FileVault Configuration Profile not Completing on El Capitan

saunders4now
New Contributor

JSS Version 9.81. We have created a configuration profile to enable FileVault Disk Encryption and scoped it to All Computers, to install automatically at the Computer Level. When we install the Casper agent on systems running Yosemite this Configuration Profile applies correctly and encryption begins on the next logout. However, when we install the Casper agent on any system running El Capitan, encryption never happens. Under inventory, FileVault 2 shows Not Configured. When we check the status of the Configuration Profile in the JSS server logs it shows Completed for the El Capitan systems, even though encryption is not enabled. Can anybody help us determine why this Configuration Profile does not work on El Capitan? (A few systems suddenly enable FileVault after a week with no intervention.) Thanks in advance.


Kaltsas
Contributor III

There is a deferral bug in 10.11. In my experience it only affects AD accounts, so our workaround is run the policy while under a local user.

If you run fdesetup status it should show FileVault is in a deferred state, but it never "nags" the user to authenticate to complete setup.

It appears to be resolved in the 10.11.2 beta.

saunders4now
New Contributor

Thanks that is very helpful and yes all our users have AD accounts. Do you know if it is possible to force FileVault to nag the user to authenticate and complete setup?

bmarks
Contributor II

On your Yosemite Macs, does a configuration profile ask the user to logout? The El Capitan bug related to AD users I think is related to FileVault policies and triggers other than at logout. My company was the one that first reported this to JAMF.

On all your Macs with AD accounts, the following will work right now:

  1. Create a FileVault configuration under Computer Management->Disk Encryption Configurations
  2. Create a policy that applies the FV config you just created "at next logout."
  3. You can test this by also adding a custom trigger and manually running the policy that way.
  4. If you have a local admin on the machine, make sure to exclude it from the policy so that the policy only runs when the AD user is logged into the Mac.
  5. Eventually, you will see a Notification asking the user to logout. At that point the user will need to enter their password and then the Mac will reboot with encryption enabled.

At this time, I think this is the only way that will work for enabling FileVault on El Capitan with AD users. OS X 10.11.2 is supposed to fix it so that the other triggers like "at next login" work again but "at next logout" definitely works right now.

With that said, we don't use a configuration profile to enable FV. We only use the profile to prevent users from disabling FV after the fact.

Look
Valued Contributor III

Make sure there is a working Recovery Partition present; if you're using monolithic images it may not be being laid down / updated during imaging. We had a few machines like this during testing. You might find the ones that suddenly start working have updated to 10.11.1 and this has somehow updated / fixed the recovery partition.
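Two checks come up in this thread: whether `fdesetup status` reports a deferred enablement that never completed (Kaltsas' post above), and whether a Recovery partition is actually present (the post just above). The script below is an added example written for this thread, not code from any poster or from JAMF. It parses the text of those two commands into a single inventory-style result; the sample outputs embedded in it are constructed to match the 10.11 format as I remember it and are only used when the real commands are not available, so the same script can be exercised off a Mac.

```bash
#!/bin/bash
# Added example, not from the original thread. Classifies FileVault state from
# `fdesetup status` text and checks `diskutil list` text for a Recovery partition.
# The SAMPLE_* strings are constructed stand-ins, used only when the real
# commands are absent (e.g. when this runs somewhere other than macOS).

SAMPLE_FV_ON="FileVault is On."
SAMPLE_FV_OFF="FileVault is Off."
SAMPLE_FV_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

SAMPLE_DISKUTIL='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            250.1 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

# classify_fv_status TEXT -> prints one of: on, deferred, off, unknown.
# "deferred" is the state the thread describes: enablement was requested but
# the user was never prompted, so the volume is still unencrypted.
classify_fv_status() {
  local text="$1"
  if printf '%s\n' "$text" | grep -q '^FileVault is On'; then
    echo on
  elif printf '%s\n' "$text" | grep -qi 'Deferred enablement'; then
    echo deferred
  elif printf '%s\n' "$text" | grep -q '^FileVault is Off'; then
    echo off
  else
    echo unknown
  fi
}

# deferred_user TEXT -> prints the account named in the deferral line, if any.
deferred_user() {
  printf '%s\n' "$1" | sed -n "s/.*active for user '\([^']*\)'.*/\1/p"
}

# has_recovery_partition TEXT -> exit 0 if an Apple_Boot "Recovery HD" slice is listed.
has_recovery_partition() {
  printf '%s\n' "$1" | grep -q 'Apple_Boot *Recovery HD'
}

# report -> prints a Jamf extension-attribute style <result> line. Uses the
# real commands when present, otherwise the constructed samples above.
report() {
  local fv dk state rec who
  if command -v fdesetup >/dev/null 2>&1; then
    fv=$(fdesetup status 2>/dev/null || true)
  else
    fv="$SAMPLE_FV_DEFERRED"
  fi
  if command -v diskutil >/dev/null 2>&1; then
    dk=$(diskutil list 2>/dev/null || true)
  else
    dk="$SAMPLE_DISKUTIL"
  fi
  state=$(classify_fv_status "$fv")
  who=$(deferred_user "$fv")
  if has_recovery_partition "$dk"; then rec=present; else rec=missing; fi
  echo "<result>filevault=$state${who:+ deferred_user=$who} recovery=$rec</result>"
}

report
```

Run as-is on a 10.11 Mac it prints something like `<result>filevault=deferred deferred_user=jdoe recovery=present</result>`, which is exactly the combination this thread is chasing: a deferral that was registered but never prompted, on a machine whose recovery partition is fine. Dropping it into a Jamf extension attribute lets you build a smart group of "deferred but not encrypted" Macs instead of waiting for inventory to say Not Configured.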

saunders4now
New Contributor

Benjamin, the policy I am currently using applies "at next logout", so it never asks the users to log out. It's just that when users on Yosemite log out they are prompted for a password to begin encryption, but this never happens for users on El Capitan.

bmarks
Contributor II

How are you triggering your policy? When the policy runs, it shows a Notification banner that asks you to logout in caps. Just to be clear, the logout setting I'm referencing is the "at next logout" for the Disk Encryption section of the policy, not the trigger for the policy. We don't trigger the policy at "logout."

We image 100 Macs per day and this works. Our policy trigger is "custom" because we created a tiny AppleScript app for the provisioner to initiate this for the user but I know "recurring check-in" works as well.

tcandela
Valued Contributor II

I have this same problem with 10.11, and the computers I have been testing are not AD joined.

So what I do for the time being is exclude the configuration profile from the computer when I realize that logout is not prompting for enablement (config profile is gone), then log out, remove the exclusion (config profile is there), log in (config profile is back), log out, and it works. I get prompted for FV2 enablement.

saunders4now
New Contributor

@bmarks sorry for the confusion. I am not using a policy to enable FileVault, I am using a Configuration Profile; it is set to "Require FileVault 2" ("If not already enabled, FileVault 2 will be enabled at next logout").
@tcandela I will try your suggestion tomorrow and update.

tcandela
Valued Contributor II

@saunders4now I am using configuration profile also to enable FV2 (no policy). When computer gets enrolled (laptop) it gets the FV2 config profile.

Having the same issue on 10.11 and they are NOT AD bound !!

I had to exclude any 10.11 computers from the Config Profile when the CP did not prompt for logout (this removed the profile from the excluded computer), logged in as the user, then removed the exclusion so the computer got the profile a second time; it then prompted at logout.

What I have also started to do, before enrollment, is add the 10.11 computer that will be enrolled into a static/smart group (I use SN as criteria) and put that group into the FV2 Config Profile exclusion. Then after it gets enrolled I remove it from the static/smart group, it gets the config profile, and I am good to go.

bmarks
Contributor II

The bug that was previously mentioned is specific to El Capitan AD Users FileVault Policy Triggers. It doesn't have anything to do with configuration profiles and/or non-AD users. The policy issue is supposed to be addressed in 10.11.2. In the meantime, the steps I outlined above were tested with Apple and JAMF months ago and will work. But, again, those steps are only needed for AD users.

I don't mean this to sound critical, but it may be best to follow JAMF's white paper for enabling and managing FileVault (which makes no mention of using a configuration profile). I could outline a bunch of technical reasons, but from a support standpoint it may be best to use the official method for managing FV. We use the configuration profile too, but mainly because it disallows the user from turning off FileVault, so we install it after the fact.

saunders4now
New Contributor

@bmarks I am surprised to hear that JAMF's white papers do not recommend using configuration profiles to manage FileVault; this Configuration Profile was created for us as part of our JumpStart.

gachowski
Valued Contributor II

Configuration profiles to manage FV are newer than using a policy... Also you have more options/control using a policy.

C

bmarks
Contributor II

@saunders4now Interesting. When I took the CCE class within the last year, there was a FileVault section of the class and we didn't cover the configuration profile at all. We only used the white paper which hasn't been updated for El Capitan specifically but is still pretty current.

I think it's safe to say that El Capitan has issues with certain triggers for the FileVault settings, AD users or not. Whether they all get fixed with 10.11.2 is TBD, but I can only say that the one that I previously detailed is planned to be addressed. I highlight the word triggers because the configuration profile doesn't really have a configurable trigger option... the trigger is when it gets pushed via APNS. And, with a policy, the only setting that seems to work is the "at next logout" setting on the Disk Encryption pane of the policy (which technically isn't a policy trigger either.) As for the actual policy trigger, the only ones we tested and know work are "recurring check-in" and "custom." We use "custom" in our environment because it is our provisioners that must ensure that each Mac is encrypted before handing it to the user, so we created a tiny AppleScript app that gets installed on the AD user's desktop which, when clicked, basically just runs the custom trigger. Most environments probably don't need that, but I mention it only to note which trigger options we tested.

While it may seem simple when I describe it, it actually took us weeks of working with Apple and JAMF together to figure out which combinations of settings would work. For us, we were previously using the "at next login" option on the Disk Encryption pane of the policy, and it didn't dawn on anyone for way too long that toggling that setting might resolve the issue.

gachowski
Valued Contributor II

So currently I am using a policy to enable FV2 on next login, as that creates a loop that requires the encryption or the Mac just keeps rebooting. I am thinking that it might be better for the long term that I should move to a config profile.

Anybody tried/using/know whether the enable FV2 profile respects fdesetup -forceatlogin 0?

Thanks

C

PS in my test it did not, but I was just guessing on the key...