Going to deploy FileVault 2--what to do about users who have already done it themselves?

stevehahn
Contributor

I have a bunch of users who have turned on FileVault 2 on their Macs, and therefore my JSS does not have their encryption key stored. I am making plans to deploy FileVault 2 enterprise-wide with individual keys stored in the JSS. As far as I know, there's no way that I can snoop the already-enabled Macs and import their encryption keys; do I have to get the users to turn off encryption so that I can then re-enable it through Casper?


mm2270
Legendary Contributor III

In a word, "yes".

wyip
Contributor

What version of OS X are they on and what version is your JSS?

If they're on Mavericks, and you're on v9 you can create a policy to generate a new individual key for their computers and store it in the JSS. You can also push out an institutional key (you can do either one, or both if you want).

The only thing is it requires that the Management Account be enabled in FileVault 2. I don't know about your environment, but this was not the case in ours. In our case, we did have a local admin account on all of our Macs that was enabled in FV2. I had to set up another policy that would install a QuickAdd which had our local admin account set as the Management Account. After the QuickAdd ran, we were able to run the FileVault 2 policy to replace the recovery keys. I hope this makes sense.

In my testing, I found that this worked even when you upgrade a 10.7 or 10.8 FV2 encrypted system to 10.9. Of course, you should test and test again in your own environment.
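As an added example (not part of this thread or of Jamf's own tooling), a small Jamf extension-attribute-style script that checks wyip's prerequisite before the key-replacement policy is scoped: FileVault 2 must be on, and the management account must appear in `fdesetup list`. The account name `casperadmin` and the sample `fdesetup` output used off-Mac are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify a Mac for the FileVault 2 recovery-key replacement
# policy. Output format <result>...</result> is the Jamf extension attribute
# convention. MGMT_ACCOUNT is a hypothetical management account name.
MGMT_ACCOUNT="${MGMT_ACCOUNT:-casperadmin}"

# fv_state STATUS_TEXT LIST_TEXT ACCOUNT
#   STATUS_TEXT: output of `fdesetup status` ("FileVault is On." / "FileVault is Off.")
#   LIST_TEXT:   output of `fdesetup list` (one "username,UUID" per line)
# Prints one of: off | ready | needs-mgmt-account
fv_state() {
    status_text="$1"; list_text="$2"; account="$3"
    case "$status_text" in
        *"FileVault is Off"*) echo off; return 0 ;;
    esac
    # Take the username field only and require an exact, literal match so
    # "casperadmins" does not satisfy a check for "casperadmin".
    if printf '%s\n' "$list_text" | cut -d, -f1 | grep -qxF "$account"; then
        echo ready
    else
        echo needs-mgmt-account
    fi
}

# On a Mac read the real values; elsewhere fall back to constructed samples
# so the script can be run and read anywhere.
if [ -x /usr/bin/fdesetup ]; then
    STATUS_TEXT="$(/usr/bin/fdesetup status 2>/dev/null)"
    LIST_TEXT="$(/usr/bin/fdesetup list 2>/dev/null)"
else
    STATUS_TEXT="FileVault is On."
    LIST_TEXT="jdoe,00000000-CONSTRUCTED-SAMPLE-UUID-0001"
fi

echo "<result>$(fv_state "$STATUS_TEXT" "$LIST_TEXT" "$MGMT_ACCOUNT")</result>"
```

Scoping the key-replacement policy to Macs reporting `ready`, and the QuickAdd policy to those reporting `needs-mgmt-account`, mirrors the two-step approach described above.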