Filevault Config Profile Not Working

New Contributor

Hi All

I was poking around Jamf last week, running some smart searches for an Audit when I noticed that around 100 or so of our devices are not Encrypted, despite us having a configuration profile that is supposed to force Filevault upon first logout. 

The configuration profile is - 

Enable Filevault - Enabled
Event to prompt - At Logout
Recovery Keys - Personal
Display recovery key to user - Hidden
Prevent filevault from being disabled
Encryption Method - Automatic

I have a couple of users to check that the profile is installed, and it is. And It starts the process upon logout as expected - but they are met with an error message "error while enabling filevault for this user"

Anyone got any ideas what could be going wrong here? 

Any help would be appreciated!


Contributor III

Have you verified that the user account getting the error has secureToken? 

This article explains a bit more about secure token:

I would run this command to see if the user getting the error actually has a securetoken 

sysadminctl -secureTokenStatus username_goes_here