FileVault Problems with Big Sur, jams pro and jams connect

BookMac
New Contributor II

Hey guys,

 

we are using jamf pro with jamf connect(we have Azure AD) and all our clients have big sur installed. We are deploying a hiden admin with prestage enrollment. Our users are local users without admin rights. We have configured a configuration profile to activate our macs with filevault. At first we have used the configuration profile with the logout option. But a few macs have problems to activate filevault. I changed to logon. But there are problems too. At first we also have clients were filevault is not activated. And on the other hand filevault is activated but in jamf are no keys visible and there are not the same entries under filevault. In my opinion it looks random if it works or not. When filevault is not activated we reinstall the mac.

Since this week I figured out that if I add a new configuration profile for filevault, jamf is adding a certificate payload in this profile. On my first configuration profile was nothing like that.

May someone help me or give me a hint. We are using jamf pro since may and I don’t have much experience with jamf. I read some articles here and found threads with secure token and bootstrap token but my experience is also zero there. 😞

Where can I find some useful logs or a best practice to use filevault?

 

Cheers from germany

8 REPLIES 8

Smithamborough
New Contributor

Additional login prompts for users—When FileVault is enabled on a computer with macOS 10.15 or earlier, a login screen is displayed before macOS launches via an extensible firmware interface (EFI). This login screen is built-in at the EFI level or a special boot loader in computers with the T2 chip. liteblue The user must enter their FileVault password to unlock the boot drive and launch macOS. Once unlocked, FileVault passes the user's password to the macOS loginwindow application and automatically logs in the user and loads the Finder. 

NOVELLUS
Contributor

Hi @BookMac

on my experience, it is not possible to auto-enable other users to FileVault. We had the same situation and created a visible and a hidden local administrator on our Macs but it was not possible to give them permission to FileVault with a policy or other methods. There is an interesting article at this community, telling about a shell script, that seems to solve this issue, but I was not successfull on my tests. (see here: https://www.jamf.com/jamf-nation/discussions/28939/securetoken-for-admin-accounts)
Regards from Germany, too 😉

beeboo
Contributor

i just got some light confirmation from my TAM/support and we are running into something similar, though not the same

difference is that our users are admins

 

While the hidden account gets the secure token, the user created during setupassistant does not hence i have to deploy a script to run in self service that uses applescript and jamfhelper to ask the user to enter their creds.

Thats the only way i have been getting my users to get FV2 enabled properly.

Almost assuredly all my new enrollments, even going back a few months, have failed FV2 enablement, and the user has FV2 stuck in deferment

 

"It looks like we may be running in to an open product issue here - PI-007582. An Apple bug, FB7361976, has also been created in conjunction with this."

- Jamf support

BookMac
New Contributor II

May you show me your script pls? So if FV2 is not enabled the user has to run the Script in Self Service, the user enters the credentials and then FV2 is enabled or is a reboot necessary?

 

Cherrs

CurrentUser=$(stat -f%Su /dev/console)
UIDCurrentUser=$(id -u "$CurrentUser")
adminPASS="{enter info here}"


jamfHELPERHEADER="{enter info here}"
jamfHELPERicon="{enter info here}"
jamfHELPERbody2="{enter info here}"

popup=`/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -description "$jamfHELPERbody" -heading "$jamfHELPERHEADER" -icon "$jamfHELPERicon" -button1 "Continue" -defaultButton 1`

if [[ "$popup" == "0" ]]; then]
	#Ask User Password
	userPassword=$(/bin/launchctl asuser "$UIDCurrentUser" sudo -iu "$CurrentUser" /usr/bin/osascript -e 'Tell application "System Events" to display dialog "Password for user: '${CurrentUser}'" default answer "" with title "{enter info here}" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')
	#Enable SecureToken for the CurrentUser and adminUser
	sysadminctl -adminUser {admin username} -adminPassword $adminPASS -secureTokenOn $CurrentUser -password $userPassword
	#Notification
	/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -description "$jamfHELPERbody2" -button1 "Ok" -icon "$jamfHELPERicon"
fi

exit 0

 

Script is in self service in case users feel funky about the pw prompt, so it feels more legit

user gets prompted for their password using osascript, and osascript will show the current users username so its more personal instead of just asking for a password.

you may need to add a PPPC profile for osascript/jamfhlper/terminal but thats about it, otherwise they will get a prompt to allow that in Security & Privacy, but thats like a 2 second process at most.

 

A reboot is ideal with a validation using terminal commands to ensure securetoken is passed off and fdesetup status is ENABLED

BookMac
New Contributor II

Hi,

i've tried the script. I've got an error in line 19. And deleted 

if [[ "$popup" == "0" ]]; then]

and

fi

 The Script is running now and i got the popup in self service but in the policy logs i get this:

Details

there's a typo there, 

then]

should just be "then"

 

 

for the admin credentials are you putting in the right credentials and ensuring that the user has a secure token to pass off. 

BookMac
New Contributor II

thx for the hint with the typo.

yes the admin user is fv2 user and has a secure token. if i change the line to

"sysadminctl interactive -secureTokenOn $CurrentUser -password $userPassword"

a popup appears where i enter the name and the password of the admin and this works but is not silent.