Looking into File Vault 2 with Yosemite; Any gotchas or concerns before we begin?

Valued Contributor

Hi Everyone,

Our security officer has asked me to look into enabling File Vault 2 for our Mac laptops starting this summer. Our college hasn't really incorporated any disk encryption on Windows or Macs, ever. So this is all new territory for us. As I begin reading on the subject, there appear to be a lot of people doing a lot of different things, which is normal.

How many of you are using FV2 and how was your implementation? Any roadblocks? Training issues? How about sticky points? Finally, how long did it take you to implement and did your user base have any issues?

As always, thank you in advance, your input is sincerely appreciated.



Valued Contributor II

We use FV2 on both Mountain Lion and Yosemite throughout our organization. One of the biggest things that you need to be sure to do in order to have a successful deployment is to make sure that your management account is enabled for FV2, as the JSS relies on that account being FV2 enabled to do things like automatically re-issue a recovery key to machines which either have "invalid" or "unknown" key statuses. You can have the JSS enable only the management user when you apply the FV2 config; we just haven't gone that route yet.

I would use the JSS built-in FV2 configuration tool set paired with either a push policy or a Self Service based policy to kick the config out. You can do the FV2 enablement via Config Profile, but JAMF has an open bug or two on that front, so we haven't gone that route either. There is a custom config profile out there which disables the user's ability to go into Sys Pref - Security - FV and turn off FV, which we are experimenting with...

One last thing - make smart groups based on FV2 statuses - we have a set of notification only (green, yellow, red caution style icons) policies which are featured in Self Service that display the current FV2 status to the user. FileVault is on, FileVault is off, FileVault is deferred, etc.

Release Candidate Programs Tester

Casper's management of FileVault 2 relies on the capabilities of Apple's fdesetup tool, so I recommend learning about the capabilities of fdesetup.

I have a post on Yosemite's fdesetup available from here:
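The two replies above both come down to the same two checks: what `fdesetup status` reports for the machine (which is what the status-based smart groups key on), and whether the management account shows up in `fdesetup list` (which is what the JSS needs in order to re-issue recovery keys). The script below is an added example, not code from either poster or from Jamf: it classifies the status text into on/off/deferred/encrypting/decrypting and confirms a named account is FV2-enabled, then prints a Jamf extension-attribute style `<result>` line that a smart group can match. The account name `casperadmin` is an assumption; the embedded sample output is constructed to look like `fdesetup` output and is used only when `fdesetup` is not on the path, so the script runs offline. Run it as root on a Mac to get live results (`fdesetup list` needs root).

```shell
#!/bin/sh
# Added example (not from the thread or from Jamf): classify FileVault 2 status
# for smart groups and verify the management account is FV2-enabled.

# Constructed sample output, shaped like `fdesetup status` and `sudo fdesetup list`
# (assumption: exact wording may differ slightly between OS X versions).
SAMPLE_STATUS="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."
SAMPLE_LIST="jdoe,11111111-2222-3333-4444-555555555555
casperadmin,66666666-7777-8888-9999-000000000000"

# fv_state STATUS_TEXT -> prints on | off | deferred | encrypting | decrypting | unknown
# Order matters: a deferred machine also says "FileVault is Off." and an
# encrypting machine also says "FileVault is On.", so the specific lines win.
fv_state() {
    case "$1" in
        *"Deferred enablement"*)    echo deferred ;;
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# mgmt_enabled LIST_TEXT ACCOUNT -> exit 0 if ACCOUNT is listed as an FV2-enabled user.
# `fdesetup list` prints one "username,UUID" line per enabled user.
mgmt_enabled() {
    printf '%s\n' "$1" | grep -q "^$2,"
}

# Use live fdesetup output on a Mac; fall back to the constructed sample elsewhere.
collect_status() {
    if command -v fdesetup >/dev/null 2>&1; then
        fdesetup status
    else
        printf '%s\n' "$SAMPLE_STATUS"
    fi
}
collect_list() {
    if command -v fdesetup >/dev/null 2>&1; then
        fdesetup list 2>/dev/null || true   # needs root; empty output if not root
    else
        printf '%s\n' "$SAMPLE_LIST"
    fi
}

# ea_result ACCOUNT -> one <result>...</result> line in Jamf extension-attribute style,
# e.g. "<result>deferred;mgmt_enabled=yes</result>" for the sample data.
ea_result() {
    state=$(fv_state "$(collect_status)")
    if mgmt_enabled "$(collect_list)" "$1"; then mgmt=yes; else mgmt=no; fi
    printf '<result>%s;mgmt_enabled=%s</result>\n' "$state" "$mgmt"
}

ea_result casperadmin   # hypothetical management account name
```

A smart group on the resulting extension attribute (for example, anything whose value is not `on;mgmt_enabled=yes`) gives you the same on/off/deferred buckets the Self Service notification policies above display, plus the "management account not enabled" case that would otherwise silently break recovery-key re-issue.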