Hello folks.
Sorry for dredging up FileVault processes again, but I'm sort of in a muddle. Our situation/requirements are currently thus (for Intel and M1 MacBooks):
- The MacBooks are bound to AD
- Once domain-joined, the MacBook owner will have a non-admin mobile account created on first login
- FileVault to be enabled
- We need a local administrator user present (FileVault enabled) on the machine for the purposes of our support team
At present we create a hidden local admin account during prestage enrollment and this works fine, but the account then doesn't have a Secure Token for FileVault.
I'm assuming there must be a better workflow than the following:
- Ask the user to log in before we hand them the device
- Promote their account to admin status by hand
- Apply FileVault manually via the system preferences
- Run a script to pass the Secure Token back to our admin account
- Demote their mobile account back to standard
- Have a Jamf policy escrow the keys back
How do folks accomplish this in similar circumstances?
Any pointers useful! I think I've pickled my brain looking through all the threads.
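The two steps that usually go wrong in the workflow above are "does the admin account actually hold a Secure Token?" and "is it listed as a FileVault-enabled user?". Below is an added example, not code from the post or from Jamf, of a small script that checks both and, when asked, passes a token to the admin account from an account that already has one (what the post calls "pass the Secure Token back to our admin account"). Assumptions: the hidden admin is named `localadmin` (override with `ADMIN_USER`), the token-holding account and the two passwords arrive via the environment variables `TOKEN_HOLDER`, `ADMIN_PASS` and `TOKEN_HOLDER_PASS` (in a Jamf policy you would feed these from script parameters instead), and the check is run as root on the Mac itself. The parsing functions work on the text `sysadminctl -secureTokenStatus` and `fdesetup list` print, so they can be exercised offline with constructed sample output.

```shell
#!/bin/sh
# Added example, not from the original post: verify and repair the Secure Token
# state of a hidden local admin account after FileVault has been enabled.
# Assumed names: ADMIN_USER (hidden local admin), TOKEN_HOLDER (the account that
# turned FileVault on and therefore already holds a token). Passwords come from
# the environment purely to keep the example self-contained.

ADMIN_USER="${ADMIN_USER:-localadmin}"   # assumed account name
TOKEN_HOLDER="${TOKEN_HOLDER:-}"         # assumed: set by the caller

# Parse the status line of `sysadminctl -secureTokenStatus <user>`.
# macOS prints e.g. "... Secure token is ENABLED for user localadmin".
# Return codes: 0 = ENABLED, 1 = DISABLED, 2 = unrecognised output.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  return 0 ;;
        *"Secure token is DISABLED"*) return 1 ;;
        *)                            return 2 ;;
    esac
}

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user;
# keep only the usernames.
parse_fv_users() {
    printf '%s\n' "$1" | cut -d, -f1
}

# Live queries (macOS only). sysadminctl logs its status line to stderr,
# so stderr is merged before parsing.
token_status() {
    parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

fv_users() {
    parse_fv_users "$(fdesetup list)"
}

# Grant ADMIN_USER a Secure Token using TOKEN_HOLDER's credentials.
grant_token() {
    [ -n "$TOKEN_HOLDER" ] || { echo "TOKEN_HOLDER is not set" >&2; return 2; }
    sysadminctl -secureTokenOn "$ADMIN_USER" -password "$ADMIN_PASS" \
        -adminUser "$TOKEN_HOLDER" -adminPassword "$TOKEN_HOLDER_PASS"
}

# Report whether the admin account is in a usable state for support staff:
# it must hold a token AND appear in the FileVault user list.
run_check() {
    rc=0
    token_status "$ADMIN_USER" || rc=$?
    case "$rc" in
        0) echo "$ADMIN_USER: Secure Token ENABLED" ;;
        1) echo "$ADMIN_USER: Secure Token DISABLED (run '$0 grant' with TOKEN_HOLDER set)" ;;
        *) echo "$ADMIN_USER: could not read token status" >&2; return 2 ;;
    esac
    if fv_users | grep -qx "$ADMIN_USER"; then
        echo "$ADMIN_USER: listed as a FileVault-enabled user"
    else
        echo "$ADMIN_USER: NOT listed by 'fdesetup list'"
        rc=1
    fi
    return "$rc"
}

# With no argument the file only defines functions, so it can be sourced or tested.
case "${1:-}" in
    check) run_check ;;
    grant) grant_token && run_check ;;
    "")    ;;
    *)     echo "usage: $0 check|grant" >&2; exit 64 ;;
esac
```

Run `sh fv_admin_token.sh check` after the user has enabled FileVault, and `sh fv_admin_token.sh grant` (with `TOKEN_HOLDER`, `TOKEN_HOLDER_PASS` and `ADMIN_PASS` exported) to hand the token across; the `grant` path re-runs the check so the policy log shows the resulting state rather than just the command's exit code.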
