Hi All,
Ongoing reader, first time poster.
Relatively new environment. - large corp - strict compliance rules - small number of Macs enrolled thus far, but Mac environment growing rapidly.
Macs running Sierra 10.12.6 predominantly.
JAMF 10.1 on premise, Win2016 server.
I am experiencing an issue with the Filevault functionality on the Macs, and in particular the requirement to enforce Disk encryption. All settings/policies/profiles have been setup and applied to enforce disk encryption using individual recovery key type.
This works well, Macs that dont have Filevault enabled prior to enrol and for Macs with drives already encrypted. For the latter this is addressed via a script deployed via policy which then regenerates the recovery key. In both instances the recovery key gets escrowed to JSS successfully.
--> The issue is that if a user (with admin access) deliberately bypasses the above policies, and decrypts their disk. This cannot be done in sys prefs as its greyed out, but can an be achieved with few commands run in terminal.
There are commands/scripts that can be run to re-encrypt the disk but these require user-input, which, if the user has turned off encryption deliberately, they could just ignore/cancel the script. I need a way to re-enable by stealth and within a relatively short time, to ensure compliance.
Note: the policies and profiles for initial enrollment described above were implemented in conjunction with the JAMF engineer onsite during the JumpStart engagement and as stated work well, as long as a user does not then disable.
thanks all..
