Locking Down the "Turn FileVault Off" Button

I normally just block the security preference pane. Are you delivering this setting as a configuration profile?

That was about as close as we got as well, found several different ways on google, none of them successful.
If anyone does work out how to do just this, post it for the rest of us :)

Most of the efforts I've seen in a few of the posts usually block the entire security pref pane, but the above xml script was the closest I found to disable just the button without locking down the entire security pref pane. In response to your question David, no I'm not executing the setting as a config profile due to the CA needed to create profile settings...that's forthcoming.
Right now I'm experimenting with just the isolation of the filevault button, while leaving the security pref pane open in order to reach the tabs underneath (i.e., privacy, general). There must be a way to uncover the properties of the button in order to control it's binary attribute and disable it.

I did run across another pretty good post noted under this link which talks about locking down the security pref pane: Disabling Sys Pref Panes

The breakdown of how to get to the individual system prefs was pretty interesting. Within the link above the following argument was mentioned: ./set_panes.sh --disable com.apple.preferences.bluetooth
I was wondering if anyone has taken time to execute this in testing also.

I install a profile like this: I do not think I have tried to push it out from the JSS, I forget who to credit with this but pretty sure it came from the JAMFNation

Filename LockFileVault.mobileconfig

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>DestroyFVKeyOnStandby</key> <false/> <key>PayloadDisplayName</key> <string>Security &amp; Privacy</string> <key>PayloadEnabled</key> <true/> <key>PayloadIdentifier</key> <string>com.apple.mdm.yourcompany.lockfilevault</string> <key>PayloadType</key> <string>com.apple.MCX</string> <key>PayloadUUID</key> <string>9957f948-7ac4-0c96-4c8e-28884ad430ec</string> <key>PayloadVersion</key> <integer>1</integer> <key>dontAllowFDEDisable</key> <true/> </dict> </array> <key>PayloadDisplayName</key> <string>Can't Disable FileVault 2</string> <key>PayloadIdentifier</key> <string>com.apple.mdm.yourcompany.lockfilevault</string> <key>PayloadOrganization</key> <string/> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>0dc319a0-c331-0131-eeb5-000c294ab81b</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>

@msample Looks like something I posted on here a while back. It's not iffy, it's the only way to do is on the Macs because of a bug in Casper that doesn't grey it out, even if you have it set in the policy. I like to push my policies out with Casper and that was the only way I could get it to actually work.

Annoyingly it now seems when you display something on JAMF Nation as a script it copies and pastes without line breaks... But normal comments copy and paste as you would expect!

I think that profile came from @gregneagle posting here. It's also on his blog:

https://managingosx.wordpress.com/2014/05/21/preventing-users-from-disabling-filevault-2/

Yep, I used the one from Greg and it worked : )

C

@nessts ...Thanks nessts, I'll test out the script on my Dev server.