FileVault - User not prompted to encrypt

VL
New Contributor III

I'm trying to configure Jamf Pro to enforce the company requirement that devices are encrypted. Created a Configuration Profile that has Security and Privacy > FileValut > Enable FileVault enabled, but have also set Event to prompt FileVault enablement > At Login and Allow user to bypass FileVault prompts at login > Require after 3 attempts. However, when testing the Configuration Profile against my MacBook - which has FileVault turned off - I am not being prompted to enable FileVault.

I have repeatedly logged out/in, shutdown/started my laptop but at no time have I been prompted to enable FileVault. While my user account is a Standard user, I have tried logging in as the Admin user but still don't get prompted to enable FileVault.

What am I missing?

7 REPLIES 7

Tribruin
Valued Contributor II

Does your user have a Secure Token? Only a user with a secure token can enable FileVault. 

run this command in terminal to see if your user has a Secure Token:
sysadminctl -secureTokenStatus <<username>>

If you user does not have a secure token, you will need a user with a Secure Token to grant your user a secure token. 

VL
New Contributor III

Thanks for the response, @Tribruin, and having running the command for both my Standard user and the Admin user it reports for both that Secure Token is ENABLED.

Tribruin
Valued Contributor II

What are the results of these two commands:

fdesetup status

sudo fdesetup list

 

AJPinto
Honored Contributor III

What do you get when you run "fdesetup status"?

 

 

VL
New Contributor III

Sorry for the delay in following up your messages @Tribruin and @AJPinto.

Regarding running fdesetup status as both my Standard user account and the local Admin account, both report FileVault is Off.

As for sudo fdesetup list:

glennc,785E02A2-6698-4BFC-A506-C6BF02B14585

admin,AABDB9D3-9953-4A62-B8FE-5D3C060002B2

 

AJPinto
Honored Contributor III

According to the terminal output, FileVault is on. Users wont have FileVault tokens if FileVault is disabled. Assuming admin and glennc are your accounts, they should have FileVault tokens. 

 

Just a suggestion. User a different account name then admin for your local admin account, that name is really easy to guess.

VL
New Contributor III

@AJPinto don't know what "terminal output" you are referring to, but I'm not seeing anything that would indicate FileVault is ON.

System Settings > Privacy & Security > FileVault states OFF and if I select the option I have the option to Turn On...

Jamf Pro > Computers > Search Inventory > Select my laptop > Inventory > Disk Encryption states Not Encrypted.

Thanks for the comment regarding the admin username.