Posted on 07-25-2018 07:37 AM
I have been tasked with enabling FileVault on our Macs. For some reason we didn't enable this to begin with, but now I need to do it, at least for new Macs going forward.
I created a config profile and tested on a Mac. It worked fine when I logged out the user account; however, it's not writing the key to the JSS. I thought I may have screwed up, since I didn't use an institutional key.
So what is the proper way to set up FileVault to have it write the key to the JSS?
We are running the latest JSS and this will refer to 10.13 machines only.
Posted on 07-25-2018 07:39 AM
Hi,
I think you won't be able to deactivate FileVault as long as it has not finished activating. So maybe it takes some time, depending on the size of the volume.
Regarding the reporting, the question is which version of the JSS you are using and which version of macOS is running on the client. There were some changes with macOS 10.13.
Greetings,
Marco
Posted on 07-25-2018 07:45 AM
Oh damn, I forgot that info. @mkolb latest JSS, 10.13 Macs. The Mac I tested on sat there for 15 hours or so; the drive was encrypted but no key was written to the JSS. The deactivating issue was me not paying attention: I didn't unlock the preference pane to turn off FileVault. I am good now as far as deactivating goes.
Posted on 07-25-2018 07:49 AM
No problem.
With 10.13 it can be a little confusing, as the "FileVault Recovery Key Redirection" payload in the configuration profile DOES NOT WORK!
Instead you have to use the Security & Privacy payload. At "File Vault" you can find an option called "Enable Escrow Personal Recovery Key". This is what you need. Enter the URL of the JSS and it should work.
Hope this helps with the reporting issue!
Posted on 07-25-2018 07:57 AM
Where do I put the JSS URL? Those fields are just descriptions, aren't they?
Also do you know what happens with machines where FileVault is already enabled? Can the JSS grab the key or is there a way to pull the info?
Posted on 07-25-2018 07:59 AM
You enter the JSS URL in the "Escrow Location Description" field. And yes, it should also work to get the key if FileVault is already enabled.
Posted on 07-25-2018 08:00 AM
Actually, I see the key stored in the management tab now. That was strange. I guess I did have it set up right, but I still don't see a place to add the JSS URL.
Posted on 07-25-2018 08:01 AM
@mkolb Thanks! I should be good now.
Posted on 07-25-2018 08:03 AM
Okay .. my bad. Should have read the tiny text more carefully :P
OF COURSE it will get stored inside the JSS the configuration profile got pushed from..
What you enter in this field is just the text that gets shown to the user when FileVault gets enabled. Something like "Your trusty IT Department", and then the user would get a message like "Your FileVault recovery key will be stored at Your trusty IT Department".
So yes... it should work to report no matter what you enter there. Sorry for the misunderstanding!
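As an added illustration (not code from this thread or from Jamf), the Python below builds the escrow payload Marco describes and audits a profile for the two pitfalls discussed here: the legacy Recovery Key Redirection payload, which macOS 10.13 ignores, and the Location text, which is only shown to the user rather than used as an escrow URL. The payload type and key names are assumed from Apple's configuration profile reference; the com.example identifiers and "Example IT" are placeholders.

```python
import plistlib
import uuid

# Security & Privacy > FileVault "Enable Escrow Personal Recovery Key" payload (assumed type name)
ESCROW_TYPE = "com.apple.security.FDERecoveryKeyEscrow"
# Legacy "FileVault Recovery Key Redirection" payload; macOS 10.13+ no longer honours it
REDIRECT_TYPE = "com.apple.security.FDERecoveryRedirect"


def build_escrow_profile(location, org="Example IT"):
    """Minimal profile carrying the escrow payload. `location` is user-facing text only;
    the recovery key is sent back to the MDM that installed the profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.fv-escrow",        # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "FileVault key escrow",
        "PayloadOrganization": org,
        "PayloadContent": [{
            "PayloadType": ESCROW_TYPE,
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.fv-escrow.escrow",
            "PayloadUUID": str(uuid.uuid4()),
            "Location": location,   # shown in "Your FileVault recovery key will be stored at ..."
        }],
    }


def audit_profile(profile):
    """Return a list of findings explaining why a profile would fail to escrow on 10.13+."""
    findings = []
    payloads = profile.get("PayloadContent", [])
    if any(p.get("PayloadType") == REDIRECT_TYPE for p in payloads):
        findings.append("uses legacy FDERecoveryRedirect payload (ignored on macOS 10.13+)")
    escrow = [p for p in payloads if p.get("PayloadType") == ESCROW_TYPE]
    if not escrow:
        findings.append("no FDERecoveryKeyEscrow payload: key will not be escrowed")
    elif not str(escrow[0].get("Location", "")).strip():
        findings.append("escrow payload has empty Location (user-facing text)")
    return findings


def to_mobileconfig(profile):
    """Serialise to the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    """Parse a .mobileconfig so an existing profile can be audited."""
    return plistlib.loads(data)
```

Run `audit_profile(from_mobileconfig(open("profile.mobileconfig", "rb").read()))` against an exported profile to see which of the thread's mistakes it contains.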
Posted on 07-25-2018 11:04 AM
You may need to run a recon to get the keys. I've found that to be the case after the Profile/Policy has been deployed.
Posted on 05-02-2019 06:49 AM
You ever create the config profile and test and test and get nowhere, then realize you forgot to add the scope? Asking for a friend.