Filevault Configuration Profile not encrypting

Asnyder
Contributor III

I have a configuration profile for FileVault to encrypt certain machines and escrow the PRK to the JSS. This worked on two machines, but now the rest of them aren't encrypting at all. They're in scope and have the config profile. It is a computer-level profile; does it need to be switched to user level?

Also, the computer does restart after it receives the profile. On the first two machines it gave the regular "enter your password for FileVault" and "here is your recovery key" dialogues. None of the others will, even after restarting multiple times and connecting to power. All machines are running 10.13.3, so I'm not sure why the first two worked and the rest aren't.


timlarsen
Contributor

We are totally in the same boat. Ordered a bunch of machines that shipped with 10.13.3, configured them, and only 2 or 3 times out of 10 would FV kick off on logout as is expected. We have a configuration profile very similar to your own, except in ours we also have the FileVault Recovery Key Redirection payload configured to redirect to our Jamf Pro server. Per Apple, the easiest way to kick this off is to literally go into the Security & Privacy GUI and turn it on for the (first) user you want it enabled for, or do so via fdesetup in a script/command line. Another option is to do what we internally call "resetting MDM", which involves removing the MDM profile, then re-adding it; this effectively forces the machine to check in with Apple and re-receive all of the configuration profiles it is meant to receive, re-"enforcing" the managed settings. In our experience, this almost always triggers encryption, prompting the user for their password, and (if enabled) prompting them with the PRK on next logout.

I've been meaning to submit a help ticket to Jamf or Apple about this, but have not gotten around to it yet.

Asnyder
Contributor III

@timlarsen I talked with someone in the MacAdmins Slack and they pointed me in the right direction. The profile was being applied before the user account was created, so it was enabling FileVault for the setup user (_mbsetupuser).

To check this, read the plist on the machine:

defaults read /Library/Preferences/com.apple.fdesetup.plist

It'll show the user it's enabled for. If it's like mine, you'll want to turn off the config profile temporarily and do a sudo fdesetup disable on machines that have it set to the setup user. Once they restart, you should be able to apply the profile again. On a side note, I learned today that you can add a local user exclusion on config profiles. I added one for _mbsetupuser so this doesn't happen again (I hope).
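The check described in the post above, written out as a small shell helper that flags machines where the FileVault enablement landed on the Setup Assistant account. This is an added example, not a script from the thread or from Jamf. It assumes the macOS `defaults read` output format shown in the constructed samples; the `EnabledUsers` key name in those samples is an assumption, and the check deliberately only looks for the `_mbsetupuser` account name so it does not depend on which key the plist actually uses.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether the FileVault
# configuration profile was consumed by _mbsetupuser instead of a real user.

SETUP_USER="_mbsetupuser"

# Return 0 (true) if the text of a `defaults read` run names the setup user.
fdesetup_bound_to_setup_user() {
    printf '%s\n' "$1" | grep -q "$SETUP_USER"
}

# Run the thread's check on a live Mac and print the remediation from the post.
# Exit codes: 0 = clean, 1 = bound to setup user, 2 = could not read plist.
check_mac_fdesetup() {
    plist=/Library/Preferences/com.apple.fdesetup.plist
    if [ ! -r "$plist" ]; then
        echo "no readable $plist (profile not applied yet, or not macOS)"
        return 2
    fi
    out=$(defaults read "$plist" 2>/dev/null) || { echo "defaults read failed"; return 2; }
    if fdesetup_bound_to_setup_user "$out"; then
        echo "FileVault enablement is bound to $SETUP_USER."
        echo "Unscope the profile, run 'sudo fdesetup disable', restart, then re-scope it."
        return 1
    fi
    echo "$plist does not reference $SETUP_USER"
    return 0
}

# Constructed sample outputs standing in for `defaults read` on two machines.
# The key name "EnabledUsers" is assumed; only the account name matters here.
SAMPLE_BAD='{
    EnabledUsers = ( "_mbsetupuser" );
}'
SAMPLE_GOOD='{
    EnabledUsers = ( "jdoe" );
}'

# Only touch the real plist when actually running on macOS.
if [ "$(uname)" = "Darwin" ]; then
    check_mac_fdesetup || true
fi
```

Run it as root on a suspect machine; a non-zero exit of 1 from `check_mac_fdesetup` means the profile should be unscoped and `fdesetup disable` run before re-applying, exactly as the post describes.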

fredb
New Contributor

@asnyder Did adding the exclusion for the _mbsetupuser work for you?