Running JSS 9.97.1488392992.
We have begun seeing an issue appearing on what appears to only be the new mid-2017 iMacs (iMac18,2) arriving lately (so far). After FileVault is turned on per our configuration profile, we attempt to add users other than the account that enabled FileVault. The users appear to be succesfully added, they are showing as a FV2 user in the JSS, they appear when you invoke fdesetup list. However they do not appear when the device is restarted on the FileVault preboot screen. In short, only the user that turned on FV2 is visible on the login screen.
Thus far we have attempted to remove them manually and re-add them, but this does not work. Creating new users from System Preferences or scripts and then adding them to FV2 shows the same behavior.
When the device is not enrolled in jamf, FileVault 2 appears to function correctly. So far this has been tested with 10.12.5 and 10.12.6 for these iMacs. We confirmed other hardware does not show the same problems when we follow our typical on-boarding workflow.
Further update. Jamf has been largely ineffective and diagnosing the issue and seems to be relying on our organization to do it for them.
Following testing, it appears JRE 8 131 is the cause of the problem. We have Apple engineers looking into the issue. It only occurs when jamf is managing the device, encryption is enabled, and JRE 8 131 is installed. Upgrading from 131 to 141 does not solve the issue. The device needs to be reimaged and then re-enrolled. If 141 is installed the issue does not appear.
Yeah this has been a fun a fun one. I'll keep updating this post if/when I hear back from jamf or Apple on any progress with nailing this down. We also purchased this model for our group specifically to test if it returns. It may be "fixed" in 141, but my fear is if installing the JRE can break FileVault once it can do it again.