Question

FV2 Recovery Key Upload

  • October 26, 2012
  • 4 replies
  • 23 views


We currently run a "once per day" inventory, so enabling FileVault 2 leads to a gap of at least one day where we do not have the Recovery Key escrowed in the JSS. I need to mitigate this risk.

Does anyone have an idea of how I can make a one-time inventory run after the reboot which kicks off FV2 encryption and creates the Recovery Key?

Thanks,
Alex

4 replies

  • Valued Contributor
  • October 26, 2012

You could create a self service item that simply runs a recon. After it's rebooted and encrypting, just manually run that. It can be useful for other reasons to have this available to users.


  • Author
  • Contributor
  • October 26, 2012

Yeah, unfortunately with our culture here, it's expected that users don't have to do anything and it all just happens automatically for them.

Empowerment without any responsibility is a dangerous thing. :-)

The only thing I can think of is a scheduled task that checks for the FV2 plist that is created after encryption which forces a recon and self-deletes when it's done. I can't simply tie it to run once after the FV2 policy executes since users can defer entering their password indefinitely.


  • Hall of Fame
  • October 26, 2012

Since this would be a one-time thing, you could also install a script and LaunchDaemon as part of the encryption policy. The LaunchDaemon would trigger the script on first boot. The script would run a recon and then delete itself and the LaunchDaemon:

#!/bin/sh
# fv2_recon.sh (installed at the path the LaunchDaemon below points to)

# Run inventory with jamf binary
jamf recon

# Remove setup LaunchDaemon item (the job is RunAtLoad only, so deleting
# the plist is enough; nothing re-fires it before the next boot)
srm /Library/LaunchDaemons/com.company.fv2_recon.plist

# Make script self-destruct (quote $0 in case the path contains spaces)
srm "$0"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<!-- /Library/LaunchDaemons/com.company.fv2_recon.plist -->
<dict>
    <key>Label</key>
    <string>com.company.fv2_recon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/path/to/fv2_recon.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

  • Valued Contributor
  • October 26, 2012

You could set up differing recon policies based on the status of FV2...

I'd set up an extension attribute based around the existence of the FV2, a smart group or two around that extension attribute. Recon policies could be every 15 until the FV2 plist exists, and then weekly if they are encrypted.
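The two ideas in this thread that do not need the user to do anything, the author's scheduled task that checks FV2 state and forces one recon before removing itself, and the extension attribute that drives 15-minute versus weekly recon policies, can share one small script. The following is an added example written for this page; it is not code posted by anyone in the thread and not Jamf's own code. The label com.example.fv2_recon_poll, the install path /usr/local/bin/fv2_recon_tools.sh, the 5-minute poll interval, the jamf binary path /usr/sbin/jamf, and the exact wording of the "encryption in progress" line from fdesetup are all assumptions; "FileVault is On." / "FileVault is Off." are what fdesetup status prints on 10.8 and later.

```shell
#!/bin/sh
# fv2_recon_tools.sh -- added example, not code from this thread.
# Two pieces in one file, selected by the first argument:
#   run : a polling LaunchDaemon job that forces one "jamf recon" as soon as
#         FileVault 2 is on, so the recovery key is escrowed in the JSS
#         without waiting for the daily inventory, then removes itself;
#   ea  : the body of a script extension attribute that reports FV2 state,
#         for smart groups that scope a 15-minute vs. a weekly recon policy.
# Assumed (not stated in the thread): the label, install path, poll
# interval and jamf binary path below.

LABEL="com.example.fv2_recon_poll"
SCRIPT_PATH="/usr/local/bin/fv2_recon_tools.sh"
DAEMON_PLIST="/Library/LaunchDaemons/${LABEL}.plist"
JAMF_BIN="/usr/sbin/jamf"
POLL_SECONDS=300

# Classify the text printed by "fdesetup status" (macOS 10.8 and later).
# Prints one of: on, off, in_progress, unknown. The "in progress" wording is
# assumed; if the real text differs it still classifies as "on", which gives
# the same decision below. Pure string parsing, so it runs without fdesetup.
fv2_state() {
    case "$1" in
        *"Encryption in progress"*) echo in_progress ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# The recovery key exists as soon as FileVault has been turned on, even while
# the volume is still encrypting, so both states warrant an immediate recon.
recon_needed() {
    [ "$1" = on ] || [ "$1" = in_progress ]
}

# Map a state to the <result>...</result> line a Jamf script extension
# attribute must print; the JSS stores the text between the tags.
ea_result() {
    case "$1" in
        on)          echo "<result>Encrypted</result>" ;;
        in_progress) echo "<result>Encrypting</result>" ;;
        off)         echo "<result>Not Encrypted</result>" ;;
        *)           echo "<result>Unknown</result>" ;;
    esac
}

# Write the LaunchDaemon plist that runs "<script> run" every POLL_SECONDS.
# Takes the destination path as an argument so it can be tested on a temp file.
write_daemon_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${LABEL}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>${SCRIPT_PATH}</string>
        <string>run</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>${POLL_SECONDS}</integer>
</dict>
</plist>
EOF
}

# One poll, called by launchd. Does nothing until FV2 is actually on, which
# is what copes with users deferring the password prompt indefinitely.
run_poll() {
    state=$(fv2_state "$(/usr/bin/fdesetup status 2>/dev/null)")
    recon_needed "$state" || exit 0        # not on yet; try again next interval

    # If recon fails (JSS unreachable, etc.) keep the daemon so it retries.
    "$JAMF_BIN" recon || exit 1

    # Key is escrowed. Remove the files first, then unregister the job;
    # "launchctl remove" terminates this process, so it must come last.
    rm -f "$SCRIPT_PATH" "$DAEMON_PLIST"
    /bin/launchctl remove "$LABEL"
}

# With no argument the file only defines the functions above.
case "${1:-}" in
    run) run_poll ;;
    ea)  ea_result "$(fv2_state "$(/usr/bin/fdesetup status 2>/dev/null)")" ;;
esac
```

The encryption policy installs the script, calls `write_daemon_plist "$DAEMON_PLIST"` and loads the plist with `launchctl load`, after which the unescrowed window shrinks from up to a day to at most one poll interval. For the extension attribute, paste `fv2_state`, `ea_result` and the `ea` invocation into a script-type attribute and build the smart groups on "Encrypted" versus "Not Encrypted" to scope the two recon policies. A failed recon deliberately leaves the daemon in place so the escrow is retried rather than silently skipped.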