Posted on 09-20-2017 06:54 AM
I am doing a FileVault 2 push to a lot of Macs in my company. The policy has been pushed out a couple of months, but now management wants them enabled. I have worked with a lot of users that have been needing the policy flushed in order to see it in Self Service again. My big problem now is Macs are saying deferred enablement in Terminal. Even after a reboot. After this reboot the account used to enable FileVault would log in and get kicked out. The only way to get that account to log in was to sudo fdesetup disable (even though FileVault was said to be off). After a few rounds of this and an upgrade to 10.11 from 10.10 I decided to sudo fdesetup enable for that account. After the encryption happened a recovery key was never sent to Casper. Can someone tell me where I went wrong and why enabling in Self Service would error out upon reboot?
Posted on 09-20-2017 07:50 AM
@TechInMidwest you might want to deploy a configuration profile that will redirect the key to the JSS. That should force the key to be escrowed to the server no matter what way you use to enable FileVault. Here is what my profile looks like for 10.12 and earlier.
The profile is different for 10.13.