FileVault Group Calculation

Kaltsas
Contributor III

We are in the process of encrypting all of our laptops, per security office directive. I have had a saved search based on the following criteria.

FileVault 2 Status is not Boot Partitions Encrypted
and
Model like Macbook

After updating to 9.62 I noticed the clients in this saved search jumped dramatically. Looking at the clients now showing in the search I can see they are

Macintosh HD (Boot Partition)
FileVault 2 Partition Encryption State:Encrypted

ala boot partition is encrypted.

Upon looking it appears that the JSS is not calculating the search correctly based on the FileVault 2 Status criteria. I can search for something like FileVault 2 Status is No Partitions Encrypted and the JSS returns clients that have one or more partitions encrypted.

Wondering if anyone else can replicate this behavior before I harass our TAM, or if I'm just messing up the logic (though single criteria No Partitions Encrypted seems pretty hard to mess up).


thoule
Valued Contributor II

I think JAMF's FV status is returned through config profiles, which seem flaky on anything but 10.9+ machines. Rich Trouton's script to look at FV2 status is the most reliable. I think this is the one I'm using - works well. https://derflounder.wordpress.com/2011/10/13/filevault-2-encryption-status-check-script/

davidacland
Honored Contributor II

That's the same for our JSS (on 9.61).

I'm trying:

FileVault 2 Partition Encryption State is "Not Encrypted"

and it shows up the ones that are encrypted.

Kaltsas
Contributor III

It calculates correctly if I use disk encryption configuration as the criteria, but I've been told not to make an effort to reencrypt laptops that were encrypted before I implemented Casper. Thanks for the verification. I'm going to look at Rich's EA, but I will also poke our TAM.

mm2270
Legendary Contributor III

I second using an Extension Attribute for this. While we're not using Rich's, we have one that is similar and it's much more reliable for us. We've always had weird results using the built-in one from JAMF.
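An extension attribute of the kind recommended in the replies above, as an added example that is not part of the thread and is not Rich Trouton's script: it classifies the text printed by `fdesetup status` and emits it in the `<result>` form Jamf extension attributes use. The status strings it matches are assumptions about fdesetup's wording, and the function name `classify_fv_status` is hypothetical.

```shell
#!/bin/bash
# Added example (not Rich Trouton's script): Jamf extension attribute that
# reports FileVault 2 state from the text printed by `fdesetup status`.

# Map status text ($1) to one stable value usable as smart group criteria.
# The matched strings are assumed fdesetup wording.
classify_fv_status() {
    local text="$1" pct
    # Pull a percentage out of the text if a conversion is running.
    pct=$(printf '%s\n' "$text" |
        sed -n 's/.*Percent completed = \([0-9.]*\).*/\1/p' | head -n 1)
    # In-progress lines are tested first because an On/Off line can
    # accompany them in the same output.
    case "$text" in
        *"Encryption in progress"*) echo "Encrypting${pct:+ ${pct}%}" ;;
        *"Decryption in progress"*) echo "Decrypting${pct:+ ${pct}%}" ;;
        *"FileVault is On"*)        echo "Encrypted" ;;
        *"FileVault is Off"*)       echo "Not Encrypted" ;;
        *)                          echo "Unknown" ;;
    esac
}

# Query the local machine only where fdesetup exists (OS X 10.8 and later);
# anything else is reported as Unknown rather than guessed.
if command -v fdesetup >/dev/null 2>&1; then
    echo "<result>$(classify_fv_status "$(fdesetup status 2>&1)")</result>"
else
    echo "<result>Unknown</result>"
fi
```

A smart group built on this attribute can then use criteria such as "is not Encrypted", independent of the built-in FileVault 2 Status calculation.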

guidotti
Contributor II

Remember that there was a defect for status that was fixed in 9.62...
Not sure of the exact information here; maybe Rich or a JAMF associate can jump in.
There are three defects listed as fixed in the release notes with the word FileVault.

thoule
Valued Contributor II

@guidotti Looks like something was addressed there.
Note: JAMF/Apple are beginning to recommend Profiles instead of policies for FileVault on 10.10 and up.

Fixed in 9.62
[D-007885] Fixed an issue that caused the JSS API to return the FileVault 2 encryption status as "Not Encrypted" when a computer with OS X v10.10 was encrypted.

Still outstanding:
[D-007823] Policies configured to require users to enable FileVault 2 in a disk encryption payload fail to do so on a computer with OS X v10.10.

guidotti
Contributor II

That last one must be why my encryption payload policy does not work on OS X 10.10.1...

Kaltsas
Contributor III

I opened a ticket with JAMF. On further investigation, the groups only calculate incorrectly for 10.10 clients. I am looking at Rich's fine EA, but JAMF should fix this.

If I do the following

Model like MacBook
FileVault 2 Status is not Boot Partitions Encrypted
Operating System like 10.10.

It returns 38 10.10 clients, almost all of which have the Boot Partition Encrypted, when it should return the 4 10.10 clients that don't have the boot partition encrypted.

mm2270
Legendary Contributor III

Wasn't that fixed in 9.62, or is there still a defect around FileVault and 10.10 reporting? I'm confused. I'd like to know since we're beginning to do heavier 10.10 testing/image building to get something out to clients soon. Not having correct FileVault 2 reporting won't be a good thing. Are we going to have to wait for 9.63?

chriscollins
Valued Contributor

9.62 has fixed the issues where the File Vault Status for boot volumes was not being reported correctly for 10.10 machines.

Kaltsas
Contributor III

The status is being reported correctly when you look at the client information, it's just not calculating smart group/search correctly when using FileVault 2 Status as criteria.

chriscollins
Valued Contributor

@Kaltsas not sure what the issue is in your environment but our smart groups before 9.62 would not add 10.10 machines that had "FileVault 2 Status" criteria set to Boot Partitions Encrypted but after we ran the update within a minute it added all of our encrypted 10.10 machines to the smart group.

zmbarker
Contributor

@Kaltsas @mm2270 @chriscollins In my findings on 9.62, I have 2 10.10.1 machines sitting on the same desk with FV2 enabled.

In JSS on the "FileVault 2 Partition Encryption State:" within the Disk Encryption section:
Machine 1 reports -- Encrypted
Machine 2 reports -- Yesterday at 4:30 PM

It appears the information is being reported the same, however Machine 2's reports are shifted down. Not sure if this is just the web interface or if it is indeed in different locations in the SQL database table. I am curious if this is what might be causing the calculations to be off. My calculation reports back 1 machine instead of 2 machines.

mm2270
Legendary Contributor III

Huh, that's odd. I would get a screenshot of that over to your account rep ASAP. If this is what it's doing, then yeah, something is being shifted somehow in the reporting, because "Yesterday at 4:30 PM" is obviously not a FileVault 2 encryption status :)

zmbarker
Contributor

@mm2270 - I sent it over to my account rep just now.

zmbarker
Contributor

Strangely enough, Machine 2 is all of a sudden reporting correctly, and it is now added into the smart group. I did nothing to fix the issue, except close out of the Machine 2 computer details est. 10 times, and now it is reporting correctly. It is good that it fixed itself, not good if this happens on a lot more computers.

mm2270
Legendary Contributor III

Hah, gotta love when things mysteriously fix themselves. I wonder if it was just a browser cache issue? What browser are you using when viewing it? FWIW, I now use Firefox exclusively when working in the JSS, because Safari basically sucks when in the JSS v9.

guidotti
Contributor II

Yes, Safari randomly drops the sidebar from JSS 9.62 for me...