Jamf Nation Community

Thanks that is very helpful and yes all our users have AD accounts. Do you know if it is possible to force FileVault to nag the user to authenticate and complete setup?

On your Yosemite Macs, does a configuration profile ask the user to logout? The El Capitan bug related to AD users I think is related to FileVault policies and triggers other than at logout. My company was the one that first reported this to JAMF.

On all your Macs with AD accounts, the following will work right now:

1. Create a FileVault configuration under Computer Management->Disk Encryption Configurations
2. Create a policy that applies the FV config you just created "at next logout."
3. You can test this by also adding a custom trigger and manually running the policy that way.
4. If you have a local admin on the machine, make sure to exclude it from the policy so that the policy only runs when the AD user is logged into the Mac.
5. Eventually, you will see a Notification asking the user to logout. At that point the user will need to enter their password and then the Mac will reboot with encryption enabled.

At this time, I think this is the only way that will work for enabling FileVault on El Capitan with AD users. OS X 10.11.2 is supposed to fix it so that the other triggers like "at next login" work again but "at next logout" definitely works right now.

With that said, we don't use a configuration profile to enable FV. We only use the profile to prevent users from disabling FV after the fact.

Make sure there is a working Recovery Partition present, if your using monolithic images it may not be being laid down / updated during imaging. We had a few machines like this during testing, you might find the ones that suddently start working have updated to 10.11.1 and this has somehow updated / fixed the recovery partition.

Benjamin the policy I am currently using applies "at next logout" so it never asks the users to logout, its just that when users in Yosemite logout they are prompted for a password to begin encryption but this never happens for users in El Capitan.

How are you triggering your policy? When the policy runs, it shows a Notification banner that asks you to logout in caps. Just to be clear, the logout setting I'm referencing is the "at next logout" for the Disk Encryption section of the policy, not the trigger for the policy. We don't trigger the policy at "logout."

We image 100 Macs per day and this works. Our policy trigger is "custom" because we created a tiny AppleScript app for the provisioner to initiate this for the user but I know "recurring check-in" works as well.

I have this same problem with 10.11. and the computers I have been testing are not AD joined?

So what I do for the time being is exclude the configuration profile from the computer when I realize that logout is not prompting for enablement (config profile is gone) then logout, remove the exclusion, (config profile is there) login (config profile is back) logout and it works. I get prompted for fv2 enablement

@bmarks sorry for the confusion, I am not using a policy to enable Filevault, I am using a Configuration Profile, it is set to "Require FileVault 2" "If not already enabled, FileVault 2 will be enabled at next logout"
@tcandela I will try your suggestion tomorrow and update.

@saunders4now I am using configuration profile also to enable FV2 (no policy). When computer gets enrolled (laptop) it gets the FV2 config profile.

Having the same issue on 10.11 and they are NOT AD bound !!

had to exclude any 10.11 computers from the Config Profile when the CP did not prompt for logout, (this removed the profile from the excluded computer), logged in as the user, then removed the exclusion so the computer got the profile a second time, it then prompted at logout.

what i also have started to do, was before enrollment, via static or smart group - add the 10.11 computer that will be enrolled, into the static/smart group (i use SN as criteria) and put that group into the FV2 Config Profile exclusion. Then after it gets enrolled i remove it from the static/smart group, it gets the config profile and I am good to go.

The bug that was previously mention is specific to El Capitan AD Users FileVault Policy Triggers. It doesn't have anything to do with configuration profiles and/or AD users. The policy issue is supposed to be addressed in 10.11.2. In the meantime, the steps I outlined above were tested with Apple and JAMF months ago and will work. But, again, those steps are only needed for AD users.

I don't mean this it sound critical, but it may be best to follow JAMF's white paper for enabling and managing FileVault (which makes no mention of using a configuration profile.) I could outline a bunch of technical reasons, but from a support standpoint it may be best to use the official method for managing FV. We use the configuration profile too, but mainly because it disallows the user from turning off FileVault, so we install it after the fact.

@bmarks I am surprised to hear that JAMF's white papers do not recommend using configuration profiles to manage FileVault, this Configuration Profile was created for us as part of our JumpStart.

Configuration profiles to manage FV are newer than using a policy... Also you have more options/control using a policy.

C

@saunders4now Interesting. When I took the CCE class within the last year, there was a FileVault section of the class and we didn't cover the configuration profile at all. We only used the white paper which hasn't been updated for El Capitan specifically but is still pretty current.

I think it's safe to say that El Capitan has issues with certain triggers for the FileVault settings, AD users or not. Whether they all get fixed with 10.11.2 is TBD, but I can only say that the one that I previously detailed is planned to be addressed. I highlight the word triggers because the configuration profile doesn't really have a configurable trigger option... the trigger is when it gets pushed via APNS. And, with a policy, the only setting that seems to work is the "at next logout" setting on the Disk Encryption pane of the policy (which technically isn't a policy trigger either.) As for the actual policy trigger, the only ones we tested and know work are "recurring check-in" and "custom." We use "custom" in our environment because it is our provisioners that must ensure that each Mac is encrypted before handing it to the user, so we created a tiny AppleScript app that gets installed on the AD user's desktop which, when clicked, basically just runs the custom trigger. Most environments probably don't need that, but I mention it only to note which trigger options we tested.

While it may seem simple when I describe it, it actually took us weeks of working with Apple and JAMF together to figure out which combinations of settings would work. For us, we were previously using the "at next login" option on the Disk Encryption pane of the policy, and it didn't dawn on anyone for way too long that toggling that setting might resolve the issue.

So currently I am using a policy to enable FV2 on next log in, as that creates a loop that requires the encryption or the Mac just keeps rebooting. I am thinking that, it might be better for longterm that I should move to a config profile.

Anybody /tried/using/know that if the enable FV2 profile respects fdesetup -forceatlogin 0?

Thanks

C

PS in my test it did not, but I was just guessing on the key...