FileVault Enable During Enrollment


Does anyone have a tried and true process for enabling FileVault during enrollment?

Our Macs have been "out in the wild" for a few years, and we've been slowly getting them all enrolled in JAMF. We initially enrolled most of the population w/o FileVault enabled (bad idea). We've since gotten most of them set up with FileVault with the recovery key escrowed in JAMF.

Anyway, now I am looking for a good method of enabling FileVault during the enrollment process for new Mac users or stragglers who have not yet enrolled. I have a policy set up for FileVault, with the FileVault configuration payload set up. Set up for require at next log out, triggered for enrollment complete. Seems like it should work.

Problem that I am seeing is, it doesn't seem to run properly. Logs state: Deferred enablement appears to be active for user 'johndoe'

FileVault never seems to kick off...

We've been monkeying around with FileVault enforcement for a while, so I assume that's why.. just wondering if there's a way to fix this?



@Bhughes, are you forcing a reboot with this policy (either immediate or delayed)? I had a similar issue when forcing a reboot. The user will not be prompted at logout if the system forces the reboot. I opened a case with support and they said that is by design, not a defect. So, in that situation, the only way for the user to get prompted was for them to perform a manual restart. Also, I believe, even if they are prompted it will time out if no action is taken.

Another option, which may work, is to force a reboot but have it enable at next login. I haven't used that method but it may work better in your situation.


@bkramps yeah, I have restart set to immediately. Yeah, enable at next logon might be a good approach. I will try that. Thanks!

Seems like this would be a pretty common need - I am surprised there isn't a more standard method.