FileVault 2 Enable issue Catalina 10.15.5

brandon_-_autob
New Contributor III

Greetings,

I have been having issues enabling FileVault on my Jamf devices.

I have a configuration profile configured as follows (pictures Jamf 1 and Jamf 2 attached).

I also have a policy that enforces FileVault enablement "at next login", as I've read that this would possibly help my issue, as posted here (https://www.jamf.com/jamf-nation/discussions/34794/setup-filevault-on-catalina) (pictures Jamf 3 and Jamf 4 attached).

What happens is the policy and config profile get applied. I log in as the standard user, let Jamf run through the rest of the policies, and log out. Upon logging back in, I'm prompted to enable FileVault. After I click OK it tries to enable, but just quickly loads the progress bar and drops me to the desktop. FileVault doesn't get enabled.

If any more information is needed I can provide it. Just looking for any possible pointers on this matter.


8 REPLIES

brandon_-_autob
New Contributor III

For anyone who stumbles upon this: I ended up creating a script that is run from Self Service and enables secureTokenOn for the signed-in user. Upon logging out they are able to enable FileVault. macOS Catalina.

igal_tovievich
New Contributor II

Hey Brandon!
We're currently looking for a similar solution to the issue you had. Could you explain/post what script was used in conjunction with the scripts/configuration profiles?
Granting the secure token should solve a familiar problem; ours was mostly created for users post-migration.

Igal Tovievich
IT Manager

bmcdade
Contributor

Interested in the solution as well. It seems that our previous FV enable method, which worked fine until 10.15.x, no longer works, so we have machines deploying without FV enabled.

brandon_-_autob
New Contributor III

So I created a bash script that is available to users in our "Self Service." When the script is executed it asks the user for their current password and passes it into a command to essentially grant the user secureTokenOn, so that they are able to encrypt the drive on logout (how we have it set). I will say that I was facing this issue due to how we provision the local admin account. Since the local admin account is the first account created, it is granted the secure token. So the script uses the local admin creds to grant the non-admin user account the access. Hopefully that makes sense. I can provide any more information needed! Here to help!
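The workflow that post describes, written out as an added example script. This is not the poster's own script; it assumes the script is run as root from Jamf Self Service and that the local admin account name and password arrive as Jamf script parameters $4 and $5 (Jamf reserves $1 to $3 for mount point, computer name and username; the choice of $4/$5 is an assumption). The only macOS commands it relies on are `stat`, `osascript` and `sysadminctl`; the parsing and input checks are plain shell so they can be exercised anywhere.

```bash
#!/bin/bash
# Added example, not the original poster's script.
# Grant a Secure Token to the console user using a token-holding local admin,
# so the user can turn on FileVault at next logout/login.
# Assumed Jamf parameter slots: $4 = admin account name, $5 = admin password.
set -u

ADMIN_USER="${4:-}"
ADMIN_PASS="${5:-}"

# Short name of the user currently at the console (Jamf runs scripts as root).
console_user() {
    /usr/bin/stat -f '%Su' /dev/console
}

# Ask the logged-in user for their own password with a native dialog.
# Exits non-zero if they press Cancel, so callers can bail out.
prompt_user_password() {
    /usr/bin/osascript \
        -e 'display dialog "Enter your login password to enable FileVault:" default answer "" with hidden answer buttons {"Cancel","OK"} default button "OK"' \
        -e 'text returned of result'
}

# Parse the status line sysadminctl prints, e.g.
#   sysadminctl[421:9876] Secure token is ENABLED for user admin
# Returns 0 for ENABLED, 1 for DISABLED, 2 if the text is unrecognised.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  return 0 ;;
        *"Secure token is DISABLED"*) return 1 ;;
        *)                            return 2 ;;
    esac
}

# sysadminctl writes the status line to stderr, hence 2>&1.
token_status() {
    parse_token_status "$(/usr/sbin/sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Checks a practitioner wants before touching tokens: non-empty admin name,
# a real console user, and not the admin account granting a token to itself.
validate_inputs() {
    local admin="$1" target="$2"
    [ -n "$admin" ]  || { echo "admin user parameter is empty" >&2; return 1; }
    [ -n "$target" ] || { echo "could not determine console user" >&2; return 1; }
    [ "$target" != "root" ] || { echo "no user at the console" >&2; return 1; }
    [ "$admin" != "$target" ] || { echo "console user is the admin account; nothing to do" >&2; return 1; }
    return 0
}

# Apple's documented form: an admin that already holds a Secure Token
# authorises enabling one for another user. Note the passwords travel on argv
# and are briefly visible in `ps` on the machine.
grant_token() {
    local target="$1" target_pass="$2"
    /usr/sbin/sysadminctl -secureTokenOn "$target" -password "$target_pass" \
        -adminUser "$ADMIN_USER" -adminPassword "$ADMIN_PASS"
}

main() {
    local target user_pass
    target="$(console_user)"
    validate_inputs "$ADMIN_USER" "$target" || return 1

    if ! token_status "$ADMIN_USER"; then
        echo "admin account $ADMIN_USER has no Secure Token; cannot grant one" >&2
        return 1
    fi
    if token_status "$target"; then
        echo "$target already has a Secure Token" >&2
        return 0
    fi

    user_pass="$(prompt_user_password)" || return 1
    grant_token "$target" "$user_pass" || return 1
    unset user_pass
    # Re-check and return that status as the script's exit code.
    token_status "$target"
}

# Only run on macOS where sysadminctl exists; elsewhere just define the functions.
if [ "$(uname -s)" = "Darwin" ] && [ -x /usr/sbin/sysadminctl ]; then
    main "$@"
fi
```

Two caveats before deploying something like this: the admin password sits in the Jamf policy as a parameter, readable by anyone with access to that policy, and it is passed on the command line, so avoid echoing it into the policy log; and on 10.15 the per-user token only helps if the user has one, so confirm with `sysadminctl -secureTokenStatus <user>` and, after the next logout, `fdesetup list`, rather than trusting the policy's success status.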

jhuls
Contributor III

@brandon_-_autob Any chance you could share that script? I'm in the process of learning about FileVault, so something like that would be beneficial to see how people are deploying it. I've only tested with a configuration profile deployment (with success) on Catalina thus far. We also deploy systems with a local admin account being created during the PreStage, and then we have users with AD accounts logging in as mobile accounts. I've yet to work through the details to see if that's the direction I should go or if a script and policy makes more sense.

bivers
New Contributor

Hey Brandon,

This script would be very helpful, as many of us, like Igal and me, are having the same issue as well.

Thanks,
Brendan

brandon_-_autob
New Contributor III

The script I created is located here: https://github.com/brnwn4/SecureTokenEnable/blob/master/SecureToken1.sh

I don't keep the admin credentials in the script; instead I define them as parameters in Jamf!

Let me know if you have any questions... This was seriously a huge pain for me.

In return, all I ask is to pick your brains on a different topic. How do you go about resetting passwords? We use Jamf in hand with Azure AD, and we don't have the most ideal workflow right now when a user on an Apple device forgets their password; it also requires us to physically be at the machine.

vcasiero
New Contributor II

Hey Brandon,

Where in your process flow does the script get run?

Is it in your 201.1 FileVault policy and just set to run "before" the rest of the stuff via Self Service?

Thx,

Vince