FileVault 2 and Policy Scope

New Contributor II

We are about to make a major push into encrypting our Macs with FileVault 2, starting with 10.8.x devices and moving down to 10.7. I've followed the whitepaper on Administering FileVault 2 on Mountain Lion and have it working OK in the lab, but I did notice that if a user reboots his/her Mac and does *not* enter in their password (using Current or Next User setting) to begin the FileVault process, that the machine simply reboots. FileVault 2 encryption never beings, and because the policy set to run only "once per computer", it never runs again.

I am wondering if there's away around this. Specifically, how can I configure the policy to reapply itself on machines that are not encrypting or that are not encrypted? Is setting the Execution Frequency to "Ongoing" the proper course of action? Is there anyway to remove / hide the "Cancel" button when the user is prompted to encrypt?



Release Candidate Programs Tester


You may want to set up a smart group for machines that are not encrypted, scope your policy to that smart group, then set the Execution Frequency to be Ongoing.

Unfortunately, there's no way I know of to hide that Cancel button. The behavior you're seeing is a FileVault 2 failsafe, to make sure that you don't wind up with an encrypted laptop that nobody can log into.

New Contributor II

Thanks for the reply! It sounds like I'm on the right track then. I had already setup the following smart group, hoping to catch only machines not yet fully encrypted.

FileVault 2 Status is not All Partitions Encrypted


Operating System like 10.8


Legendary Contributor III

You can't do anything to adjust the message that pops up at logout. That's controlled by the OS, not from your Casper Suite policy.
But you could build a Smart Group for any Macs that are not encrypted and running OS X 10.8.x and apply that to the Scope of the encryption policy, then set it to Ongoing. Once a Mac is encrypted it will fall out of the scope and not get the message again.

One note on this though, I discovered recently that the way Casper Suite captures the Filevault 2 status can lead to false positives or false negatives.

Basically, although in the details of a computer record you can see that a Mac is in the stage of encrypting, with a percentage complete, there is no way to build a Smart Group on that status. You can only tell if its completely encrypted or not encrypted, or only some volumes encrypted. Why we can't use items like the actual status that shows up in the Details view as part of a Smart Group criteria I have no idea, but essentially it means that for a period of up to a day some of our Macs show that they are "encrypting" at xx % complete, when in fact they are long done. This means they stay in the Not Encrypted group and keep getting our message pop up to log out, until their Mac submits new inventory status. I suppose we could find some way to get them to inventory sooner, but I came up with another method to help with this.
I built an Extension Attribute that basically uses 'diskutil cs list' to locate the corestorage volume and pull info from it. It reports back either "Not Encrypted" "Encrypted" "Encrypting" or "Decrypting" based on what it finds. If it happens to run on a 10.6 Mac it reports back "N/A"
Using that, we can build a group for any Mac reporting back "Not Encrypted" and use that as the scope for the policy.

Release Candidate Programs Tester

Can I check what is the difference in using extension attribute method compared to just use the scoping method to check on whether the FileVault is enabled ???

New Contributor II

Thanks to both of you for your help! It looks like it's working as expected in our labs -mike