FileVault2 Policy Jamf Pro

brizkallah
New Contributor II

Good day. I have created a new policy in JAMF which activates FileVault disk encryption, and it works fine. When I go and uncheck ENABLE under the policy OR remove the unit from the SCOPE, and then restart the designated unit, it keeps showing the pop-up message on login that Administrator is requesting to enable FileVault. Note that if I press the ENABLE button and then go to System Preferences, FileVault is not enabled.

So, to be brief: how do I get rid of the pop-up message after disabling the policy OR at least removing the unit from the policy scope?


Thank you in advance.

1 ACCEPTED SOLUTION

stevewood
Honored Contributor II

Sounds like a deferred enablement might be stuck on the device. You can use the fdesetup binary to determine if that is the case. Check this article from Rich.


9 REPLIES

Jason33
Contributor III

Do you also have a config profile with a FileVault payload?

brizkallah
New Contributor II

I have created a config profile with user adjustment of FileVault to prevent it from being disabled by the end user.

May or may not be related, but try unscoping the machine in question from the config profile and see if that clears it.

brizkallah
New Contributor II

I have also done that. I also deleted the conf. policy and the policy, but still, when I restart the machine, the message keeps popping up.

AJPinto
Honored Contributor II

Don't use a policy to enable FileVault; using policies to do this is technical debt that JAMF needs to remove. Use a configuration profile to enable FileVault.

brizkallah
New Contributor II

OK, as per the JAMF documentation they mention doing a mix of both. If you can share how to do it with only a config profile, please share more details.

AJPinto
Honored Contributor II

Yeah, JAMF is absolutely horrible for technical debt. I suppose it's from how many organizations refuse to upgrade old Macs that Apple no longer patches. With Catalina, Apple made massive changes to FileVault. You can still turn FileVault on with fdesetup (for now), but the "correct" way to enable FileVault is to use a configuration profile. It all works fairly well, thankfully, unlike software updates...

It's best to follow Apple's documentation, then defer to JAMF's documentation on how to do a thing Apple's way. Doing something JAMF's way, just like with any other vendor, your mileage and success on macOS will vary.

Manage FileVault with mobile device management - Apple Support


fdesetup command-line tool

MDM configurations or the fdesetup command-line tool can be used to configure FileVault. In macOS 10.15 or later, using fdesetup to turn on FileVault by providing the user name and password is deprecated and won’t be recognized in a future release. The command continues to function but remains deprecated in macOS 11 and macOS 12.0.1. Consider using deferred enablement using MDM instead. For more information about the fdesetup command-line tool, launch the Terminal app and enter man fdesetup or fdesetup help.



brizkallah
New Contributor II

Hello stevewood, removing the plist file did solve the issue. I recreated the scenario and it works fine. Now I will try to put together a script for it, so that when I need to disable the policy on JAMF I can run the script to remotely remove the plist file from the client machine.

Thank you for the support.
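The check the accepted answer describes (using fdesetup to tell whether a deferred enablement is still recorded on the Mac) and the first half of the script the asker wants at the end of the thread, as an added example that is not from the thread, from Jamf, or from Rich's article. It parses the text that `fdesetup status` and `fdesetup showdeferralinfo` print, which keeps the decision logic testable off a Mac. The sample outputs in the comments and the `DEFERRAL_PLIST` placeholder are assumptions: the thread never names the plist path, so the script only reports, and the removal step is left to the admin who has read the article.

```shell
#!/bin/sh
# Added example (not the thread's own script). Classifies the FileVault
# state of a Mac from fdesetup output so a leftover deferred enablement
# can be spotted before chasing the Jamf policy or profile again.

# classify_fv_state STATUS_TEXT DEFERRAL_TEXT
#   STATUS_TEXT   output of `fdesetup status`, e.g. "FileVault is Off."
#                 with, when a deferral is queued, the extra line
#                 "Deferred enablement appears to be active for user 'x'."
#   DEFERRAL_TEXT output of `fdesetup showdeferralinfo`, "Not found." when
#                 nothing is queued (sample strings modelled on real output,
#                 constructed here for the example)
# Prints exactly one word: on, off or deferred.
classify_fv_state() {
    status_text=$1
    deferral_text=$2

    # Once encryption is on (or in progress) any deferral record is moot.
    case "$status_text" in
        *"FileVault is On"*) echo on; return 0 ;;
    esac

    # fdesetup reports a queued deferral in two places; trust either one.
    case "$status_text" in
        *"Deferred enablement appears to be active"*) echo deferred; return 0 ;;
    esac
    case "$deferral_text" in
        ""|*"Not found"*) echo off ;;
        *) echo deferred ;;
    esac
}

# Wrap a value the way a Jamf extension attribute script must print it,
# so the same script can feed a smart group of "stuck deferral" Macs.
jamf_ea_result() {
    printf '<result>%s</result>\n' "$1"
}

# Placeholder only: the thread does not give the deferral plist path.
DEFERRAL_PLIST="/path/from/the/article.plist"

# Run the live check only on a Mac that actually has fdesetup; elsewhere
# (for instance when this file is sourced for testing) just define helpers.
if command -v fdesetup >/dev/null 2>&1; then
    status_out=$(fdesetup status 2>/dev/null)
    deferral_out=$(fdesetup showdeferralinfo 2>/dev/null)
    state=$(classify_fv_state "$status_out" "$deferral_out")
    jamf_ea_result "$state"
    if [ "$state" = "deferred" ]; then
        echo "A deferred enablement is still recorded; review it with" >&2
        echo "  sudo fdesetup showdeferralinfo" >&2
        echo "and clear the record at $DEFERRAL_PLIST per the article." >&2
        exit 2
    fi
fi
```

Run it with `sudo` on the affected Mac: `on` or `off` means the login prompt is not coming from a queued fdesetup deferral and the Jamf scope is the place to look; `deferred` with the policy already unscoped is the stuck case from the thread, and the exit code 2 lets a Jamf policy or a monitoring job pick it out.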