I've decided, since 10.12.3, that it's time to upgrade my environment.
Part of this would mean allowing users to self-service install 10.12.3.
I've run into the problem of FileVault 2 Performance Authenticated Restart not working because my management account is not a user allowed to unlock the drive.
I have a casper management account on every computer (non-FV2 enabled)
I have a local admin account on every computer (FV2 enabled)
So it got me wondering, what if the local admin account that is FV2 enabled becomes my management account also?
This would solve the problem of my authenticated reboots failing. Does anyone see any problems with my logic?
I strongly believe that your Casper management account should be separate from any other account, with a password that is randomly rotated regularly. Best practice from a security standpoint.
That said, I thought authenticated restarts simply required the JSS to have a valid recovery key escrowed and didn't have an account requirement. The fdesetup authrestart command can take a recovery key or password.
Edit: Yep, just tested it, I was able to do an auth restart through JSS policy without the management account being FV-enabled.
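The reply above notes that fdesetup authrestart accepts either a recovery key or an FV2-enabled user's password, with no requirement on the management account. As an added example (not from this thread or from Jamf), here is how a policy script can pass that secret via -inputplist on stdin, so it never shows up in the process list the way a command-line argument would. It assumes macOS with fdesetup present; FV_SECRET and FV_USERNAME are hypothetical environment variables holding the recovery key (or password) and, optionally, the FV2-enabled username.

```bash
#!/bin/bash
# Added example: FileVault authenticated restart via fdesetup -inputplist.
# FV_SECRET / FV_USERNAME are assumed (hypothetical) environment variables.
set -euo pipefail

# Escape the three characters that would break the XML plist.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Build the property list fdesetup reads from stdin. With a Username the
# secret is that user's password; without one it is treated as a recovery key.
build_authrestart_plist() {
  local secret="$1" username="${2:-}"
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<plist version="1.0"><dict>\n'
  if [ -n "$username" ]; then
    printf '  <key>Username</key><string>%s</string>\n' "$(xml_escape "$username")"
  fi
  printf '  <key>Password</key><string>%s</string>\n' "$(xml_escape "$secret")"
  printf '</dict></plist>\n'
}

# Pre-flight: FileVault must be on and the hardware must support authrestart,
# otherwise the policy should fall back to a normal restart instead of failing.
authrestart_supported() {
  fdesetup isactive >/dev/null 2>&1 \
    && [ "$(fdesetup supportsauthrestart)" = "true" ]
}

do_authrestart() {
  if ! authrestart_supported; then
    echo "authenticated restart not supported on this Mac" >&2
    return 1
  fi
  # The secret travels on stdin only; nothing sensitive lands in argv or a temp file.
  build_authrestart_plist "$1" "${2:-}" | fdesetup authrestart -inputplist
}

# Only attempt the restart when the secret is provided and fdesetup exists.
if [ -n "${FV_SECRET:-}" ] && command -v fdesetup >/dev/null 2>&1; then
  do_authrestart "$FV_SECRET" "${FV_USERNAME:-}"
fi
```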