Filevault 2 deployment

jamesdurler
Contributor

Hi everyone,

I've been tasked with deploying FV2 to around 800 MacBooks. The majority of these are existing estate, and there are different use cases per machine. Some are many users to one laptop, others are simply one user to one laptop.

I've been looking at the best way to do this deployment and have come up with numerous different methods. I'd like to know how you guys are doing it.

Deployment as the management account does not seem to be feasible, as if the person triggers this in Self Service and then restarts their Mac, they will be locked out of their machine if they do not have the recovery key. I was looking at forcing the one-time 'no FileVault login window at startup' option through fdesetup and then using an ongoing script at login to test if the user is a FileVault 2 enabled user - if not, prompt the user with a password entry box, which can then populate a plist to import this user as an enabled user. I have this part of the process working, but the only caveat is the command that allows you to bypass the FileVault password screen at login is a one-time deal, and I also believe it isn't compatible on all hardware?

The issue we have is 1) how the deployment is done - is it pushed/self-served or a bit of both - I have a feeling it will be both

2) who does the deployment - the issue with this is, if a user does the deployment themselves through Self Service, they are the enabled user. At this point I cannot use my script to add existing users as enabled users, as it will require me to know their username and password.

I spoke to JAMF support and was told that if I was using a combination of individual and institutional key, with or without the management account, the JSS should handle the addition of any new local or mobile account to enabled users. I am 100% not seeing this at the moment. My drive is fully encrypted and if I log in with new mobile accounts they are not added to the fdesetup list.

The only way I can automate the addition of users to this list is by using the scripted login method.

I'm interested to hear people's thoughts. Thanks :D
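The scripted login check described above, as an added example that is not the poster's own script: it parses `fdesetup list` output, and when the console user is missing it builds the input plist that `fdesetup add -inputplist` expects (credentials of an already enabled user plus the user to add) and feeds it over stdin. The management account name and password are placeholders, assumed to be supplied by the policy; the helper functions are pure so they can be checked without a Mac.

```shell
#!/bin/sh
# Constructed example: add the console user as a FileVault 2 enabled user
# if they are not already one. Needs root and fdesetup (macOS) to do real work.

# Escape the XML special characters so a password cannot break the plist.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# $1 = output of `fdesetup list` ("username,UUID" per line), $2 = short name.
# Returns 0 when the user is already an enabled FileVault 2 user.
is_fv2_enabled() {
    printf '%s\n' "$1" | cut -d, -f1 | grep -qxF -- "$2"
}

# Emit the plist fdesetup reads from stdin: $1/$2 = an already enabled user
# (here the management account), $3/$4 = the user to add.
build_add_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$(xml_escape "$1")</string>
    <key>Password</key><string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key><string>$(xml_escape "$3")</string>
            <key>Password</key><string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Live path: only runs as root on a Mac with fdesetup; otherwise it is a no-op.
if [ "$(id -u)" -eq 0 ] && command -v fdesetup >/dev/null 2>&1; then
    MGMT_USER="MANAGEMENT_ACCOUNT"   # placeholder: injected by the policy
    MGMT_PASS="MANAGEMENT_PASSWORD"  # placeholder: never hard-code in production
    CONSOLE_USER=$(stat -f %Su /dev/console)
    if ! is_fv2_enabled "$(fdesetup list)" "$CONSOLE_USER"; then
        # Hidden-answer dialog so the user's password is not echoed.
        USER_PASS=$(osascript -e 'text returned of (display dialog "Enter your login password to enable FileVault" default answer "" with hidden answer)')
        # stdin keeps both passwords out of argv and off the disk.
        build_add_plist "$MGMT_USER" "$MGMT_PASS" "$CONSOLE_USER" "$USER_PASS" | fdesetup add -inputplist
    fi
fi
```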


rtrouton
Release Candidate Programs Tester

I gave a session on FileVault 2 and Casper at JNUC 2013, where I discussed how Casper's FileVault 2 management works. The video is linked here if you're interested:

“Understand FileVault 2 and Manage Disk Encryption with the Casper Suite” session video from JNUC 20...

Casper uses Apple's fdesetup tool for its FileVault 2 management, so it helps to understand the capabilities of fdesetup when looking at Casper's FileVault 2 management. I have posts on using fdesetup for both Mavericks and Yosemite available from the links below:

Managing Yosemite’s FileVault 2 with fdesetup

Managing Mavericks’ FileVault 2 with fdesetup

I'd also recommend checking out Casper's FileVault 2 management documentation:

http://www.jamfsoftware.com/resources/administering-filevault-2-with-the-casper-suite/

jamesdurler
Contributor

Hi Rich,

I've read both guides and also read the JAMF documentation on it. I'll check out the video though.

I'm thinking of deploying via Self Service with the management account initially enabled. Then an authenticated restart command to bypass the FV2 login window. At this point the user can then log back in, receive a password prompt box, populate a temporary plist and import with fdesetup.

I then may add the local admin account as an enabled user, and remove the management account. I'm thinking of removing the management account as I don't want this username displayed at the FV2 login screen on startup. I don't really like the idea of users knowing the username for the Casper management account.

jamesdurler
Contributor

I think maybe the reason accounts aren't being automatically enabled is because I am testing on a Mavericks machine rather than Yosemite.

rtrouton
Release Candidate Programs Tester

Mobile accounts won't be enabled automatically by the OS. Once the Mac is encrypted, new local accounts created through System Preferences are automatically enabled for FileVault 2 by the OS.

jamesdurler
Contributor

Really? I spoke directly with JAMF and they told me if I used the management account in the encryption then new local accounts or new mobile accounts would be automatically enabled.

Makes sense though as this is not working with mobile accounts in my testing.

donparfet
Contributor

I have set up FV2 distribution using both individual/institution key option and set to enable FV2 at logoff with the option to cancel if one is not yet ready (Enabled FileVault 2 User set to "Current or Next User"). This allows us to push to the machine but the user can decide exactly when to pull the trigger and begin the encryption process. This does only enable one user to use the machine. (My scenario is a bit more simple than yours it seems)

jamesdurler
Contributor

Require FileVault 2
Require users to enable FileVault 2 based on one of the following events.
Logon/Logout/2 logins

I'm a bit unclear what this option means - is this referring to the adding of new users to the list of enabled FileVault 2 users?

I didn't realise the user could cancel out of it - what I am seeing is when the policy is delivered successfully it seems to flag the machine to be ready for encryption. Then on the next logout the FileVault 2 password box for the user prompts, which begins the encryption process.

rtrouton
Release Candidate Programs Tester

For the "Logon/Logout/2 logins" part, assuming this is on a Yosemite system, this is leveraging fdesetup's deferred enablement options. I have a post explaining how deferred enablement works on Yosemite available from here:

FileVault 2 deferred enablement in Yosemite

jamesdurler
Contributor

Thanks @rtrouton