High Sierra / File vault ??

Craig_Whittaker
New Contributor III

We have had a policy set up for the past two years that has worked without fail; on 10.13 this no longer works.

Has anyone had the same issue and found a fix?

Institutional key with management account.


michael-brodt
New Contributor III

Yeah... apparently, APFS does not support Institutional Keys. At least there is no command for it. Personal should work though...

MandyDroid
New Contributor II

That is correct; the 10.13 diskutil apfs verb does not support the institutional key. Also, I have now seen that mobile accounts are not able to enable FileVault.

dan-snelson
Valued Contributor II

With macOS 10.13.x, APFS and JSS 9.101.0, we've been able to enable AD mobile accounts with personal keys, but haven't been able to re-generate keys for AD mobile accounts.

ammonsc
Contributor II

Just trying to test this out now on a new JAMF Pro 10 instance. Followed the guides from JAMF

Managing Disk Encryption Configs

Deploying Disk Encryption Configs

Issue New Key

APFS volume, AD user, 10.13.2: a warning comes up that I need to enable FileVault, I click OK, and it never actually turns on FileVault.

Any ideas?

ammonsc
Contributor II

So my issue ended up working after I enabled the user to have a secure token. I used the script below to accomplish this.

#!/bin/bash

# Get the username of the currently logged-in user (the owner of /dev/console)
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

# Management account credentials (replace the placeholders with your own values;
# no space is allowed around "=" in a shell assignment)
management="yourjamfadmin"
managementpassword="yourjamfadminpassword"

# Prompt the logged-in user for their password (sysadminctl needs it to grant the token)
UserPassword="$(/usr/bin/osascript -e 'Tell application "System Events" to display dialog "Enter your password" default answer "" with hidden answer' -e 'text returned of result' 2>/dev/null)"

# Grant a secure token to the logged-in user, authorising with the management account
/usr/sbin/sysadminctl -adminUser "$management" -adminPassword "$managementpassword" -secureTokenOn "$loggedInUser" -password "$UserPassword"

After that my FileVault policy worked like a champ.
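An added example, not ammonsc's script: the same secureToken grant, but made idempotent by classifying the account's current token state before acting, and with the management credentials taken from Jamf script parameters $4/$5 (an assumption) rather than written into the script. The parsers run anywhere; the macOS-only commands are guarded.

```shell
#!/bin/bash
# Added example (not the script from the thread): check the account's secureToken
# state first, log the decision, and only then call sysadminctl.
# Assumptions: Jamf passes the management user/password as parameters $4 and $5;
# sysadminctl and /dev/console exist only on macOS, so that part is skipped elsewhere.

# Classify the line that `sysadminctl -secureTokenStatus <user>` writes to stderr,
# e.g. "... sysadminctl[123:456] Secure token is ENABLED for user jdoe".
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "enabled" ;;
        *"Secure token is DISABLED"*) echo "disabled" ;;
        *)                            echo "unknown" ;;
    esac
}

# At the loginwindow root owns the console, and during Setup Assistant it is
# _mbsetupuser; neither account should be granted a token.
console_user_is_real() {
    case "$1" in
        ""|root|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# $1 = console user, $2 = sysadminctl -secureTokenStatus output for that user.
# Prints the action the policy should take.
decide_action() {
    if ! console_user_is_real "$1"; then
        echo "skip-no-console-user"
        return
    fi
    case "$(secure_token_state "$2")" in
        enabled)  echo "skip-already-enabled" ;;
        disabled) echo "grant" ;;
        *)        echo "abort-unknown-state" ;;
    esac
}

if [ "$(uname)" = "Darwin" ]; then
    loggedInUser=$(/usr/bin/stat -f%Su /dev/console)
    managementUser="$4"        # Jamf script parameter 4 (assumption)
    managementPassword="$5"    # Jamf script parameter 5 (assumption)
    status=$(/usr/sbin/sysadminctl -secureTokenStatus "$loggedInUser" 2>&1)
    action=$(decide_action "$loggedInUser" "$status")
    echo "secureToken check for '$loggedInUser': $action"   # shows up in the policy log
    if [ "$action" = "grant" ]; then
        userPassword=$(/usr/bin/osascript -e 'Tell application "System Events" to display dialog "Enter your password" default answer "" with hidden answer' -e 'text returned of result' 2>/dev/null)
        /usr/sbin/sysadminctl -adminUser "$managementUser" -adminPassword "$managementPassword" -secureTokenOn "$loggedInUser" -password "$userPassword"
        /usr/sbin/sysadminctl -secureTokenStatus "$loggedInUser"   # re-read so the log shows the result
    fi
fi
```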

mbezzo
Contributor III

@ammonsc

Thanks for this! Working great tossed into our workflow.

maurits
Contributor

I have tested a better-looking script, which seems to be 10.13.2 compatible (tested on 5 Macs running 10.13.2 so far) and does the same job, using the user's credentials. Going forward, Apple requires more tasks to be user approved (kext, MDM, FileVault?), and not by the JamfAdmin account. It may work if you have upgraded from 10.12, and fail with newly enrolled 10.13 devices.

So therefore I went for the script of Elliot: https://github.com/homebysix/jss-filevault-reissue which is well documented on how to use it.

There are a few things not working yet with my smart groups; the status of "FileVault 2 Individual Key Validation - is not - Valid" is not always correct. For some there is a FileVault recovery key, but the status is still 'unknown'.

We have made this available in self service, and ask users with 'is not - Valid' status to run the policy.

Using jamf 10.0.0 and 10.1.1

Hi! I've got a quick update that may be of interest to you regarding my jss-filevault-reissue script.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!