Help

HELP! Policy Question

Go to solution
m_higgins
Contributor

Posted on ‎11-02-2015 06:24 AM

Following an upgrade to our JSS, a Filevault policy was pushed down to a bunch of machines that shouldn't have it. Now, after every log out or restart they are asking for a password to enable filevault. I have removed them from the policy but they are still trying to enable filevault. Is there any way to remove the policy from the machines and stop this from happening?

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
mm2270
Legendary Contributor III

Posted on ‎11-02-2015 06:51 AM

Yes, target the machines with another policy that runs:

fdesetup disable

While you might think that command would only turn off FileVault if it's already on, it actually works to remove the deferred enablement process as well. Try it on one of the Macs that's trying to enable FileVault (use sudo when running directly in Terminal) and then log out.

View solution in original post

6 REPLIES 6

Go to solution
mm2270
Legendary Contributor III

Posted on ‎11-02-2015 06:51 AM

Yes, target the machines with another policy that runs:

fdesetup disable

While you might think that command would only turn off FileVault if it's already on, it actually works to remove the deferred enablement process as well. Try it on one of the Macs that's trying to enable FileVault (use sudo when running directly in Terminal) and then log out.

Go to solution
thoule
Valued Contributor II

Posted on ‎11-02-2015 07:05 AM

A bird once told me that setting is saved in /Library/Preferences/com.apple.fdesetup.plist and if you trash that file, those machines won't prompt to enable filevault anymore.

0 Kudos

Go to solution
adamcodega
Valued Contributor

Posted on ‎11-02-2015 10:00 AM

What @mm2270 said will help, dealt with this same issue myself.

0 Kudos

Go to solution
alexjdale
Valued Contributor III

Posted on ‎11-02-2015 10:13 AM

One note on "fdesetup disable" is that it doesn't appear to do anything when you run it to remove a deferred enablement ("fdesetup status" will still show it as enabled), but after you restart it will be truly disabled.

0 Kudos

Go to solution
mm2270
Legendary Contributor III

Posted on ‎11-02-2015 10:44 AM

Yeah, the output in the Terminal when you run the fdesetup disable command is confusing, as it in fact says that "FileVault is not on" when its in the deferred enablement state, which would indicate it didn't work to effect any change on the Mac, but in fact it does.

The fdesetup man page also has this section in it:

Note that if the designated user doesn't complete the setup at logout, FileVault will not be enabled, and the configuration will remain and be used again for the designated user's next logout, thereby 'nagging' the user to enable FileVault. To remove an active deferred enablement config- uration, you can use the disable command, even if FileVault is not cur- rently enabled.

Go to solution
m_higgins
Contributor

Posted on ‎11-03-2015 01:48 AM

I cannot thank you enough @mm2270

0 Kudos