Posted on 03-07-2017 05:17 PM
I'm in the process of rolling out FileVault 2 encryption via a Self Service policy that utilizes individual keys stored in the JSS. We have a couple of employees who have created a second partition on their Macs, which is creating a problem for me, as our policy only encrypts the boot partition. I'd like to allow these users to continue using their machines as is but have both partitions encrypted.
I'd also like to have the personal keys for each partition stored in the JSS, but it appears that the JSS is limited to storing one personal key per machine? If that's the case, I'd need to set the same personal key for both partitions, which doesn't seem to be possible with fdesetup's "changerecovery" command, as it automatically generates a personal key. Additionally, having both partitions with the same personal key just doesn't sound like a good idea. Has anyone encountered a situation like this and come up with a workable solution?
The only other option that I can think of is to have these employees decrypt their machines, remove the second partition, then re-encrypt with one partition. While this would be 100 times easier for me, it would be a headache for those users.
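Before deciding between re-partitioning and encrypting the second volume, it helps to know which machines actually have one. The script below is an added example, not code from the original post or from Jamf: it parses `diskutil cs list` into one line per CoreStorage logical volume and emits a Jamf extension-attribute style `<result>` naming any volume that is not AES-XTS with a finished conversion, so the affected Macs can be scoped from inventory. It assumes the field labels shown in the constructed sample (`Encryption Type`, `Conversion Status`, `LV Name`) match the `diskutil cs list` layout of the macOS release in use, and it only sees volumes that are already CoreStorage; a plain HFS+ partition never appears in that listing, so its absence from the report also means it is unencrypted. The sample listing and its UUIDs are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): extension-attribute style check
# that reports every CoreStorage logical volume and flags the ones that are
# not fully encrypted, so Macs with an unencrypted second partition can be
# found from the JSS instead of by hand.
#
# Assumptions: field labels follow the `diskutil cs list` layout of the
# macOS 10.11/10.12 era; plain HFS+ partitions never appear in that listing.

# Reduce `diskutil cs list` (stdin) to one line per logical volume:
#   <LV name>|<Encryption Type>|<Conversion Status>
parse_cs_list() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function val(s)  { sub(/^[^:]*:/, "", s); return trim(s) }
        # Drop the tree-drawing prefix ("|", "+->", "+-<", "====") before each field.
        { line = $0; sub(/^[ |+<>=-]*/, "", line) }
        line ~ /^Encryption Type:/   { type = val(line) }
        line ~ /^Conversion Status:/ { conv = val(line) }
        # "LV Name" is the last of the three fields for a volume, so emit here.
        line ~ /^LV Name:/ {
            printf "%s|%s|%s\n", val(line),
                   (type == "" ? "Unknown" : type),
                   (conv == "" ? "Unknown" : conv)
            type = ""; conv = ""
        }
    '
}

# Keep only the names of volumes that are not AES-XTS with a finished conversion.
unencrypted_volumes() {
    awk -F'|' '$2 != "AES-XTS" || $3 != "Complete" { print $1 }'
}

# Jamf extension-attribute output: one <result>...</result> line.
ea_result() {
    parsed=$(cat)
    if [ -z "$parsed" ]; then
        echo "<result>No CoreStorage volumes found</result>"
        return
    fi
    bad=$(printf '%s\n' "$parsed" | unencrypted_volumes | tr '\n' ',' | sed 's/,$//')
    if [ -z "$bad" ]; then
        echo "<result>All CoreStorage volumes encrypted</result>"
    else
        echo "<result>Unencrypted: $bad</result>"
    fi
}

# Constructed sample modelled on `diskutil cs list`; not captured from a real
# machine. An encrypted boot volume plus an unencrypted second partition "Data".
sample_cs_list() {
    cat <<'EOF'
CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group 4C5B7E2A-0000-0000-0000-000000000001
|   =========================================================
|   Name:         Macintosh HD
|   Status:       Online
|   |
|   +-< Physical Volume 4C5B7E2A-0000-0000-0000-000000000002
|   |   ----------------------------------------------------
|   |   Disk:     disk0s2
|   |   Status:   Online
|   |
|   +-> Logical Volume Family 4C5B7E2A-0000-0000-0000-000000000003
|       ----------------------------------------------------------
|       Encryption Type:         AES-XTS
|       Encryption Status:       Unlocked
|       Conversion Status:       Complete
|       High Level Queries:      Fully Secure
|       |                        Passphrase Required
|       |
|       +-> Logical Volume 4C5B7E2A-0000-0000-0000-000000000004
|           ---------------------------------------------------
|           Disk:                  disk1
|           Status:                Online
|           LV Name:               Macintosh HD
|           Volume Name:           Macintosh HD
|
+-- Logical Volume Group 4C5B7E2A-0000-0000-0000-000000000005
    =========================================================
    Name:         Data
    Status:       Online
    |
    +-> Logical Volume Family 4C5B7E2A-0000-0000-0000-000000000006
        ----------------------------------------------------------
        Encryption Type:         None
        Conversion Status:       NoConversion
        |
        +-> Logical Volume 4C5B7E2A-0000-0000-0000-000000000007
            ---------------------------------------------------
            Disk:                  disk2
            Status:                Online
            LV Name:               Data
            Volume Name:           Data
EOF
}

# On a Mac read the live system; elsewhere fall back to the constructed sample.
if command -v diskutil >/dev/null 2>&1; then
    diskutil cs list | parse_cs_list | ea_result
else
    sample_cs_list | parse_cs_list | ea_result
fi
```

Pasted into a Jamf extension attribute, the `<result>` line becomes a searchable inventory field, so a smart group of "Unencrypted:" Macs can drive a follow-up policy. Because the parser keys on `LV Name` arriving after the family's `Encryption Type` and `Conversion Status`, a volume whose family block is missing those fields is reported as `Unknown` and therefore still flagged rather than silently passed.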