Posted on 01-20-2023 01:48 AM
Good day, I have created a new policy under JAMF which activates the FileVault disk encryption, which works fine. When I go and uncheck ENABLE under the policy OR remove the unit from the SCOPE, when I restart the designated unit it keeps showing the POP-UP message on login that Administrator is requesting to Enable the FileVault, noting that if I press the ENABLE button and then go to System Preferences, FileVault is not enabled.
So, in brief: how to get rid of the pop-up message after disabling the policy OR at least removing the unit from the policy scope?
Thank you in advance.
Posted on 01-20-2023 02:30 AM
Do you also have a config profile with a FileVault payload?
Posted on 01-20-2023 02:34 AM
I have created a config profile with user adjustment of FileVault to prevent it from being disabled by the end user.
Posted on 01-20-2023 03:55 AM
May or may not be related, but try unscoping the machine in question from the config profile and see if that clears it.
Posted on 01-20-2023 04:07 AM
I have also done that. I also deleted the conf. policy and the policy, but still, when I restart the machine, the message keeps popping up.
Posted on 01-20-2023 05:26 AM
Don't use a policy to enable FileVault; using policies to do this is technical debt that JAMF needs to remove. Use a configuration profile to enable FileVault.
Posted on 01-20-2023 05:30 AM
OK, as per the JAMF documentation, they mention doing a mix of both. If you can share how to do it with only a config profile, please share more details.
Posted on 01-20-2023 06:21 AM
Ya, JAMF is absolutely horrible for technical debt. I suppose it's from how many organizations refuse to upgrade old Macs that Apple no longer patches. With Catalina, Apple made massive changes to FileVault. You can still turn FileVault on with fdesetup (for now), but the "correct" way to enable FileVault is to use a configuration profile. It all works fairly well thankfully, unlike software updates...
It's best to follow Apple's documentation, then defer to JAMF's documentation on how to do a thing Apple's way. When doing something JAMF's way, just like with any other vendor, your mileage and success on macOS will vary.
Manage FileVault with mobile device management - Apple Support
fdesetup command-line tool
MDM configurations or the fdesetup command-line tool can be used to configure FileVault. In macOS 10.15 or later, using fdesetup to turn on FileVault by providing the user name and password is deprecated and won’t be recognized in a future release. The command continues to function but remains deprecated in macOS 11 and macOS 12.0.1. Consider using deferred enablement using MDM instead. For more information about the fdesetup command-line tool, launch the Terminal app and enter man fdesetup or fdesetup help.
Posted on 01-20-2023 07:47 AM
Sounds like a deferred enablement might be stuck on the device. You can use the fdesetup binary to determine if that is the case. Check this article from Rich.
Posted on 01-23-2023 12:41 AM
Hello stevewood, removing the plist file did solve the issue. I recreated the scenario and it works fine. Now I will try to put together a script for it, so that when I need to disable the policy on JAMF I can run the script to remotely remove the plist file from the client machine.
Thank you for the support.