How can I push the filevault prompt on an already enrolled device?

landscaperose
New Contributor

There is a user who has an unencrypted internal drive. His jamf profile should be requiring him to enable FileVault. However, when he restarts or logs out of his device, he is not prompted for FileVault to be enabled. He is already enrolled in jamf but the "Install Configuration Profile Disk Encryption" is stuck as pending. I've tried sending a blank push.

Is there a way to push this policy so they are encrypted without having to unenroll and re-enroll their MacBook? They are on an Intel Mac.

1 ACCEPTED SOLUTION

jamf-42
Valued Contributor II

Add the device to exclusions... then save and select 'Distribute to Newly Assigned Devices Only'.

Check logs / device history.

Then remove from exclusions... and save again as above.


7 REPLIES 7

jamf-42
Valued Contributor II

Config profile for FileVault should be set to login, not log out. This forces it to be set. If the profile is stuck, remove the devices from scope, save, then add back. Don't restart. Get the user to log out and then log back in.

landscaperose
New Contributor

The profile is set to be activated on login. How can I remove it from scope for just this one device, save, then add it back? Thank you very much for your help.


easyedc
Valued Contributor II

Another option if you're able to ask the user to manually do this action is to create a self service policy with a FileVault action. As long as your FileVault settings are correct, it will redirect the key back to your JSS.

easyedc
Valued Contributor II

It goes without saying that you could make this an automatic action by giving it a normal trigger vs self service.

AJPinto
Honored Contributor III

Run fdesetup status on his device and see what state it is in. There is a chance it's deferred waiting on another user (like your local admin account). I have an EA checking the FV state on devices, and if they are in an "errored" state it will swap configuration profiles to disable, and re-enable FileVault which usually clears any "errored" states like deferred enrollment.

Also, with it being just one device, may be a good idea to just enable FileVault manually and move on.
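An Extension Attribute along the lines AJPinto describes, as an added example that is neither AJPinto's script nor anything shipped by Jamf: it classifies the output of `fdesetup status` (on, off, deferred, encryption/decryption in progress) and prints the label in the `<result>` form Jamf EAs use, so a smart group can catch "Deferred" before anyone assumes the profile simply never arrived. The sample outputs, the label names and the `classify_fv_state`/`report_ea` function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify the FileVault state that
# `fdesetup status` reports, in the shape a Jamf Extension Attribute script
# would print it. The sample outputs below are constructed from the message
# formats fdesetup is known to emit; they are not captured from the device
# discussed in the thread.

# Map fdesetup output (passed as one string) to a short state label.
# "Deferred" is checked first because that output also contains
# "FileVault is Off", which would otherwise match the Disabled branch.
classify_fv_state() {
    status="$1"
    case "$status" in
        *"Deferred enablement"*)    echo "Deferred" ;;   # waiting on a user to log in/out
        *"Encryption in progress"*) echo "Encrypting" ;;
        *"Decryption in progress"*) echo "Decrypting" ;;
        *"FileVault is On"*)        echo "Enabled" ;;
        *"FileVault is Off"*)       echo "Disabled" ;;
        *)                          echo "Unknown" ;;
    esac
}

# Wrap the label in Jamf's <result></result> markers so the value lands in
# inventory, where a smart group can key on "Deferred" or "Unknown".
report_ea() {
    printf '<result>%s</result>\n' "$(classify_fv_state "$1")"
}

# Constructed sample outputs (assumed formats, see comment above).
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'localadmin'."

# On a Mac, read the live state; elsewhere fall back to the deferred sample
# so the script still runs end to end.
if [ -x /usr/bin/fdesetup ]; then
    report_ea "$(/usr/bin/fdesetup status 2>&1)"
else
    report_ea "$SAMPLE_DEFERRED"
fi
```

Pasted into a Jamf EA with a string data type, the `<result>` line is what gets recorded at each inventory update.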

If I manually enable FileVault, how can I get the escrow key back in Jamf?