Mandatory FileVault 2 setup?

Not sure if this is what you're asking, see attached Images

When Bill and I were looking through it, we did this a bit differently. The following was our method of checking whether a machine was encrypted. Wrong or ok?

I created this one below to check recovery key.

@dshepp33 Can you clarify what you mean by

My only question with the smart groups is whether I have the right criteria for checking FV2.

Are you looking for the criteria that is used to find what computers should be encrypted? @kitzy 's article provided screenshots of those criteria.

@SeanA I think I have the smart groups the way they should be. I have both what I posted and what he shows on the blog and both show the right computers at this point. I was not sure if one is more proper over the other.

I am more looking to figure out how to apply the configuration profile with the script bit that @kitzy mentions. Particularly where he says "This Configuration Profile is applied during enrollment. Also during enrollment, I run a short script to configure the Mac..." Is that script part of the configuration profile or a separate thing? It is this part that I am a bit lost on as it seems to be the only part that does not have accompanying screenshots.

Hoping to add some observations from our call a couple days ago. We couldn't test a final solution because of the network issues David mentioned.

David's goal is to effectively make the Mac unusable (or frustrating to use) until the end-user has started the FileVault encryption process. Kitzy's blog post suggests forcing the user to log out to kickstart the encryption process. The end-user simply has to click a button to start the process and enter his password. But the user can also click Cancel. If he cancels and logs in again, he'll be logged out at next check-in.

The Smart Group needs to identify devices that "have yet to be encrypted" (i.e. not encrypted, not decrypted, not in the middle of encrypting, etc.).

The problem with Kitzy's solution is he's killing the loginwindow. This doesn't force a logout (which we need to kickstart FileVault) but rather takes the user directly back to the login window.

David, after some testing, the following seems to work. It doesn't appear to be using Accessibility controls, which means it should work without any special configuration in System Preferences. Replace the killall command with this in Files & Processes in your policy:

osascript -e 'tell application "System Events" to keystroke "q" using {command down, shift down, option down}'

That should force a clean log out without a prompt to the user to allow canceling the logout.

Thanks Bill. I'll give that a shot shortly to see what happens. Will let you know.

We don't use a configuration profile, we just have a script that runs often against all unencrypted computers. If the current user is not our standard administrator account (or one of the common Apple accounts like _mbsetupuser), then we run a trigger policy that applies an "at next login" FV policy for the current user. The next time they log in they are forced to enable FileVault or else they get kicked out.

If I wanted to force this to happen ASAP I would just reboot the system afterwards so they have to log in again.

Why not send out a communication that this needs to be done by this date or set that expectation during the onboarding process. From there, if they don't complete setup a prompt policy every check-in that's tied to a smart group so when they start the encryption the pop ups stop.