Solved

HELP! Policy Question

  • November 2, 2015
  • 6 replies
  • 21 views


Following an upgrade to our JSS, a Filevault policy was pushed down to a bunch of machines that shouldn't have it. Now, after every log out or restart they are asking for a password to enable filevault. I have removed them from the policy but they are still trying to enable filevault. Is there any way to remove the policy from the machines and stop this from happening?

Best answer by mm2270

Yes, target the machines with another policy that runs:

fdesetup disable

While you might think that command would only turn off FileVault if it's already on, it actually works to remove the deferred enablement process as well. Try it on one of the Macs that's trying to enable FileVault (use sudo when running directly in Terminal) and then log out.

6 replies

mm2270
  • Legendary Contributor
  • Answer
  • November 2, 2015

Yes, target the machines with another policy that runs:

fdesetup disable

While you might think that command would only turn off FileVault if it's already on, it actually works to remove the deferred enablement process as well. Try it on one of the Macs that's trying to enable FileVault (use sudo when running directly in Terminal) and then log out.
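
The cleanup policy mm2270 describes, as an added example that is not part of the original thread or of Jamf's own tooling: a policy script that reads `fdesetup status`, runs `fdesetup disable` only when a deferred enablement is pending, and leaves a Mac that is genuinely encrypted alone. It assumes Jamf runs the script as root on macOS and that a pending deferral is reported by the status line "Deferred enablement appears to be active for user '...'" (treat that wording as an assumption).

```shell
#!/bin/bash
# Added example (not from the thread): Jamf policy script to clear a lingering
# FileVault deferred enablement, per mm2270's advice. Runs as root under Jamf.
# Assumed: `fdesetup status` reports a pending deferral with the line
# "Deferred enablement appears to be active for user '...'".
PLIST=/Library/Preferences/com.apple.fdesetup.plist   # where the deferral is stored (per the thread)

# Return 0 when the given `fdesetup status` text shows an active deferral.
deferred_active() {
  printf '%s\n' "$1" | grep -qi 'deferred enablement appears to be active'
}

# Map status text to an action word: disable / leave / nothing.
# Kept separate from the command so the decision can be exercised offline.
plan_action() {
  status="$1"
  if deferred_active "$status"; then
    echo disable
  elif printf '%s\n' "$status" | grep -q '^FileVault is On'; then
    echo leave          # really encrypted: must not be touched
  else
    echo nothing        # off with no deferral pending
  fi
}

main() {
  status="$(/usr/bin/fdesetup status 2>&1 || true)"
  echo "fdesetup status: $status"
  case "$(plan_action "$status")" in
    disable)
      # Clears the deferred configuration even though FileVault is not on.
      # Expect it to print "FileVault is not on"; that is normal here, and
      # `fdesetup status` keeps showing the deferral until the next restart.
      /usr/bin/fdesetup disable || true
      if [ -f "$PLIST" ]; then
        echo "Note: $PLIST still present; the prompt should stop after a restart."
      fi
      ;;
    leave)   echo "FileVault is already on; leaving it alone." ;;
    nothing) echo "No deferred enablement found; nothing to do." ;;
  esac
}

# Constructed sample status output, used by the offline checks.
SAMPLE_STATUS="$(printf 'FileVault is Off.\nDeferred enablement appears to be active for user %s.\n' "'jdoe'")"
# Only act for real on a Mac, as root (a Jamf policy satisfies both).
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
  main
fi
```

Because `fdesetup status` still reports the deferral until the Mac restarts, do not use the status output as the policy's success check; confirm on the next restart instead.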


  • Contributor
  • November 2, 2015

A bird once told me that setting is saved in /Library/Preferences/com.apple.fdesetup.plist and if you trash that file, those machines won't prompt to enable filevault anymore.


acodega
  • Valued Contributor
  • November 2, 2015

What @mm2270 said will help; I dealt with this same issue myself.


  • Contributor
  • November 2, 2015

One note on "fdesetup disable" is that it doesn't appear to do anything when you run it to remove a deferred enablement ("fdesetup status" will still show it as enabled), but after you restart it will be truly disabled.


mm2270
  • Legendary Contributor
  • November 2, 2015

Yeah, the output in the Terminal when you run the fdesetup disable command is confusing, as it in fact says that "FileVault is not on" when it's in the deferred enablement state, which would indicate it didn't work to effect any change on the Mac, but in fact it does.

The fdesetup man page also has this section in it:

Note that if the designated user doesn't complete the setup at logout, FileVault will not be enabled, and the configuration will remain and be used again for the designated user's next logout, thereby 'nagging' the user to enable FileVault. To remove an active deferred enablement configuration, you can use the disable command, even if FileVault is not currently enabled.

  • Author
  • Contributor
  • November 3, 2015

I cannot thank you enough @mm2270