close applications or save documents before they log out? Or does it ultimately just matter that he or she logs out in the end?

Also can you shed any light on "deferred enablement"? As I understand it, the next time the user logs out, they should be asked to authenticate and enable FileVault. But this is not happening.

I have several users who are in a state of deferred enablement (according to the results of 'sudo fdesetup status') but neither logging out nor restarting triggers FileVault to enable. So they are stuck.

Please let me know if you have any ideas. I have a case open with Apple on this topic as it seems to be more about the behavior of the binary than anything to do with Casper.

Thanks for the links. I actually attended your talk at the JNUC before we had purchased Casper and have also watched the video!

rtrouton
Release Candidate Programs Tester

For the users who are having problems, are they on Macs with Fusion drives? If they are, there's a known issue with Apple's fdesetup tool in 10.8.2 / 10.8.3 (which Casper uses for its FileVault 2 management) not being able to run a deferred enablement of FileVault 2 on a Fusion drive.

nick_pettis
New Contributor

Thanks for the tip, rtrouton. Unfortunately, we don't have any Macs with fusion drives.

The issue has occurred on both spinning platter drives in MB Pros as well as SSDs in MB Airs.

I do have a case open with Apple and will post any new findings.

CasperSally
Valued Contributor II

I'm seeing something a little different: on logout, the user isn't always getting the message "to enable filevault enter the password." I'm testing FileVault with Mountain Lion (10.8.2).

Login policy runs, policy shows status:
/usr/sbin/jamf is version 8.64
Executing Policy Enable FileVault...
FileVault is Off.
FileVault master keychain appears to be installed.
Deferred enablement appears to be active for user 'admin'.

sudo fdesetup status shows virtually the same text:
FileVault is Off.
FileVault master keychain appears to be installed.
Deferred enablement appears to be active for user 'admin'.

If I flush the policy history for that computer, and login as admin and back out, the policy runs again and, at least so far in my testing, the user is then prompted at logout to enter their password.

If I reimage the same computer and run through the same steps, it usually does prompt the user on initial logout but not always.

Anyone else seen this, or any tips? I will get a ticket in with Apple as well, it seems like more their issue than JAMFs.
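The three states that show up in this thread (encrypted, deferred enablement pending for a named user, or simply off) are easy to confuse when eyeballing fdesetup output. The function below is an added example, not code from the thread or from JAMF: it classifies `fdesetup status` text read from stdin so a policy or inventory script can branch on it, and it falls back to a constructed sample of the output quoted above when fdesetup is not present.

```shell
#!/bin/sh
# Added example (not from the thread): classify `fdesetup status` output as
# "on", "deferred:<user>" or "off". The text is read from stdin so the same
# function can be run against captured output on a machine without fdesetup.

fv_state() {
    # fdesetup prints one fact per line; slurp the whole report.
    status=$(cat)
    case "$status" in
        *"FileVault is On."*)
            echo "on"
            ;;
        # Deferred enablement is reported alongside "FileVault is Off.",
        # so this pattern must be tested before the plain "off" one.
        *"Deferred enablement appears to be active for user"*)
            # Pull the quoted account name out of the deferred line.
            user=$(printf '%s\n' "$status" \
                | sed -n "s/.*active for user '\([^']*\)'.*/\1/p" | head -n 1)
            echo "deferred:$user"
            ;;
        *"FileVault is Off."*)
            echo "off"
            ;;
        *)
            echo "unknown"
            ;;
    esac
}

# Constructed sample mirroring the status text quoted in this thread; not a real capture.
SAMPLE_DEFERRED="FileVault is Off.
FileVault master keychain appears to be installed.
Deferred enablement appears to be active for user 'admin'."

# Use the real tool when it exists (on a Mac); otherwise demonstrate on the sample.
if command -v fdesetup >/dev/null 2>&1; then
    fdesetup status | fv_state
else
    printf '%s\n' "$SAMPLE_DEFERRED" | fv_state
fi
```

A smart group or extension attribute built on this output can tell "stuck in deferred enablement for user X" apart from "never enabled", which is the distinction several posts below are trying to make by hand.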

MORPHO
New Contributor

Hi CasperSally

Have you found a solution to your problem?

I am having exactly the same problem on a MacBook Air, yet my policy works correctly when it is applied to a hundred Macs.

Cordially

CasperSally
Valued Contributor II

Nope. My techs have to call me when it happens and I flush the policy and then it runs again and works the 2nd time. JAMF/Apple kind of gave me the run around on the issue.

blinvisible
Contributor

Same issue with our setup. Inconsistent behavior overall, doesn't seem to matter if the user performs a logout or a reboot. Seems more likely to succeed if the logout/reboot occurs the first time the policy runs, but again, not consistent. Also hard to tell if it's a Casper problem or a FileVault 2 problem.

gachowski
Valued Contributor II

Just to add a data point for everyone.

We call the policy FV in our setup script that runs after the user logs in the 1st time. At the end of this script the machines reboot, using sudo shutdown. You would think that this would trigger the message "to enable filevault enter the password" and it doesn't. There is a "bug" and the only way I could get the message "to enable filevault enter the password" to pop up was to trigger the reboot/log out from the GUI. So I created a script that does this and put that in the user template on the desktop. The onsite team has to run the script when they set up the machine.

osascript -e 'tell application "/System/Library/CoreServices/System Events.app" to restart'

They have not reported back that they are not seeing the "password" pop up and we have very few machines that are not getting encrypted. My non-encrypted machine % is significantly less than my onsite error %, so I think it's the onsite guys rushing or the users are decrypting. Also I tested this a million times and always saw the "password" pop up and was able to encrypt the machines. Ok, not a million times, but it was a lot.

My guess is that it's an Apple issue. I have an open feature request that we be able to automate the FV process without any user interaction, hopefully it will get in X.9.

C

mm2270
Legendary Contributor III

We've seen the same thing. As far as I can tell, sudo shutdown does something different than the normal OS shutdown, as in, it's more abrupt and so it doesn't trigger the enable FileVault pop up screen. We've also tried killing the loginwindow process, but that also doesn't work. Only a GUI initiated shutdown, restart or log out will make it appear.
So we had to do something similar here where we initiate a log out using AppleScript calls instead of a pure unix shutdown function.

That said, I'm not certain I would classify this as a bug. Apple may have designed it that way to prevent odd situations where the login window crashes or is killed and the user gets prompted to enable FileVault. I'm just guessing there. I have no inside knowledge of how they designed it to work.

blinvisible
Contributor

Our issue seems to persist even if it's a user-initiated logout or restart. CasperSally's trick of flushing the policy log did finally result in the FileVault password prompt appearing for our test users, but I've no clear evidence that the action and the result are actually related, or if the policy log flush does something else or has some side effect that ultimately fixes the problem, or if it's just a red herring altogether.

blinvisible
Contributor

Gah, still having this issue pop up sporadically. I've seen it on iMacs and MacBook Pros running 10.8.5 with no other CoreStorage volumes present (no Fusion Drives or anything else), occurring both when the logged in user performs a GUI-initiated logout or restart, and persisting when the policy from the history log for a specific machine is flushed. We have inconsistent results when flushing the policy itself. I've yet to discover what the common thread could be that causes this issue. So frustrating.

tkimpton
Valued Contributor II

I'm having issues with this even on 10.9 and JSS 9.2. Has anyone managed to get this working at all? :(

tkimpton
Valued Contributor II

3 days of testing and troubleshooting to find defect D-005978

Hopefully this will happen soon!

https://jamfnation.jamfsoftware.com/featureRequest.html?id=1699

blinvisible
Contributor

We have not gotten this working. I thought I'd fixed it by having clients delete the file_vault_2_id.xml file in /Library/Application Support/JAMF, but while that did get the deferred enablement encryption prompt to appear, it prevented the encryption key from getting uploaded to the JSS, which for us is a Very Bad Thing so we don't do that anymore. Haven't had any luck with any other solutions.

Good to know it's now a documented defect, I guess. Been a while since the last JSS update so hopefully that means we can expect lots of bug fixes and feature request implementations. =)

clifhirtle
Contributor II

JSS 8.7.3. OS X 10.9.1. Deferred enabling has been working fairly well for us, after I accepted that users are only prompted when logout or restart are triggered from the actual UI versus Terminal. In consideration of this, I run a policy set up as follows:

  • Triggered by: custom trigger set to fire off every day @ X hour
  • Frequency: Ongoing
  • Scope: "Needs Filevault": smart group based on FV2 Status = "No Partitions Encrypted"
  • Disk Encryption: enables for institutional+individual key
  • Script: runs after policy. Reminds user they need a one-time logout, with option to cancel or Encrypt. On Encrypt, prompt user with standard UI logout prompt.

Almost all our users are on laptops and off network, so I run this policy as an offline policy with a pre-run FV check (courtesy @mm2270). This offers the ability to regularly remind folks of the need to enable encryption, trigger anywhere they are, and immediately disable once they've fully encrypted their machines. Here's the script for anyone who would like to use it:

#!/bin/bash

#### Casper Encryption Reminder Dialog (Utility Style)
#### C. Hirtle with code/contributions from mm2270
### Offline Discussion: https://jamfnation.jamfsoftware.com/discussion.html?id=9251

#### Read in the parameters (Casper passes mount point, computer name and username as $1-$3)
mountPoint=$1
computerName=$2
username=$3

#### SET VARIABLES

title="Enable Encryption"
trigger="Enable-Encryption"
icon="/System/Library/PreferencePanes/Security.prefPane/Contents/Resources/FileVault.icns"
button1="Encrypt"                 # "string" Creates button with label (default button)
button2="Cancel"                  # "string" Creates button with label
dButton="1"                       # Sets default button to button1. Responds to "return"
cButton="2"                       # Sets cancel button to button2. Responds to "escape"
windowType="utility"              # [hud | utility | fs]
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
user=$(ls -l /dev/console | cut -d " " -f 4)    # Owner of /dev/console = console user
FV2Stat=$(fdesetup status | grep "On")          # Only the first status line can contain "On"
description="Encryption has been activated on your Mac, but requires a one time log out and password confirmation to enable. You may log out now or later, but this reminder will continue to appear daily until your Mac is encrypted.

You may continue to use your Mac as normal while encrypting.

Click Encrypt to log out + confirm password now. Cancel to postpone until next log out."

### BEGIN SCRIPT

if [[ "$FV2Stat" == "FileVault is On." ]]; then

    #### Show the dialog with the above variables. jamfHelper prints 0 when button1
    #### is clicked and 2 when button2 is clicked.
    response=$("$jamfHelper" -windowType "$windowType" -title "$title" -description "$description" -icon "$icon" -button1 "$button1" -button2 "$button2" -defaultButton "$dButton" -cancelButton "$cButton")

    echo "response is $response"

    #### If user responds with the default button (Encrypt), log them out
    if [ "$response" == "0" ]; then
        #### Log out the current user via a GUI-style request so the
        #### FileVault password prompt is shown (a plain shutdown skips it)
        sudo -u "$user" osascript -e 'tell application "System Events" to log out'
        exit 0
    else
        exit 1      # User chose to postpone
    fi
else
    exit 0          # Nothing to do on this machine
fi

tkimpton
Valued Contributor II

Workaround to the defect from support:

Modify the 'WAIT_FOR_RECOVERY_KEY' key in the 'file_vault_2_id.xml' file to be 'false':

/Library/Application Support/JAMF/file_vault_2_id.xml
<key>WAIT_FOR_RECOVERY_KEY</key>
<false/>

OR create the following file and submit inventory:

/Library/Application Support/JAMF/file_vault_2_recovery_key.xml
<key>RecoveryKey</key>
<string/>

tkimpton
Valued Contributor II

Hopefully save you guys quite a bit of time!

The workaround doesn't work now in JSS 9.23 and the file is supposed to have moved to

/private/var/run/jamf/file_vault_2_id.xml

If you try to create it now in /Library/Application Support/JAMF it automatically deletes itself!

defect D-005978 still exists :(

mm2270
Legendary Contributor III

Thanks for the tip on the new location. I was about to email my TAM on that since I saw in the release notes for 9.23 that they changed the location for the xml file. I have a custom process I've been working on for a while that helps with enforcing FileVault enablement for new systems/users, and part of the script detects the xml file on disk so it can do the recon necessary to capture that into the DB. Gonna need to update my script for the new location once we move over to 9.

tkimpton
Valued Contributor II

@mm2270 no problem hope it works for you

tkimpton
Valued Contributor II

Still having problems with this and can't get anything working in JSS 9.23 :(

jeremygould
New Contributor

Anyone have any updates on this? We are also seeing the deferred enablement issue with users NOT getting a prompt at logoff or shutdown to enable FileVault.

tkimpton
Valued Contributor II

I would raise a support call with JAMF. I went through a lot of troubleshooting and my case is still open.

I had noticed on my test vm that it was showing up multiple times in my jss and could have been a reason as to why it wasn't working.

tkimpton
Valued Contributor II

No updates, support are having problems recreating the problem with a machine showing up multiple times in my jss and say all is working as expected.

Anyone who has problems with this really needs to log a support case and point to this thread.

Thanks

jdshub
New Contributor

Hi Guys,

I wanted to give you a short update on what we have done...maybe this works for you also:

1) Running Policy in Smart Group if user is NOT encrypted
2) User can click "OK" --> SelfService, User can click "Later" --> Encryption postponed

If user decides to do the encryption:

3) Policy running, Restart immediately configured, sets variable "deferred" in a .plist file
4) After restart policy checks .plist file for "deferred"...if "deferred" the script will trigger another policy
5) Last policy shows a Window to remind the user to logoff...but he can cancel the process by clicking "Later"

Works like a charm...If you need further details on that, please feel free to contact me.

WM_Kedwards
New Contributor

https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/