Filevault Workflow


Hello folks.

Sorry for dredging up FileVault processes again, but I'm sort of in a muddle. Our situation/requirements are currently thus (for Intel and M1 MacBooks):

  • The MacBooks are bound to AD
  • Once domain-joined, the MacBook owner will have a non-admin mobile account created on first login
  • FileVault to be enabled
  • We need a local administrator user present (FileVault enabled) on the machine for the purposes of our support team

At present we create a hidden local admin account during PreStage enrollment and this works fine, but the account then doesn't have a Secure Token for FileVault.

I'm assuming there must be a better workflow than the following:

  • Ask the user to log in before we hand them the device
  • Promote their account to admin status by hand
  • Apply FileVault manually via System Preferences
  • Run a script to pass the Secure Token back to our admin account
  • Demote their mobile account back to standard
  • Have a Jamf policy escrow the keys back

How do folks accomplish this in similar circumstances?

Any pointers useful! I think I've pickled my brain looking through all the threads.



You are doing our exact workflow. I've tried playing with a few different configurations and I end up coming back to something similar to above (the only difference is we have tried creating the first account as an admin and demoting them later on, saving a step).

Discussing with Apple support, it seems as if this workflow is working as intended.


Ah ok, cheers for replying. If that's the way it has to work then so be it, good to know I'm not going crazy anyway!

I'd just assumed there would be a much more streamlined approach than this for folks that need an admin account on there with the token.


Enable bootstrap token during build and the local admin will get a Secure Token. Refer to my post here.
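A pre-handover check the support team can run, added here as an example and not code from any poster in this thread: it confirms the hidden local admin actually holds a Secure Token (via `sysadminctl -secureTokenStatus`) and that the bootstrap token has been escrowed to the MDM (via `profiles status -type bootstraptoken`), so a Mac does not leave the build bench in the state described in the opening post. The account name `localadmin` and the sample output lines are assumptions/constructed, not values from the thread.

```shell
#!/bin/sh
# Added example: verify the local admin's Secure Token and bootstrap token escrow
# before handing the Mac to its user. Run as root on macOS with --check.
ADMIN_USER="${ADMIN_USER:-localadmin}"   # placeholder account name (assumption)

# Constructed sample output, in the format the two tools print, so the parsers
# can be exercised on a non-macOS host (not captured from a real machine).
SAMPLE_SECURE_TOKEN='2024-01-01 sysadminctl[412:9001] Secure token is ENABLED for user localadmin'
SAMPLE_BOOTSTRAP='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'

# Map the one-line sysadminctl status to ENABLED / DISABLED / UNKNOWN.
parse_secure_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Map the profiles bootstrap-token report to ESCROWED / NOT_ESCROWED / UNKNOWN.
parse_bootstrap_status() {
  case "$1" in
    *"Bootstrap Token escrowed to server: YES"*) echo ESCROWED ;;
    *"Bootstrap Token escrowed to server: NO"*)  echo NOT_ESCROWED ;;
    *)                                           echo UNKNOWN ;;
  esac
}

# Live checks: sysadminctl reports on stderr, so both streams are captured.
secure_token_status()    { parse_secure_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"; }
bootstrap_token_status() { parse_bootstrap_status "$(profiles status -type bootstraptoken 2>&1)"; }

# Returns 0 only when both conditions hold; takes the two parsed results.
handover_ready() { [ "$1" = ENABLED ] && [ "$2" = ESCROWED ]; }

if [ "${1:-}" = "--check" ] && [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
  st=$(secure_token_status "$ADMIN_USER")
  bt=$(bootstrap_token_status)
  echo "Secure Token for $ADMIN_USER: $st"
  echo "Bootstrap token escrow: $bt"
  handover_ready "$st" "$bt" || { echo "NOT READY: fix before handover"; exit 1; }
  echo "READY"
fi
```

On a Mac where the admin was created at PreStage without a token, the first line reports DISABLED and the script exits non-zero, which is the state the opening post describes.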