FileVault 2, how are you doing it?

makander
Contributor

I've been tasked with deploying FV2 on our machines here at work so I have been reading up on it.

The only thing I don't like with FV2 is that it displays the FV2-enabled users at preboot. I'd like to keep my accounts hidden or panic will ensue.

For those of you that have deployed it, how are you managing FV2? Are you just enabling the user's account or are you adding the management / admin account as well?


rderewianko
Valued Contributor II

We don't add the management account, only the user who's been assigned that machine.

When IT needs to get in, they use the recovery key (and change the user's password) or have the user log in. Once the user's logged in, we can reboot it with the command "fdesetup authrestart" and then use the key in Casper.

We don't enable our admin account because then our users know it's there; some will make it a personal challenge to remove it.

mm2270
Legendary Contributor III

Ditto as with @rderewianko - Only the assigned user. If we need access, that's what the Recovery Key is for. Even with the management account hidden from users, some of them locate it anyway and muck with things. If it was plainly visible we'd have all sorts of additional issues.

FWIW, we have requested of Apple that they find some way to set up FileVault 2 so the regular Username & Password fields show up at pre-boot instead of the List of Users (optional). The way it is now is almost a security issue since it reveals which account(s) can unlock the Mac. I'd prefer it didn't do that. Then we'd actually consider adding the management account to the authorized list since it wouldn't show up right at the login screen.

Not applicable

We enable the local admin user, but we're flexible about granting admin rights to local users so the visible presence of an "administrator" account isn't an issue. Using Cauliflower Vest to store keys as that's cross-platform.

kishjayson
Contributor

For our organization we set up our workstations prior to delivering them to the end user. This includes logging in as the user at least once using their Active Directory credentials prior to their start date to ensure everything is working properly.

Since all of our portable systems must have encryption enabled (at all times) and the end user needs to be able to boot the system, we enable this policy to execute upon first check-in after enrollment. Here's the policy we're using and its scope:

Install_FileVault Encryption (Policy)

Trigger: Recurring Check-in
Action: Apply Disk Encryption Configuration
Maintenance: Update Inventory
Scope: deploy_FileVault Encryption (Smart Group)

deploy_FileVault Encryption (Smart Group)

Model like MacBook Pro
and FileVault 2 Eligibility is Eligible
and FileVault 2 Partition Encryption State is Not Encrypted
and Computer Group member of All Managed Clients

Some Things to Know:

The policy will execute even if the machine is at the Login Window. This enables the encryption process to automatically defer to the next new user to log into the system. In our case, the end user's account.

The policy will defer to an existing user (management account, localadmin, etc.) but ONLY if the policy executes during the next check-in AND that user is logged into the system. However, you will have the option to choose "Cancel" when logging out of that account.

Membership in the Smart Group will be true if the FileVault 2 Encryption State is Not Encrypted for ANY locally mounted volume. So if there is an external hard drive or USB drive connected that's not encrypted, the policy will execute again. However, it has not had any adverse effects on performance for the end user.

thuluyang
New Contributor III

We are haunted a lot by FV2 and spend a lot of time on it.
The best practice from my experience is:
1. Use Configuration Profiles -> FileVault Recovery Key Redirection, so the JSS has the recovery key. After a restart, the current user will be added to the FV2 list.
2. Create another local admin account (enable FV2 and allow the admin user to manage the computer) if necessary. This could be convenient if a user loses their password, instead of inputting a long recovery key.
3. If you want to hide an account, the UID of the account has to be lower than 500.
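The two checks this thread keeps coming back to (mm2270's point that the pre-boot list reveals which accounts can unlock the Mac, and thuluyang's UID-below-500 rule for hidden accounts) can be audited from a script. This is an added example, not code from the thread or from Jamf: on a real Mac the inputs would be the output of `fdesetup list` and `dscl . -list /Users UniqueID`, which are replaced here by constructed sample output so it runs offline; the account names and UUIDs are made up.

```shell
#!/bin/sh
# Audit which accounts can unlock a FileVault 2 volume at pre-boot, and whether
# any extra account is at least hidden (UID < 500) from the login window.
#
# Real inputs on a Mac (assumed formats, constructed samples used below):
#   fdesetup list                 -> one "username,UUID" line per enabled account
#   dscl . -list /Users UniqueID  -> "name<whitespace>uid" per local account

FV_LIST_SAMPLE='jdoe,5A1B2C3D-0000-4000-8000-000000000001
localadmin,5A1B2C3D-0000-4000-8000-000000000002'

DSCL_SAMPLE='_mbsetupuser 248
localadmin 499
jdoe 501
nobody -2'

# fv_unexpected LIST ASSIGNED_USER
# Prints every FileVault-enabled account other than ASSIGNED_USER, one per line.
# Empty output means only the assigned user can unlock the disk at pre-boot.
fv_unexpected() {
    printf '%s\n' "$1" | awk -F, -v ok="$2" 'NF >= 2 && $1 != "" && $1 != ok { print $1 }'
}

# uid_hidden DSCL_OUTPUT NAME
# Exit 0 if NAME has a UID below 500 (the hidden-account threshold from the
# thread), 1 if its UID is 500 or above, 2 if NAME is not a local account.
uid_hidden() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == n { found = 1; low = ($2 + 0 < 500) }
        END { if (!found) exit 2; exit (low ? 0 : 1) }'
}

fv_audit() {
    extra=$(fv_unexpected "$1" "$3")
    if [ -z "$extra" ]; then
        echo "OK: only $3 is FileVault-enabled"
        return 0
    fi
    echo "WARNING: accounts besides $3 can unlock FileVault at pre-boot:"
    for acct in $extra; do
        if uid_hidden "$2" "$acct"; then
            echo "  $acct (UID < 500: hidden at the login window, still FV-enabled)"
        else
            echo "  $acct (UID >= 500: visible at the login window)"
        fi
    done
    return 1
}

fv_audit "$FV_LIST_SAMPLE" "$DSCL_SAMPLE" jdoe
```

With the sample data the audit flags `localadmin` as an extra FileVault-enabled account; replace the two samples with the live command output to run it against a real machine.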

makander
Contributor

Alright, thank you all for your responses.

I've deployed it with self service for current users, as I need to explain to them how it works and why we're doing it. I prefer doing that in person with them to clear out any questions they might have about the encryption process.

For all new users I set it up right after imaging so that it's encrypted when they receive the machine. And I'm only encrypting the user account and not the admin account.

ooshnoo
Valued Contributor

@rderewianko

With regards to changing the user's password, are you using Active Directory or Open Directory? I tried that, and when finally getting to the user's login screen, the new password we changed it to does not work... why, I don't know, as it should still authenticate to AD at that point.

Thoughts?
-A

rderewianko
Valued Contributor II

@ooshnoo is the machine connected to the network when the user logs in? If you're changing the password and the machine has no way to communicate back to the AD server, the machine's password won't be updated.