FileVault 2 Policy

FastGM3
Contributor

My policy is set to be triggered at login; however, it doesn't appear to prompt the user until logoff or shutdown.

Is this a known bug?

13 REPLIES

rtrouton
Release Candidate Programs Tester

More details, please. How do you have your encryption configuration set up?

FastGM3
Contributor

"Institutional". Is that what you're needing to know?

Tong
New Contributor

My understanding is that all a policy to deploy an "encryption configuration" does is configure FileVault 2 deferred enablement via fdesetup. If you want to check that the policy is working as expected (at login), run:

host:~ user$ sudo fdesetup status

and you should see that deferred enablement is active for the user, which will prompt you to encrypt at the next logout. This is the expected behavior:

FileVault is Off.
Deferred enablement appears to be active for user 'nitong'.

The real test, it seems, is to cancel the encryption on logout and see if the dialog prompting to encrypt is presented on subsequent logouts. It isn't for us, and we're working around this by calling the policy containing the encryption configuration from a script.
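The status check Tong describes is easy to turn into something a policy or a Jamf extension attribute can act on. The following is an added example (not code from the original thread): it classifies the text that `sudo fdesetup status` prints into "on", "deferred enablement queued for a user" and "off with nothing pending". Parsing runs on stdin, so it can be exercised with the constructed sample outputs below on any POSIX system; the real tool is only invoked when /usr/bin/fdesetup exists.

```shell
#!/bin/sh
# Added example, not code from the original thread. Classifies the text that
# `sudo fdesetup status` prints so a script (or a Jamf extension attribute)
# can distinguish "already on", "off but deferred enablement queued" and
# "off with nothing pending".

# Constructed sample outputs, modelled on the lines quoted in the thread.
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'nitong'."
SAMPLE_ON="FileVault is On.
Encryption in progress: Percent completed = 17"
SAMPLE_OFF="FileVault is Off."

# classify_fv_status: read status text on stdin and print one of
#   on                FileVault is On (complete or still encrypting)
#   deferred:<user>   FileVault is Off, logout prompt queued for <user>
#   off               FileVault is Off and nothing is queued
# Exit status is 0 for the first two and 1 for "off", so a policy step that
# expects deferred enablement to be in place fails visibly when it is not.
classify_fv_status() {
    status_text=$(cat)
    case "$status_text" in
        *"FileVault is On"*)
            echo on
            return 0 ;;
    esac
    # Pull the user name out of "... active for user 'name'."
    deferred_user=$(printf '%s\n' "$status_text" \
        | sed -n "s/.*[Dd]eferred enablement appears to be active for user '\([^']*\)'.*/\1/p" \
        | head -n 1)
    if [ -n "$deferred_user" ]; then
        echo "deferred:$deferred_user"
        return 0
    fi
    echo off
    return 1
}

# report_fv_status: use the live tool on macOS, otherwise fall back to the
# constructed deferred sample so the script demonstrates itself elsewhere.
report_fv_status() {
    if [ -x /usr/bin/fdesetup ]; then
        /usr/bin/fdesetup status | classify_fv_status
    else
        printf '%s\n' "$SAMPLE_DEFERRED" | classify_fv_status
    fi
}

# Extension-attribute style output when run directly.
result=$(report_fv_status) || true
echo "<result>$result</result>"
```

Note that "on" covers both a finished and an in-progress encryption; if you need to distinguish those, the "Percent completed" line is the place to look, and a machine that reports "off" after the policy has run is exactly the cancelled-at-logout case Tong mentions.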

rtrouton
Release Candidate Programs Tester

FastGM3,

Is your encryption configuration set up similarly to this?

[external image link]

If so, it's using fdesetup's deferred enable as Tong mentioned. It will prompt the current logged-in user for their password at logout, but it won't do it as a login option.

This is not a Casper bug, it's how fdesetup is currently handling deferred enablement of FileVault 2 encryption.

Thanks,
Rich

FastGM3
Contributor

Rich,

Yep, that's my config. So, is there any way to do it at login?

Thanks

jstrauss
Contributor

@FastGM3: Deferred enablement prompts the user at logout only, by default and by design. From man fdesetup:

The -defer option can be used with the enable command option to delay enabling FileVault until after the current (or next) user logs out, thus avoiding the need to enter a password when the tool is run. The user will be prompted at logout time for the password, at which point an attempt will be made to enable FileVault. If the volume is not already a CoreStorage volume, the system may need to be restarted to start the encryption process. Logout dialogs are automatically dismissed and canceled after 60 seconds if no interaction occurs and the user will be prompted again at the next logout time.

Hope this helps!

Cem
Valued Contributor

Does anyone know where the logout defer script is located?
I would like to disable the Cancel button and keep the prompt window running permanently so the logged-in user has no option other than putting the password in at logout. This way I will make sure the Mac will be encrypted.

gregneagle
Valued Contributor

Pretty sure it is not a script, but rather an Apple binary tool. Modifying its behavior may be nearly impossible.

If that behavior does not meet your needs, you might need to create your own tool, wrapping fdesetup, or adapt the Crypt tool (https://github.com/grahamgilbert/Crypt) for your use.

pickerin
Contributor II

Good article here on everything you want to know about fdesetup: http://derflounder.wordpress.com/2012/07/25/using-fdesetup-with-mountain-lions-filevault-2/

My mistake was doing Institutional only keys, you actually want both Individual and Institutional. Otherwise, from what I can tell, you cannot later add additional users to FileVault 2 without involving your end user. If you capture the Individual Recovery Key, you can use that and a plist to enable additional users at the command line.

rtrouton
Release Candidate Programs Tester

Sadly, the ability to use the individual recovery key in place of an authorized user's password is currently broken in Apple's fdesetup tool. I first noticed the issue with 10.8.2's fdesetup and it's still the case in 10.8.3.

At this time, I don't have an ETA from Apple on when this issue will be fixed.

pickerin
Contributor II

Yep, I just found that out this week when I attempted to add a user...lovely.

ernstcs
Contributor III

@rtrouton, do you know if the issue you refer to about the individual recovery key was fixed? I'm on 10.9 at the moment, and when I enabled Institutional and Individual in my configuration in the JSS, my user account was set to deferred enablement.

So are we saying that at this time we can still only do institutional, or am I missing some way around this? We want the current or next user to be set up with Institutional and Individual.

Thanks!

rtrouton
Release Candidate Programs Tester

@ernstcs

The ability to use the individual recovery key in place of an authorized user's password works in 10.9. For more details, please see my post on Mavericks and fdesetup available here:

http://derflounder.wordpress.com/2013/10/22/managing-mavericks-filevault-2-with-fdesetup/
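pickerin's post above describes enabling additional users from the command line with a plist and the captured individual recovery key, and rtrouton's follow-ups qualify that by OS version (broken in 10.8.2 and 10.8.3, working in 10.9). The following is an added example, not code from the thread or from Apple: it builds the input plist that `fdesetup add -inputplist` reads on stdin and feeds it straight from a pipe, so the authorising secret (an enabled user's password or, on releases where fdesetup accepts it in the Password field, the individual recovery key) is never written to disk. Values are XML-escaped before interpolation. The FDESETUP variable is an assumed override so the wrapper can be pointed at a stub when not running on macOS; the default is the real tool, and the recovery key and account names in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original thread. Streams an input plist to
# `fdesetup add -inputplist` so credentials never land on the filesystem.
# FDESETUP is an assumed override (for stubbing on non-Mac systems); the
# default is the real tool, which must be run as root.

FDESETUP=${FDESETUP:-/usr/bin/fdesetup}

# xml_escape: make a value safe to place inside a <string> element.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# build_add_user_plist AUTH_USER AUTH_SECRET NEW_USER NEW_PASSWORD
# Emits the plist layout fdesetup expects: the authorising account in the
# top-level Username/Password keys and the account to enable under
# AdditionalUsers. Put the individual recovery key in AUTH_SECRET to
# authorise without the end user's password (works in 10.9 per the thread).
build_add_user_plist() {
    auth_user=$(xml_escape "$1")
    auth_secret=$(xml_escape "$2")
    new_user=$(xml_escape "$3")
    new_password=$(xml_escape "$4")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$auth_user</string>
    <key>Password</key>
    <string>$auth_secret</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$new_user</string>
            <key>Password</key>
            <string>$new_password</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# add_fv_user AUTH_USER AUTH_SECRET NEW_USER NEW_PASSWORD
# Pipes the plist into fdesetup on stdin. Afterwards `fdesetup list` shows
# the enabled users, which is the check that the add actually took.
add_fv_user() {
    build_add_user_plist "$@" | "$FDESETUP" add -inputplist
}

# Usage, as root, with constructed placeholder values:
#   add_fv_user localadmin 'XXXX-XXXX-XXXX-XXXX-XXXX-XXXX' newuser 'TempPass1'
#   fdesetup list
```

Keep the captured individual recovery key out of shell history and out of the script itself; pass it in from the management system at run time, and remember that whoever holds that key can unlock the volume, so the escrowed copy deserves the same handling as the institutional keychain's private key.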