HELP! Policy Question

m_higgins
Contributor

Following an upgrade to our JSS, a FileVault policy was pushed down to a bunch of machines that shouldn't have it. Now, after every log out or restart they are asking for a password to enable FileVault. I have removed them from the policy but they are still trying to enable FileVault. Is there any way to remove the policy from the machines and stop this from happening?

6 REPLIES

mm2270
Legendary Contributor III

Yes, target the machines with another policy that runs:

fdesetup disable

While you might think that command would only turn off FileVault if it's already on, it actually works to remove the deferred enablement process as well. Try it on one of the Macs that's trying to enable FileVault (use sudo when running directly in Terminal) and then log out.

thoule
Valued Contributor II

A bird once told me that setting is saved in /Library/Preferences/com.apple.fdesetup.plist and if you trash that file, those machines won't prompt to enable FileVault anymore.

adamcodega
Valued Contributor

What @mm2270 said will help; I dealt with this same issue myself.

alexjdale
Valued Contributor III

One note on "fdesetup disable" is that it doesn't appear to do anything when you run it to remove a deferred enablement ("fdesetup status" will still show it as enabled), but after you restart it will be truly disabled.

mm2270
Legendary Contributor III

Yeah, the output in the Terminal when you run the fdesetup disable command is confusing, as it in fact says that "FileVault is not on" when it's in the deferred enablement state, which would indicate it didn't work to effect any change on the Mac, but in fact it does.

The fdesetup man page also has this section in it:

Note that if the designated user doesn't complete the setup at logout, FileVault will not be enabled, and the configuration will remain and be used again for the designated user's next logout, thereby 'nagging' the user to enable FileVault. To remove an active deferred enablement configuration, you can use the disable command, even if FileVault is not currently enabled.
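Since a policy that blindly runs fdesetup disable would also turn FileVault off on any Mac where it is genuinely enabled, here is an added example (not from any poster in this thread) of a policy script that clears the deferred enablement only when fdesetup status reports FileVault off with a deferred enablement pending. The "FileVault is On/Off" and "Deferred enablement appears to be active" strings are assumed from observed fdesetup status output; the parsing is split into its own function so it can be checked offline with constructed output.

```sh
#!/bin/sh
# Constructed example for a Jamf policy script: remove a stuck FileVault
# deferred enablement without touching a Mac that is already encrypted.
# The status strings below are assumed from observed `fdesetup status` output.

# classify_fv_status: read `fdesetup status` output on stdin and print one of
#   on        FileVault is fully enabled (never run `fdesetup disable` here)
#   deferred  FileVault is off but a deferred enablement is pending (safe to clear)
#   off       FileVault is off with nothing pending
#   unknown   unrecognised output
classify_fv_status() {
  fv_status=$(cat)
  case "$fv_status" in
    *"FileVault is On"*) echo on ;;
    *"Deferred enablement appears to be active"*) echo deferred ;;
    *"FileVault is Off"*) echo off ;;
    *) echo unknown ;;
  esac
}

# remediate: clear a pending deferred enablement; refuse to act in any other state.
remediate() {
  state=$(fdesetup status | classify_fv_status)
  case "$state" in
    deferred)
      echo "Deferred enablement pending; clearing it with fdesetup disable"
      # Output says "FileVault is not on" and status keeps reporting the
      # deferral until the next restart, but the configuration is removed.
      fdesetup disable
      ;;
    on)
      echo "FileVault is already on; refusing to run fdesetup disable" >&2
      return 1
      ;;
    off)
      echo "Nothing pending; no action taken"
      ;;
    *)
      echo "Unrecognised fdesetup status output; no action taken" >&2
      return 1
      ;;
  esac
}

# Only act when running as root on a Mac that actually has fdesetup.
if [ "$(id -u)" -eq 0 ] && command -v fdesetup >/dev/null 2>&1; then
  remediate
fi
```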

m_higgins
Contributor

I cannot thank you enough @mm2270