Macs with T2 chip reporting as "FileVault Enabled" out of box.

blinvisible
Contributor

Our FileVault 2 encryption policy is scoped to devices that are not already encrypted; however, it seems that the new MacBook Pros (and possibly iMac Pros, but we don't have any to test) are being seen by Jamf as already encrypted, even when FileVault is off. I suspect this is because the disk is, technically, already encrypted by the T2 chip hardware. While this would prevent the drive from being accessed if removed from the computer, without FileVault also enabled it doesn't prevent the disk from being unlocked without a password while still inside the machine. Apple certainly recommends enabling FileVault, even on T2-capable Macs:

https://support.apple.com/en-us/HT208344

Anyone else have a workaround for this, to get T2-equipped Macs with FileVault disabled to be seen by Jamf as unencrypted?


blinvisible
Contributor

For what it's worth, I've created this Extension Attribute to determine if an iBridge is present. From there, a Smart Group could be created, against which a more aggressive FileVault policy could be scoped:

#!/bin/bash

# Extension Attribute: report which Apple bridge chip (T1/T2), if any, is present.
# system_profiler prints the iBridge section; only the "Model Name" line is kept.
IBRIDGE="$(/usr/sbin/system_profiler SPiBridgeDataType | /usr/bin/grep 'Model Name')"

if [[ -z "${IBRIDGE}" ]]; then
    # No "Model Name" line: this Mac has no T1/T2 chip.
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${IBRIDGE}</result>"
fi

exit 0

The script will return "None" for Macs with no iBridge, "Model Name: Apple T1 chip" for Macs with a T1 chip (such as the 2016/2017 MacBook Pro with Touch ID), or "Model Name: Apple T2 chip" for Macs with a T2 chip (such as the 2018 MacBook Pro). EDIT: see @brunerd's post below; return values may differ depending on language localization and OS version.

blinvisible
Contributor

(edit: removed duplicate post)

UESCDurandal
Contributor II

We're also adapting to this change.

Thanks for the EA! It's a good start, but ideally Jamf will use a different mechanism when detecting "FileVault 2 Partition Encryption State", given that this title is no longer accurate for T2 Macs.

blinvisible
Contributor

I think they are aware of the issue, my Jamf rep asked for more details in reference to PI-006109.

UESCDurandal
Contributor II

I was able to find @rtrouton's Extension Attribute that detects APFS Encryption Status. This appears to be a decent value to base our policies on for T2-equipped Macs.

brunerd
Contributor

An observation about the SPiBridgeDataType in system profiler: it will localize the word "chip".
So don't get too specific in your Smart Group criteria; something like "T2" will suffice.

Also sorta interesting is that 2016 MacBook Pros with Touch ID will report "iBridge" in 10.12 but "Apple T1 chip" in 10.13... I guess they realized they needed snappier branding that ditched the "i" going forward.

As for the EA, it works well enough for now for me: if they have a "T2" yet the FileVault Key Validation is "Unknown", then they are not encrypted. I really didn't want to add another EA for encryption status; I'm hoping it can just be a part of JSS 10.6.1 🙏

blinvisible
Contributor

Thanks @brunerd, good to know about localization and the different values returned by Sierra vs. High Sierra. I agree that having the Smart Group do a "like" match for just the "T2" substring makes sense. Using "FileVault Key Validation" is a neat trick; for my environment we already had another EA that returns the value of fdesetup status, so I just looked for a match of "FileVault is Off" to get my list of unencrypted devices.
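
Added example (editor's note, not a script posted by anyone in this thread): one Extension Attribute that combines the two checks discussed above, a substring match for "T2" in the SPiBridgeDataType output and the real FileVault state from fdesetup status, so a single Smart Group can be scoped to T2 Macs that Jamf lists as encrypted while FileVault is actually off. The function names, the "T2 FileVault Off" result format, and the sample inputs are my own; the samples are constructed to mimic system_profiler's layout, not captured from real machines, and the 10.12 value line is assumed to read "Model Name: iBridge" as brunerd describes.

```bash
#!/bin/bash
# Added example, not code from the thread. Function names and the result
# format are the editor's choices.

# classify_bridge PROFILE_TEXT
#   PROFILE_TEXT is the output of `system_profiler SPiBridgeDataType`.
#   Prints T2, T1 or None. Only the chip substring is matched, because
#   system_profiler localizes its labels and words such as "chip", and 10.12
#   reported the value "iBridge" where 10.13 reports "Apple T1 chip".
classify_bridge() {
    case "$1" in
        *T2*)                 echo "T2" ;;
        # ": iBridge" is a value (10.12 style); a bare "iBridge:" is only the
        # section header, which system_profiler prints even with no chip present.
        *T1* | *": iBridge"*) echo "T1" ;;
        *)                    echo "None" ;;
    esac
}

# filevault_state STATUS_TEXT
#   STATUS_TEXT is the output of `fdesetup status`. Prints On, Off or Unknown.
#   Assumption: fdesetup prints "FileVault is On." / "FileVault is Off." in
#   English regardless of the logged-in user's UI language.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo "On" ;;
        *"FileVault is Off"*) echo "Off" ;;
        *)                    echo "Unknown" ;;
    esac
}

# ea_result PROFILE_TEXT STATUS_TEXT
#   Combines both into one EA value such as "T2 FileVault Off", so a Smart Group
#   can use a "like" match on "T2" and on "FileVault Off" without a second EA.
ea_result() {
    echo "$(classify_bridge "$1") FileVault $(filevault_state "$2")"
}

# needs_filevault PROFILE_TEXT STATUS_TEXT
#   True (exit 0) when the Mac has a T2 but FileVault is not on: the T2 encrypts
#   the disk, but without FileVault the volume still unlocks at boot without a
#   password, which is the gap the thread is about.
needs_filevault() {
    [ "$(classify_bridge "$1")" = "T2" ] && [ "$(filevault_state "$2")" != "On" ]
}

# Constructed sample inputs (not captured from real machines) so the functions
# can be exercised off a Mac; indentation mimics system_profiler's layout.
SAMPLE_T2_PROFILE='iBridge:

      Model Name: Apple T2 Security Chip'
SAMPLE_T1_PROFILE='iBridge:

      Model Name: Apple T1 chip'
SAMPLE_SIERRA_PROFILE='iBridge:

      Model Name: iBridge'
SAMPLE_NO_BRIDGE='iBridge:
'
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'

if [ -x /usr/sbin/system_profiler ] && [ -x /usr/bin/fdesetup ]; then
    # Real collection on a Mac: this is the line Jamf stores as the EA value.
    /bin/echo "<result>$(ea_result "$(/usr/sbin/system_profiler SPiBridgeDataType 2>/dev/null)" \
                                   "$(/usr/bin/fdesetup status 2>/dev/null)")</result>"
else
    # Off a Mac, show what the EA would report for the constructed T2 sample.
    echo "<result>$(ea_result "$SAMPLE_T2_PROFILE" "$SAMPLE_FV_OFF")</result>"
fi
```

Scope a Smart Group on this EA with "like T2" plus "like FileVault Off" (or just "not like FileVault On", which also catches "Unknown"), and point the FileVault enablement policy at that group. Matching only the "T2" substring keeps the criteria working when the Mac's UI language changes the rest of the system_profiler line.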

cwaldrip
Valued Contributor

@brunerd you're just checking that they don't have a FileVault key (personal or institutional) AND have a T2 (iBridge)? Right?

brunerd
Contributor

I had a whole post about how I'd gotten a new T2 laptop to test with, then it turns out the tech who gave it to me gave me a "brand new" MacBook Pro 2017 (fresh outta the cellophane from CDW), and I wasn't seeing that it was showing as encrypted out of the box... but then yeah, it was a MacBookPro14,2, not a MacBookPro15,2 or 15,1. DOH!

@cwaldrip Right - I have a Smart Group matching if they have a T2 and their Encryption Key (we only use Personal) is Unknown