Essentially I have an enrollment script that calls on the custom trigger "FV2" to run, all using jamfhelper.
During DEP enrollment, user needs to auth to Okta then create a local account using setup assistant. That user is an admin.
However, based on my current settings, the hidden management account gets the secure token and does not pass it off to the account created during setup assistant.
That poses a problem as now users can see the name of the hidden account, and its also kinda ugly. Secondly, without a secure token i have to push a script that uses osascript to have the user auth to get the token.
The goal, if possible is to keep the management account hidden, though that seems more and more impossibly as thats the account needed to auth to FV2 if a user is termed.
I also dont want to pester users to auth to osascript to enter their creds as its understandably sketch.
Here is my prestage enrollment
unsure if i need to check "Make the local admin account MDM enabled" or not
Additional oddity is that Filevault is shown as an option to skip in prestage but NOT editable/selectable when i edit the page
Any ideas on what I could be missing?
The worst part is that it seemed to be working when the old script called on DEPNotfify but I have since changed to jamfHelper so that I rely more on native apps.
Based on everything I've seen here, it looks to be correct and should work accordingly, but when i look at new hires and also the FV2 log:
|Executing Policy [Enrollment] FileVault 2|
FileVault is Off. Deferred enablement appears to be active for user '$USER'.
On macOS 11 Apple changed FV to where it gives the very first user on the Mac the Secure Token, which may be what you are seeing. The only way to prevent what you are seeing as I understand it is to differ enabling FileVault until after the user logs in.
If you are using mobile accounts that brings in the bootstrap token and a whole different set of complications. However the waiting until after the user logs in to turn on FileVault is still the best practice.
I have found FileVault to be incredibly messy and not enterprisable in the slightest. I really wish they would give an option to separate FileVault authentication from the user account kinda like how BitLocker does. That or let us programmatically grant access to FV without needing to manually can credentials in a script to pass around a token. This entire KEK Secure/Bootstrap token thing just does not work.
@pkleiber you are referring to this part right?
all accounts are local
devices are shipped directly to the user and ABM
then they set it up per the prestage enrollment.
We are deploying mainly big sur, but there are the occasional Catalinas out there.
so this line would be added to my enrollment script targeting the account created during setup assistant and not the hidden management account ya?
sudo dscl . append /Users/<user name> AuthenticationAuthority ";DisabledTags;SecureToken"