FileVault Profile not enforced - how to reapply profile/ensure Disk encryption.

RJH
Contributor

Hi All,

Ongoing reader, first time poster.

Relatively new environment: large corp, strict compliance rules, small number of Macs enrolled thus far, but the Mac environment is growing rapidly. Macs running Sierra 10.12.6 predominantly. JAMF 10.1 on premise, Win2016 server.
I am experiencing an issue with the FileVault functionality on the Macs, and in particular the requirement to enforce disk encryption. All settings/policies/profiles have been set up and applied to enforce disk encryption using the individual recovery key type. This works well, both for Macs that don't have FileVault enabled prior to enrolment and for Macs with drives already encrypted. For the latter this is addressed via a script deployed via policy which then regenerates the recovery key. In both instances the recovery key gets escrowed to the JSS successfully.
The issue is that a user (with admin access) can deliberately bypass the above policies and decrypt their disk. This cannot be done in System Preferences, as it is greyed out, but it can be achieved with a few commands run in Terminal. There are commands/scripts that can be run to re-encrypt the disk, but these require user input, which, if the user has turned off encryption deliberately, they could just ignore/cancel. I need a way to re-enable it by stealth and within a relatively short time, to ensure compliance. Note: the policies and profiles for initial enrollment described above were implemented in conjunction with the JAMF engineer onsite during the JumpStart engagement and, as stated, work well, as long as a user does not then disable it.

thanks all..

5 REPLIES

jalcorn
Contributor II

What about a smart group that encrypts any unencrypted drives?

Sure it won't be stealth, but it will get turned back on, and if someone did it on purpose they would know it can just get turned back on. Also you could have the group alert you if there are machines unencrypted so you can let the user know that won't fly.

RJH
Contributor

Thanks jalcorn. When you say "smart group that encrypts any unencrypted drives", if I understand correctly the user would still need to enter their password to re-encrypt, so the user could just ignore the prompt? Is that correct?
In that scenario we (admins) would get notification and visibility that it was still unencrypted, so we can then contact the customer, but I was hoping for a way to effectively force the compliance.

jalcorn
Contributor II

@rhill no they can't ignore it. It forces it to happen.

RJH
Contributor

@jalcorn, when you say it forces it to happen, can you elaborate? I believe any re-encryption will still require the user to enter their current password.

thanks

jalcorn
Contributor II

@rhill Well, they have to log on. But that's when it prompts them to encrypt the drive. If they click cancel they are put back at the log on screen. They won't be able to get in until they say yes to encrypt.
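The smart group jalcorn describes needs something to key off, and the usual input is an extension attribute that reports the machine's FileVault state. The script below is an added example (not code from either poster or from Jamf) in the shape of such an extension attribute: it classifies the text of `fdesetup status` into a state, so that a smart group can catch drives that have been turned off or are mid-decryption, not just "Off". The sample outputs are constructed to resemble what `fdesetup status` prints; the `--live` flag is an assumption of this example.

```shell
#!/bin/sh
# Added example: classify `fdesetup status` output for a Jamf extension
# attribute / smart group. Sample strings below are constructed, not captured.

# fv_state <status text>: print one of ON, ENCRYPTING, DECRYPTING, DEFERRED,
# OFF, UNKNOWN. "in progress" lines are checked before the On/Off line because
# fdesetup prints both during a transition (e.g. Off + Decryption in progress).
fv_state() {
  case "$1" in
    *"Decryption in progress"*) echo "DECRYPTING" ;;
    *"Encryption in progress"*) echo "ENCRYPTING" ;;
    *"Deferred enablement"*)    echo "DEFERRED" ;;
    *"FileVault is On"*)        echo "ON" ;;
    *"FileVault is Off"*)       echo "OFF" ;;
    *)                          echo "UNKNOWN" ;;
  esac
}

# fv_compliant <status text>: exit 0 only when the disk is protected or on its
# way to being protected. DEFERRED is deliberately non-compliant: the user has
# not yet accepted the prompt, which is exactly the case the thread is about.
fv_compliant() {
  case "$(fv_state "$1")" in
    ON|ENCRYPTING) return 0 ;;
    *)             return 1 ;;
  esac
}

# Constructed samples that mimic fdesetup output.
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
SAMPLE_DECRYPT=$(printf 'FileVault is Off.\nDecryption in progress: Percent completed = 76.')
SAMPLE_DEFERRED=$(printf "FileVault is Off.\nDeferred enablement appears to be active for user 'jdoe'.")

if [ "${1:-}" = "--live" ] && command -v fdesetup >/dev/null 2>&1; then
  # On a Mac, report the live state in Jamf extension-attribute format.
  echo "<result>$(fv_state "$(fdesetup status 2>/dev/null)")</result>"
else
  # Elsewhere, show how each constructed sample is classified.
  for s in "$SAMPLE_ON" "$SAMPLE_OFF" "$SAMPLE_DECRYPT" "$SAMPLE_DEFERRED"; do
    if fv_compliant "$s"; then c="compliant"; else c="NOT compliant"; fi
    echo "$(fv_state "$s"): $c"
  done
fi
```

Scope a smart group on the extension attribute being anything other than ON or ENCRYPTING, and the FileVault enablement policy plus the admin alert jalcorn mentions can both hang off that one group.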