Force or prompt user logout to enable FileVault2 via script?

New Contributor II

Hi All,


I'm struggling to find the best way to go about forcing or lightly pushing an end user to completely log out and back into their Mac to enable FileVault2. I have a FV2 config profile set to enable at user login, but can't seem to find any scripts to prompt and/or force the end-user to log out and back in. I can easily create a Jamf Helper notification asking the user to log out, but our user base never cooperates with IT.

This thread was suggested but a few other folks, but I think the scripts listed are out of date/no longer work.

Anyone have suggestions or tips for getting past this?


Valued Contributor II

If you set the profile "Event to prompt FileVault enablement" to "on log in" and "Allow users to bypass FileVault prompts at login" to Required next login. This will force you user to enable on next log in, if they don't then the can't use the machine it just loops back to the enableFileVault pop up... I have found in my testing that even if you get the user to log out they can bypass the FileVault enable prompts. I haven't tested since Big Sur. : ) and it's not really what you are asking for however IMO it's the only way to force/require/ensure that the machines are encrypted  : ) 

Thanks for sharing this. I do have our profile set up this way, and will go into a login window loop if the user cancels the encryption prompt.

Valued Contributor II

We have our reboot policy set up to run 1st on enrollment with a Jamf helper script, because it's 1st on enrollment the reboot isn't painful. : ) 

I think you will have to use a policy with  "MDM Restart with Kernel Cache Rebuild" option and then under User Interaction you can give the user a defer option that works best for them ...

With the newer machines the MDM Restart is the only option as far as I know  : ) 


New Contributor III

Hah, I'm curious about this one myself. At this point, I'm close to going door to door.