FileVault 2 with Zero Touch Deployment - Best Practices?

NullPointer
New Contributor III

I'm new to Jamf, and I've recently inherited a Jamf network of about 200 Macs. My current task is to get Zero Touch Deployment fully functional, so we don't have to do any manual staging on Macs before they are handed to the users. (We are part of Apple's DEP/VPP, and that much works fine.)

tldr; What is the best way to enable FileVault 2 so it deploys automatically, as silently as possible, as soon after initial enrollment as possible?

My goal is to have all of the Macs have FileVault 2 enabled, with the individual encryption recover keys redirected to Jamf server.

I've experimented with both a Configuration Profile, assigned to the PreStage Enrollment, and with a Policy, and both have rough edges that I'm not sure how to smooth out.

There are two specific things that I'd like to remedy:

1) It always pops up and tells the user their recovery key, and cautions them to keep it in a safe place. Is there any way to hide this without resorting to an Institutional Recovery Key? I don't mind users having their recovery key, but I don't like that part of the setup process requires advanced explanation (e.g., you don't need to keep your key, we keep it for you) - I'd rather it be as silent as possible so they don't have to worry about it.

2) When FileVault is deployed as a Configuration Profile and enabled as part of the PreStage Environment, it triggers upon first shutdown. The problem is that it seems the desktop process shuts down before FileVault is finished, so when the final confirmation dialog appears, there is no mouse cursor anymore to click on the dialog; the box is not active, and neither Tab nor Command-Tab work to make it active. Anything you hit on the keyboard just makes the Mac emit an alert sound. The only way I have found to dismiss it is to click around randomly with an invisible cursor until you get lucky and hit the pop-up, then you can hit enter and dismiss it.

I've searched around a fair bit in the docs and Jamf Nation, and haven't found recent discussions/documentation that address my concerns. This doc is the best I have found: https://docs.jamf.com/technical-papers/jamf-pro/administering-filevault-macos/10.7.1/Introduction.html

Any advice on minimizing user confusion when deploying FileVault 2 in a Zero-Touch environment? :)

Thank you!

1 ACCEPTED SOLUTION

gachowski
Valued Contributor II

You are going to need to use a custom Config profile to start. Take a look here..

https://www.jamf.com/jamf-nation/discussions/33538/catalina-filevault-enablement

Also, I recommend enabling FV on login; it's the only way to force the user to start FV. If you enable it on log out, they can cancel over and over...

And the last thing: read Rich's blog... he is the expert.

https://derflounder.wordpress.com/category/filevault-2/

Hope this helps and good luck!!

C


16 REPLIES


NullPointer
New Contributor III

Great, thank you!

The discussion at the first link had sufficient information for me to solve my issues.

1) Use a policy, not a Configuration Profile + PreStage
2) I set the Disk Encryption Configuration to Individual, on "Current or Next User". We do not plan to use Institutional keys.
3) Set the Disk Encryption to "At next login"
4) Set policy trigger to "Login" & "Enrollment Complete" and "Once per computer".

I may update the "Once per computer" to instead be "Ongoing", and then change the scope to a Smart Group that just includes Macs that are not presently encrypted once I verify all this works properly.

Based on initial testing, both of my issues are resolved - it does not prompt the user to save their key, and it does not present a dialog where there is no mouse cursor.
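As an added illustration (not code from this thread), here is a Jamf extension attribute script that classifies a Mac's FileVault state from `fdesetup status`, which is what the "Ongoing" policy scoped to a smart group of not-yet-encrypted Macs mentioned above would key on. The attribute name "FileVault State" and the sample `fdesetup` outputs are assumed/constructed.

```shell
#!/bin/sh
# Added example: a Jamf extension attribute (name assumed: "FileVault State")
# that classifies a Mac from `fdesetup status` so an "Ongoing" FileVault policy
# can be scoped to a smart group of Macs reporting "Off" and drop members as
# they encrypt. Parsing is separated from the fdesetup call so it can be run
# against constructed output on any machine.

# Map fdesetup status text to one of: Deferred, InProgress, On, Off, Unknown.
# "Deferred" is checked first: with deferred enablement (the "at next login"
# setting) fdesetup still reports "FileVault is Off." on the first line.
fv_state() {
    case "$1" in
        *"Deferred enablement appears to be active"*) echo "Deferred" ;;
        *"Encryption in progress"*|*"Decryption in progress"*) echo "InProgress" ;;
        *"FileVault is On."*) echo "On" ;;
        *"FileVault is Off."*) echo "Off" ;;
        *) echo "Unknown" ;;
    esac
}

# Extract the "Percent completed = N" figure, or print nothing if absent.
fv_percent() {
    printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample outputs (not captured from a real Mac) for self-checks.
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."
SAMPLE_PROGRESS="FileVault is On.
Encryption in progress:
Percent completed = 37"

# On a Mac, report the live state in the <result> tags Jamf expects;
# elsewhere, fall back to a constructed sample so the script still runs.
if [ "$(uname)" = "Darwin" ] && [ -x /usr/bin/fdesetup ]; then
    status="$(/usr/bin/fdesetup status 2>/dev/null)"
else
    status="$SAMPLE_DEFERRED"
fi
state="$(fv_state "$status")"
pct="$(fv_percent "$status")"
if [ "$state" = "InProgress" ] && [ -n "$pct" ]; then
    echo "<result>${state} ${pct}%</result>"
else
    echo "<result>${state}</result>"
fi
```

A smart group with criterion "FileVault State" is "Off" then holds exactly the Macs the enablement policy still needs to reach, while "Deferred" shows where the next-login prompt is pending.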

ronnie_leblanc
New Contributor

Hey @NullPointer I'm curious how well that workflow has been working for you! I'm looking at fixing our workflow which is a much more manual process for our onboarding team.

  • Users enroll via DEP
  • After setup, launch Self Service and run an "activate FileVault" policy, which enables it and logs the user out.

I'm curious if your flow above has been working well and if you've run into any roadblocks/concerns.

wmehilos
Contributor

@ronnie.leblanc Not who you asked, but I use the same setup to enable FV on all my 1:1 machines. A Policy gets called during my DEPNotify workflow, current or next user, at login, and at the end of my DEPNotify workflow is another Policy that calls softwareupdate, then reboots, ensuring that a "login" will occur very soon after the Mac is deployed. Still works on Catalina thus far. I've also started including an "activate FV" payload in my FV Escrow profile, so if for whatever reason something happened during DEPNotify that cancelled the setup, I have that to fall back on.

NullPointer
New Contributor III

@ronnie.leblanc It has been working very well.

The only remaining pain-point is that it's still a policy that has to be scoped to the computer manually, rather than a configuration profile that can be scoped to the pre-stage enrollment and then gets applied automatically when the computer is first booted. I have it added to a group that configures all of our policies, and any new laptops get added to that group, but we still have to boot the computer once so it shows up in Jamf before we can add it to the group and enable FV2. So we're still not 100% at "zero touch deployment", but the particular issues I mentioned in the OP are completely resolved by this method.

beeboo
Contributor

@gachowski how do you deal with escrowing the keys if you are not using a config profile?

We have it working here but use a combo of it:

  • config profile to force key escrow but NOT FV
  • policy runs to kick off FV for next login

However, our best success rate is manually enabling FV on the machine (which is essentially the same as doing the FV policy); then we log into each successive admin account that we need to ensure has the SecureToken. Note though, somehow running it in SS doesn't exhibit the same result, even though we are using the actual FV policy.

If we do it without a config, how does it know to escrow the key to Jamf?

@wmehilos can you explain your escrow policy please?

@ronnie.leblanc why not just scope it to all machines with FV status off/disabled?

ThierryD
New Contributor III

@NullPointer What is the difference between "Once per computer" and "Once per computer and user" ?

Timothy_O
New Contributor

What worked for us in getting FV enabled at user creation (or, actually, right after) was setting up a 'Disk Encryption' payload policy that would
- trigger at 'Enrollment'
- 'Once per Device'
- enable FileVault at next login
- AND set the Restart variables to 'Restart Immediately'

This ensured that right after _mbsetupuser was done setting up the Mac, it would reboot and force the user to enable FileVault before logging in.

jmancuso
New Contributor III

Why have the user enable it? Seems odd that you would allow the user to have that control. 

Timothy_O
New Contributor

Personally, I've been requesting the ability to enable FileVault right during the initial Management enrollment process, when the user Setup Assistant shows the screen that their device is managed by xyz.inc

jmancuso
New Contributor III

Yeah. I'm meeting with support again and we agreed that this needs to be accomplished and should come out of the box. No brainer. If I can create a script or something I will respond here. If we need to escalate to a feature request, it needs to be done. It is reckless to do it any other way and you'll blow ISO, TISAX and such because it has to be done by the IT teams rather than users. In addition, 0 touch and warehouse imaging is the newest thing in IT. So, we're getting out of the shipping business now. I wish Jamf stopped thinking higher ed.

gachowski
Valued Contributor II

Update to my 2019 post.... You can do it right out of the box now that the Security Configuration Profile has been updated (props to Jamf, I know tons of work went into this improvement).

1. [Screenshot: Screen Shot 2022-03-17 at 3.57.47 PM.png]

2. And a policy that runs after enrollment.

[Screenshot: Screen Shot 2022-03-17 at 3.59.12 PM.png]

3. And bonus, you don't need any extra user notification apps like SplashBuddy or DEPNotify.

[Screenshot: Screen Shot 2022-03-17 at 3.59.33 PM.png]

: )

@gachowski I would like to know what script you are using in the policy. And whether the "Allow users to bypass FileVault prompts at login" option in the configuration profile needs to be set the "Prompt" way.

gachowski
Valued Contributor II

@SyntaxError

The script is to install Rosetta 2 from : )

https://derflounder.wordpress.com/2020/11/17/installing-rosetta-2-on-apple-silicon-macs/

I set "Allow users to bypass FileVault prompts at login" to "Required on the next login", that way the user can't bypass it... I have never tested "Prompt Way"; however, I assume that it will allow the user to cancel the encryption and continue to the desktop.

gachowski
Valued Contributor II

@Timothy_O 

Did you reach out to Apple? It's a big ask for Jamf to change the "initial Management enrollment process" that is very controlled by Apple.

I do agree with you 10,00 %; however, I think it's an Apple issue, not a Jamf issue.  : )

C

This is a great example of where Apple tells everyone they are an enterprise company and then not so much. I will go as far as saying that FV is an enterprise-only feature, and auto-encrypting and storing the FV key in the MDM should have been the 1st macOS MDM feature, not us asking for it years later. Even with my workaround the user is still forced to do two clicks; a true MDM protocol would have no user interaction. I fear that we are going to have to keep waiting, as I am guessing that all the MDM protocols are being reworked to do Declarative Management.  : (

 

C

I did not. Not that I have Tim's number, and anything less than direct mass action is, from experience, a drop in the sea.

I do understand that keeping an ear out for partners like Jamf is something they were vocal about (at least at JNUCs). Hence, Jamf is in a very auspicious position to suggest, on behalf of their clients, that this feature is wanted and would be beneficial to have implemented.