Jamf Nation Community

It appears that deferred "at login" mode works for local accounts, but does not trigger at login for Active Directory accounts. This must be an OS defect.

An OS defect around Active Directory accounts?? Inconceivable! Can't be, when has Apple ever done that!?

</sarcasm>

Bumping this in case anyone has gotten it to work with AD/mobile accounts, I am surprised this isn't being talked about much. It's very nearly a showstopper issue for us if we can't force FV to be enabled.

This certainly seems like an OS X bug. I wouldn't be surprised if this doesn't work correctly until 10.11.1 is released.

Has anyone tried this with the latest developer/beta builds of 10.11.1? I'm in no hurry to test it out myself.

I have, and it is still not working on the latest beta.

I just submitted a bug with Apple as well as opened a case with JAMF.

Sorry I missed this .....

Yes it's an Apple bug... it stopped working on the 2nd to last El Capitan beta... I filled with Apple day one of GMC beta...not fixed in X.11.1 either...(yet)

C

Jamf has a defect # too : )

We're kind of seeing this here with El Cap. The user gets the prompts as they're exiting: logging out, shutting down, shutting down to restart. But they are not getting the forced enrollment at login like they do in Yosemite.

The Disk Encryption Configuration shows up in the inventory, but the institutional key is not present, the individual key is unknown, and the state is unencrypted (as expected).

Tested to most recent developer preview.

@Shaffer

Yep deferred next log in doesn't work and deferred next log out only half works : )

If you have a Apple support please open a ticket so we can drive the number of effected machines up, so it get fixed faster : )

C

Edit: how do I delete a post?

Just opened a ticket with Apple, so I'm on the bandwagon :)

Thanks @Shaffer !!!

C

I also have opened a support ticket with Apple.

Sorry about the vague response but... Anyone else have a developer account? Anyone else feeling better about this after yesterday?

I am feeling better about this now, yes.

: ) me too.. still have a few thing to keep testing : )

re: Schaffer Anyone else feeling better about this after yesterday?

What occurred on 10/27 that might have made anyone feel better about this problem? I don't see any updates from Apple on that day.

I am still running into this problem and would like to get clued in as to what might help fix it.

X.11.2 public beta

Thanks, I will have to try it...

Not sure if you guys are aware or not, but I figured I'd let you all know, JAMF has a RADAR open with apple about this issue.

RADAR #22839220

Apple said this in response to my request of the info for that RADAR.

The radar you provided is regarding FileVault 2 deferred enablement does not work on LDAP users, the users did not receive any prompts. 'fdesetup status' will report that FileVault is in "deferred enablement" but logging in will not trigger the FV2 credentials prompt.

Regards,
TJ

Just ran into this issue as well. Glad to see I'm not the only one suffering :P

This does appear to be resolved in the latest 10.11.2 beta. It has been triggering successfully in all my tests.

Great! I hope that the general release is a week or two away.

What setting do you have selected in the Disk Encryption section of your policy? There's another thread, but this all does work if you have "at next logout" selected. Just to be clear, this is separate from the policy trigger. In our testing with Apple and JAMF, only "recurring check-in" and "custom" triggers work to trigger our FileVault policy.

This has been working for us the entire time since El Capitan was released (and before, to be honest.) However, it took us an embarrassingly long time to figure out that simply toggling that setting in the Disk Encryption section was the fix.

Also, we had to add an additional inventory collection policy to occur at next boot so that all of the fields would populate in the JSS. For our purposes, we did this as an additional policy so that it'd only apply to a subset of our Macs and not cause too many Recons. It appears that adding inventory collection to the policy itself when it's configured this way causes inventory collection to get interrupted so the keys, etc. don't get uploaded until the next inventory collection interval. And, depending on your environment, if that next Recon waits too long, they key info actually disappears and can't be uploaded. The other thread isn't sure how long that window is, however.

Deferred next log in doesn't work, and it's the only way of setting FV2 that I know of that they user can't override/skip.

When the deferred is set to next log in, after the user logs in they get a popup and if the user select continue instead of ok the machine will reboot automatically back to the same window. Also set to next log in the user doesn't get the popup of the recovery key. Making it impossible for the user a disable FV2 or use the mac not encrypted, from what I can tell. Allow us to deploy Macs with very very limited staff interaction, or zero touch.

With it set to next log out, the user can just select continue and the Mac will not be encrypted and if they do select ok the will see the FV2 key.

C

Yeah, but that's a workflow question in this case more so than a technical one. In our case, our provisioners won't hand a Mac to a user until FV is enabled, so that workflow works for us.

But, my point is that it works at all. "At next login" definitely does not currently work in El Capitan at all. So, if you have a FV requirement now, "at next logout" will work though you may need to adjust your workflow.

I did find that thread previously and changed it to 'At next logout'. The prompt does pop up with the password request but I get "There was a problem enabling FileVault on your computer. You should use System Preferences Security & Privacy to view or change FileVault". Don't know why this is happening. Will have to look in the logs.

Getting ManagedClient[xxxx]: MCX.doCmdLogout: setupFileVaultFDE enable returned 11 which is an authentication error. Strange...Oh well, at least I'm getting prompted now.

(Disregard.)

@Vitamin-Z Hmmm, that error I haven't seen before. A few questions that pop into mind are... Are your users admins? What is the trigger for the policy itself? JSS 9.81 right? Is the policy scoped to all users?

I don't know if some of those questions are relevant or not, but they're the first variables that come to mind.

@bmarks Yes, my users are admins. The trigger is 'Recurring Check-in'. We are on 9.81. Currently as a test, my Mac is the only one.

10.11.2 is out - downloading now to make sure this build maintains our happiness :)

Seems back to normal. AD ... I just can't quit you no matter how many hints Apple gives. :)