I have been having issues enabling FileVault on my Jamf devices.
I have a configuration profile configured as follows (pictures Jamf 1 and Jamf 2 attached).
I also have a policy that enforces the FileVault enablement "at next login", as I've read that this would possibly help my issue, as posted here (https://www.jamf.com/jamf-nation/discussions/34794/setup-filevault-on-catalina) (pictures Jamf 3 and Jamf 4 attached).
What happens is the policy and config profile get applied. I log in as the standard user, let Jamf run through the rest of the policies, and log out. Upon logging back in, I'm prompted to enable FileVault. After I click OK it tries to enable but just quickly loads the progress bar and shoots me to the desktop. FileVault doesn't get enabled.
If any more information is needed I can provide it. Just looking for any possible pointers on this matter.
We're currently looking for a similar solution to the issue you had. Could you explain/post what script was used in conjunction with the scripts/configuration profiles?
Granting the security token should solve a familiar problem, ours mostly created for users post migration.
So I created a bash script that is available to users in our "Self Service." When the script is executed it asks the user for their current password and passes it into a command to essentially grant the user securetokenon, so that they are able to encrypt the drive on logout (how we have it set). I will say that I was facing this issue due to how we provision the local admin account. Since the local admin account is the first account created, they are granted the securetokenon. So the script uses the local admin creds to grant the non-admin user account the access. Hopefully that makes sense. I can provide any more information needed! Here to help!
[~brandon - autobooks] Any chance you could share that script? I'm in the process of learning about FileVault so something like that would be beneficial to see how people are deploying it. I've only tested with a configuration profile deployment (with success) on Catalina thus far. We also deploy systems with a local admin account being created during the prestage and then we have users with AD accounts logging in as mobile accounts. I've yet to work through the details to see if that's the direction I should go or if a script and policy makes more sense.
The script I created is located here - https://github.com/brnwn4/SecureTokenEnable/blob/master/SecureToken1.sh
I hide the admin credentials in the script and rather define them as parameters in JAMF!
Let me know if you have any questions... This was seriously a huge pain for me.
In return all I ask is to pick your brain on a different topic. How do you guys go about resetting passwords? We use JAMF in hand with Azure AD and we don't have the most ideal workflow right now when a user on an Apple device forgets their password; it also requires us to physically be at the machine.
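
The secure token workflow described in the posts above (a token-holding local admin grants a token to the standard user, with the admin credentials supplied as Jamf script parameters), as an added example that is not part of the thread and is not the script linked above. It assumes Jamf passes the logged-in user as `$3` and that the admin name and password are configured as parameters `$4` and `$5`; the function names are hypothetical.

```bash
#!/bin/bash
# Added example, not the script linked in the thread.
# Assumptions: $3 = logged-in user (Jamf default), $4/$5 = local admin name/password.

# Classify the text printed by `sysadminctl -secureTokenStatus <user>`.
# Constructed sample: "sysadminctl[123:456] Secure token is ENABLED for user jdoe"
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Decide the action from both accounts' states: the admin must already hold a
# token (it was the first account created) before it can grant one to the user.
plan() {   # plan <admin_state> <user_state>
    if [ "$2" = enabled ]; then echo skip
    elif [ "$1" != enabled ]; then echo admin-has-no-token
    elif [ "$2" = disabled ]; then echo grant
    else echo unknown-state
    fi
}

# sysadminctl writes its status message to stderr, hence 2>&1.
status_of() { token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"; }

main() {
    local user="$3" admin="$4" admin_pw="$5" user_pw action
    action=$(plan "$(status_of "$admin")" "$(status_of "$user")")
    echo "secure token plan for $user: $action"
    [ "$action" = grant ] || { [ "$action" = skip ]; return; }
    # Ask the logged-in user for their password in their own GUI session.
    user_pw=$(launchctl asuser "$(id -u "$user")" osascript -e \
        'text returned of (display dialog "Enter your password to enable FileVault:" default answer "" with hidden answer)') || return 1
    sysadminctl -adminUser "$admin" -adminPassword "$admin_pw" \
        -secureTokenOn "$user" -password "$user_pw" || return 1
    # Re-check the status so the policy fails visibly if the grant did not take.
    [ "$(status_of "$user")" = enabled ]
}

# Run only on a Mac with the admin parameters set; otherwise just define functions.
if [ -n "${5:-}" ] && command -v sysadminctl >/dev/null 2>&1; then main "$@"; fi
```

Values passed as script parameters and command-line arguments are visible in the process list while the command runs, so a dedicated, regularly rotated admin password is the safer choice for `$5`.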