FileVault 2 with Zero Touch Deployment - Best Practices?

Great, thank you!

The discussion at the first link had sufficient information for me to solve my issues.

1) Use a policy, not a Configuration Profile + PreStage
2) I set the Disk Encryption Configuration to Individual, on "Current or Next User". We do not plan to use Institutional keys.
3) Set the Disk Encryption to "At next login"
4) Set policy trigger to "Login" & "Enrollment Complete" and "Once per computer".

I may update the "Once per computer" to instead be "Ongoing", and then change the scope to a Smart Group that just includes Macs that are not presently encrypted once I verify all this works properly.

Based on initial testing, both of my issues are resolved - it does not prompt the user to save their key, and it does not present a dialog where there is no mouse cursor.

Hey @NullPointer I'm curious how well that workflow has been working for you! I'm looking at fixing our workflow which is a much more manual process for our onboarding team.

• Users enroll via DEP
• After set up launch self service and run an activate filevault policy which enables and logs the user out.

I'm curious if your flow above has been working well and if you've run into any roadblocks/concerns.

@ronnie.leblanc Not who you asked, but I use the same setup to enable FV on all my 1:1 machines. A Policy gets called during my DEPNotify workflow, current or next user, at login, and at the end of my DEPNotify workflow is another Policy that calls softwareupdate, then reboots, ensuring that a "login" will occur very soon after the Mac is deployed. Still works on Catalina thus far. I've also started including an "activate FV" payload in my FV Escrow profile, so if for whatever reason something happened during DEPNotify that cancelled the setup, I have that to fall back on.

@ronnie.leblanc It has been working very well.

The only remaining pain-point is that it's still a policy that has to be scoped to the computer manually, rather than a configuration profile that can be scoped to the pre-stage enrollment and then gets applied automatically when the computer is first booted. I have it added to a group that configures all of our policies, and any new laptops get added to that group, but we still have to boot the computer once so it shows up in Jamf before we can add it to the group and enable FV2. So we're still not 100% at "zero touch deployment", but the particular issues I mentioned in the OP are completely resolved by this method.

@gachowski how do you deal with escrowing the keys if you are not using a config profile?

we have it working here but use a combo of it.

config profile to force key escrow but NOT FV
policy runs to kick off FV for next login
however, our best success rate is manually enabling FV on the machine (which is essentially the same as doing the FV policy)
then we log into each successive admin account that we need to ensure has the securetoken.
note though, somehow running it in SS doesnt exhibit the same result, even though we are using the actual FV policy

if we do it without a config - how does it know to escrow the key to jamf?

@wmehilos can you explain your escrow policy please?

@ronnie.leblanc why not just scope it to all machines with FV status off/disabled?

@NullPointer What is the difference between "Once per computer" and "Once per computer and user" ?

What worked for us in getting FV enabled at user creation (or, actually, right after) was setting up a 'Disk Encryption' payload policy that would
- trigger at 'Enrollment'
- 'Once per Device'
- enable FileVault at next login
- AND set the Restart variables to 'Restart Immediately'

This ensued that right after _mbsetupuser was done setting up the mac, it would reboot and force the user to enable FileVault before logging in.

Why have the user enable it? Seems odd that you would allow the user to have that control. 

Personally, I've been requesting the ability to enable FileVault right during the initial Management enrollment process, when the user Setup Assistant shows the screen that their device is managed by xyz.inc

Yeah. I meeting with support again and we agreed that this needs to be accomplished and should come out of the box. No brainer. If I can create a script or something I will respond here. If we need to escalate to feature request, needs to be done. It is reckless to do it any other way and you'll blow iso's tsiax and such cause it has to be done by the IT teams rather than users, In addition, 0 touch and warehouse imagining is the newest thing in IT. So, we're getting out of the shipping business now. I wish Jamf stopped thinking higher ed. 

Update to my 2019 post.... You can do it right out of the box now that the Security Configuration Profile has been updated (props to Jamf I know tons of work went in to this improvement)

1. 

2. And a policy that runs after enrollment. 

3. And bonus you don't need any extra user notification apps like SplashBuddy or DEPnotify 

 : ) 

@Timothy_O 

Did you reach-out to Apple? It's a big ask for Jamf to change the " initial Management enrollment process" that is very controlled by Apple. 

I do agree with you 10,00 % however I think it's an Apple issue not a Jamf issue.  : ) 

C

This is a great example of where Apple tells everyone they are enterprise company and then not so much. I will go as far as saying that FV is an enterprise only feature and auto encrypting and storing the FV key in the MDM should have been the 1st macOS MDM feature not us asking for it years later. Even my workaround the user still forced to do two clicks, a true MDM protocol would have no user interaction. I fear that we are going to have to keep waiting as I am guessing that all the MDM protocols are being reworked to do Declarative Management.  : ( 

C

I did not. Not that I have Tim's number, and anything less of direct mass action is, from experience, a drop in the sea.

I do understand that keeping an ear out for partners like Jamf is something they were vocal about (at last at JNUCs). Hence, Jamf is in a very auspicious position to suggest, on behalf of their clients, that this feature is wanted, and would be beneficial to have implemented.

@gachowski I would like to know what script you using in the policy. And if "Allow users to bypass FileVault prompts at login" option in the configuration profile needs to be Prompt way.

@SyntaxError 

The script is to install rosetta 2 from  : ) 

https://derflounder.wordpress.com/2020/11/17/installing-rosetta-2-on-apple-silicon-macs/

I set "Allow users to bypass FileVault prompts at login" to "Required on the next login"  that way the user can't bypass it... I have never tested "Prompt Way" however  I assume, that it will allow the user to cancel the encryption and continue to the the desktop.