How Have You Set Up FV?

betty02
New Contributor II

Here we usually image the machine with my base build, stick them in a drawer, then when the user is ready we will profile for that user, log in, mount the drives they require, then send FV through Casper Remote, then restart and log in, and we need to enable the user in the FileVault settings panel with their password.

Is this the best/worst way of doing it? How is yours done? We find if we don't enable the user we don't get the choice on login for them to click their names, just our service account.

Thanks
Simon
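The login-window symptom above (only the service account is listed) comes down to which accounts are FileVault-enabled. As an added example that is not from this thread, here is a small POSIX shell check that parses the `username,UUID` lines `fdesetup list` prints on macOS and confirms whether a given user is among them; the sample list is constructed, and on a real Mac you would feed it `sudo fdesetup list` instead.

```shell
#!/bin/sh
# Added example: verify which local accounts are FileVault-enabled.
# Assumes the output format of `fdesetup list` on macOS: one "username,UUID" per line.

# Return 0 if user $2 appears in the fdesetup list output passed as $1, else 1.
fv_user_enabled() {
    _list="$1"; _user="$2"
    printf '%s\n' "$_list" | awk -F, -v u="$_user" \
        '$1 == u { found = 1 } END { exit (found ? 0 : 1) }'
}

# Print the number of enabled users in the list output passed as $1.
fv_enabled_count() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { n++ } END { print n + 0 }'
}

# Constructed sample, shaped like `fdesetup list` on a machine where only the
# management/service account was enabled, the situation described in the question.
SAMPLE_LIST='jamfadmin,A1B2C3D4-0000-0000-0000-000000000001'

# Report whether the end user will be offered at the FileVault login window.
# Usage on a Mac: check_user "$(sudo fdesetup list)" "$username"
check_user() {
    if fv_user_enabled "$1" "$2"; then
        echo "$2 is FileVault-enabled"
    else
        echo "$2 is NOT FileVault-enabled; the pre-boot login window will not list them"
        return 1
    fi
}
```

Run the check after the enablement step in your workflow (or as a Jamf extension attribute) so a forgotten enablement is caught before the machine leaves the shelf.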


AVmcclint
Honored Contributor

I do ours in a similar fashion:
- Image with the base build
- after imaging and it reboots, I let it install all the post-enrollment policies
- I reboot and then run jamf recon just to make sure all the EAs run and the Active Directory membership is accounted for
- I scope the computer for our 802.1x Config Profile that requires AD membership and make sure that and all the other Config Profiles get installed.
- I manually install McAfee ePO and make sure all the policies and definitions are pulled down for that.
- only after I've done all that do I use Casper Remote to push the FileVault2 configuration with our Institutional Key to the computer and reboot. I login as the admin user and then let it sit for an hour to complete encryption. Once it's completely encrypted, I reboot a couple times and login for good measure.
- I put the computer on a shelf to await being assigned to a user and then I get them logged in and enabled in FileVault.

Because of the interruption enabling FileVault can cause in the setup process, I always save it for last but before I put it aside to await deployment.

betty02
New Contributor II

Pretty much the same as we're doing here.

I was just wondering/hoping someone had a way that I could send out FV without needing to enable the user.

Just means if I am hungover and forget to FV, for example, then I can just send it across and not worry about many issues caused, and not need to remote in to enable them, etc. etc.!

Josh_Smith
Contributor III

We have a Self Service policy to start encryption. When a tech delivers the laptop they have them kick off the encryption policy, which forces a logout to trigger the password prompt. We don't have any performance issues while encrypting, so they can start using it after the reboot (SSD is our standard). It's a good way to introduce a new user to Self Service as well.

stevewood
Honored Contributor II

@betty02 I used to deploy FV2 utilizing a Self Service policy that I would have the end user run after giving them their machine. I've switched to using a Configuration Profile utilizing a personal (individual) recovery key that is escrowed in the JSS. I'm slowly switching my fleet over to this, per the wonderful post by @kitzy: How I Deploy FileVault 2.

The total process of deploying a new machine looks like this:

  • Thin image a machine using DEP or Casper Imaging
  • Place machine on shelf until needed
  • When needed, re-name to end user's name and bind to AD
  • Have the user log in, install CrashPlan via Self Service, place machine in scope for FV Config Profile, and reboot.
  • User enters password, machine reboots and they are part of FV
  • Second policy that enables admin account on FV (via Kitzy's blog method)

At the end, machine is deployed to end user with FV enabled and it takes about 5 minutes, or less, to do so.

bwiessner
Contributor II

I like @stevewood's workflow - similar to what I am doing.

- Image and bind to serial.
- User logs in; Self Service policy to rename computer to username
- Self Service policy to enable FileVault - Personal Key
- Configuration Profile for FileVault Redirection (this is what stores the key in the JSS, allowing you to look it up under that device record)
- Once disk is encrypted, policy off of Individual Key smart group enables management account