FileVault 2 and users activating deferred enablement

Neil_Kitt
New Contributor III

I apologize if this has already been discussed. I have searched through the discussions and haven't really found anything similar to the issue that I am trying to resolve/prevent. I know in the long run, removing admin permissions for end users will prevent this from happening but we as an organization are not there just yet.

My organization is in the healthcare industry and we are required to follow HIPAA regulations as well as policies implemented by our InfoSec department. It is my job to enforce those regulations and policies. For the most part all of our Macs do have FileVault enabled and they are encrypted. However, we have a few resistant end users that have a little to much knowledge of the Mac OS and have turned on deferred enablement which is preventing Jamf from enforcing encryption. I am wondering;

  1. Is there a way to have a policy to deactivate the deferred enablement if a user does go into terminal and enables it?

  2. Other than removing admin rights, is there a way to prevent a user from re-enabling it after it is disabled and encryption begins?

Any ideas would be greatly appreciated.

6 REPLIES 6

sshort
Valued Contributor

If you're using a configuration profile, that would enforce FileVault activation and prevent the disk from being decrypted (this assumes you are preventing your users in Jamf from removing config profiles). You could also disable deferred enrollment with a profile as well. I'm not sure if you're just using a policy to activate FV right now.

Aside from Jamf's interface, you can use something like ProfileCreator to get very granular with the specific settings you need. This screenshot shows a profile that would explicitly deny deferred enrollments. You might want to consider involving managers/HR if there are hardcore stragglers that don't want disk encryption on their Macs.

cc27e0d9a8de43268f7f8742509185c7

Neil_Kitt
New Contributor III

I definitely agree on the Manager/HR. For some reason my management wants to engineer around the easier solution. The previous admin over Jamf and jumpstart setup the FileVault encryption off of a script so it is not actually enabled in the configuration profile. I haven't tested yet the effect of enabling that option with the script that is currently enforcing it.

"You could also disable deferred enrollment with a profile as well." I've been looking for this option but I haven't found it yet. Can you tell me where that may be in the options? I would assume under Security & Privacy > FileVault but I"m not seeing the option.

sshort
Valued Contributor

Huh, yeah I don't see it in Jamf either... my org doesn't have an issue with people always deferring, so we don't have that enforced in a profile. But you can definitely set that preference with ProfileCreator.

It's ok to have multiple profiles that control FileVault, the most restrictive setting will win out. So if you use the built-in Jamf profile to enforce FileVault being on, and then upload a custom FV profile made in ProfileCreator (which enforces FileVault and prevents deferment) then both profiles will complement each other without conflict.

gachowski
Valued Contributor II

So Apple's/Google's definition of defer and the rest of the world is different... you need to read the fine print in fdesetup

The real question is how to prevent users from not "enabling" FileVault... the only Apple supported way I could find is with the Jamf built in tool that used fdesetup not profiles... and it has to be set to "next log in" if the user dosen't enable it on the log in the machine will reboot over and over until it's enabled..

That said when Apple moved to the PDF doc of the Configuration Profile Reference I am a 100% sure they added a clear definition for "DeferForceAtUserLoginMaxBypassAttempts" that was not there before ... and it's not clear but I think with a little work you might be able to make a profile that uses -1 and few other setting to prevent log out or log out with from not "enabling" FileVault.. I have not done this yet but it's on my list of things to do as I am guessing sometime fdesetup might be going away...and profiles will be our only option.

"DeferForceAtUserLoginMaxBypassAttempts"
Integer When using the Defer option you can optionally set this key to
the maximum number of times the user can bypass enabling
FileVault before it will require that it be enabled before the user
can log in. If set to 0, it will always prompt to enable FileVault
until it is enabled, though it will allow you to bypass enabling it.
Setting this key to –1 will disable this feature.
Availability: Available in macOS 10.10 and later

https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

C

Neil_Kitt
New Contributor III

Thank you all for the help on this. I've tested the additional profile on my test mac and it did over ride the deferred and forced the encryption at the next login as well as is preventing the user from going back into the terminal to turn FileVault off.

mlitton
New Contributor II

Neil .... did you do everything with just Profile Creator (turn on FV, escrow key, etc) or did you make two?
If you made two, what settings did you use in Profile Creator to get users to not defer?