FileVault 2 'Turn Off FileVault' stays greyed out?

tcandela
Valued Contributor II

When FileVault 2 is turned on via a configuration profile (at logout the user is prompted to enter their password to enable their account), does the Casper system prevent users from turning off FileVault from the 'Security & Privacy' section, even if the person is an administrator?

I can turn it off via Disk Utility, but in the 'Security & Privacy' section 'Turn Off FileVault' stays greyed out no matter that I unlock the padlock. Is this being done by Casper?

1 ACCEPTED SOLUTION

matt_jamison
Contributor

Using the FileVault settings via the Config Profile locks out all users from being able to turn off FileVault from the GUI.

Obviously this can be bypassed with Disk Utility, but once it's off and you reboot, the Config Profile should make you turn it back on.


2 REPLIES

tcandela
Valued Contributor II

Thanks @matt.jamison - just wanted to verify that what you mentioned is what I was also thinking was happening.

I am going to test turning off FV2 via Disk Utility and rebooting to see what happens, along with what happens with the recovery key.

Currently my config profile gets installed, then when the current user logs out they are prompted to enter their password to enable them for FV2; the computer then reboots (and stores the key in the JSS). This user can press 'Cancel' instead of entering their password, but if a different user then logs out they do not get prompted; only the original person that logged out earlier continues to get prompted until they enter their password.

I found out how to bypass this by just having the JSS redistribute to all again: on any computer where a user pressed 'Cancel', the current user that logs out will be prompted again. All other computers that were already encrypted will not be affected.

So if user1 canceled and user2 logs out, user2 will not see the FV2 logout prompt; only user1 will, until they enter their password. If I have the config redistribute to all, then if user1 or user2 is currently logged in and then logs out, that user will be prompted for their password to enable their account for FV2.
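As an added example (not code from this thread, from Jamf, or from the posters), here is a small POSIX shell check that an admin could run from the JSS as a script-based extension attribute to see the two situations discussed above from the server side: a Mac where someone turned FileVault off with Disk Utility and the profile has not yet forced it back on, and a Mac where deferred enablement is still waiting on a user who pressed Cancel at logout. It parses the output of the real macOS `fdesetup status` command; the sample output strings embedded below are constructed from that command's known phrasing, and the `<result>...</result>` wrapper follows Jamf's convention for extension-attribute output (how you deploy it is an assumption). When `fdesetup` is not available, the script falls back to the constructed sample so it can be tried anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: classify `fdesetup status` output so the
# JSS can report Macs that are off (e.g. switched off via Disk Utility) or
# still stuck in deferred enablement (user pressed Cancel at logout).

# fv_state TEXT -> prints one of: on | off | deferred | unknown
# TEXT is the full output of `fdesetup status`. Deferred enablement is
# reported *in addition to* "FileVault is Off.", so it must be checked first.
fv_state() {
    case "$1" in
        *"Deferred enablement appears to be active"*) printf 'deferred\n' ;;
        *"FileVault is On"*)  printf 'on\n' ;;
        *"FileVault is Off"*) printf 'off\n' ;;
        *)                    printf 'unknown\n' ;;
    esac
}

# fv_deferred_user TEXT -> prints the account name the deferred prompt is
# waiting on (the user who pressed Cancel), or nothing if none is listed.
fv_deferred_user() {
    printf '%s\n' "$1" | sed -n "s/.*active for user '\([^']*\)'.*/\1/p"
}

# fv_report TEXT -> prints the extension-attribute result line for TEXT.
fv_report() {
    state=$(fv_state "$1")
    if [ "$state" = "deferred" ]; then
        printf '<result>deferred:%s</result>\n' "$(fv_deferred_user "$1")"
    else
        printf '<result>%s</result>\n' "$state"
    fi
}

# Use the real command on a Mac; otherwise fall back to a constructed sample
# that mirrors the "user1 pressed Cancel" case described in the thread.
if command -v fdesetup >/dev/null 2>&1; then
    status_text=$(fdesetup status 2>/dev/null)
else
    status_text="FileVault is Off.
Deferred enablement appears to be active for user 'user1'."   # constructed sample
fi

fv_report "$status_text"
```

A value of `off` on a machine that is scoped to the FileVault profile is the case matt_jamison describes (turned off via Disk Utility, waiting for the reboot that re-enforces it); `deferred:user1` is tcandela's case, where only user1 will be prompted again at logout until the profile is redistributed. Both can be turned into a Smart Group on the extension attribute so the affected Macs are visible without touching each one.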