Mandatory FileVault 2 setup?

New Contributor III

I am trying to follow along with John Kitzmiller's blog post about making FileVault 2 mandatory. I want to ensure the things he details in this blog post. The main thing I want to accomplish here is that a user cannot defer FileVault 2 configuration, since they may be like me and not reboot until a required reboot due to an update.

I am running into some questions that I have not been able to answer for myself. And go figure, my firewall team entered a block on APNs a couple of days before I had @talkingmoose on the phone. Had no idea until we hit that issue.

John K talks about applying a config profile during enrollment and running a script containing: kill -9 $(pgrep loginwindow). I am not sure where to put that. He also mentions during enrollment. While most of my Macs will be DEP and pre-staged, I have some that will not be able to do that since they are not in DEP. My test machine is one such animal, VMs as well, but anyhow.

I have created what I think are all the right smart groups. My only question with the smart groups is whether I have the right criteria for checking FV2.

Has anyone who followed this procedure got any advice? I am sure I can plow through it, but if someone has any bits of info, that would be great.

Not sure if this is what you're asking; see attached images.

New Contributor III

When Bill and I were looking through it, we did this a bit differently. The following was our method of checking whether a machine was encrypted. Wrong or OK?

I created this one below to check the recovery key.

Contributor III

@dshepp33 Can you clarify what you mean by

My only question with the smart groups is whether I have the right criteria for checking FV2.

Are you looking for the criteria that are used to find which computers should be encrypted? @kitzy's article provided screenshots of those criteria.

New Contributor III

@SeanA I think I have the smart groups the way they should be. I have both what I posted and what he shows on the blog, and both show the right computers at this point. I was not sure if one is more proper than the other.

I am more looking to figure out how to apply the configuration profile with the script bit that @kitzy mentions. Particularly where he says "This Configuration Profile is applied during enrollment. Also during enrollment, I run a short script to configure the Mac..." Is that script part of the configuration profile or a separate thing? It is this part that I am a bit lost on as it seems to be the only part that does not have accompanying screenshots.

Honored Contributor II

Hoping to add some observations from our call a couple days ago. We couldn't test a final solution because of the network issues David mentioned.

David's goal is to effectively make the Mac unusable (or frustrating to use) until the end user has started the FileVault encryption process. Kitzy's blog post suggests forcing the user to log out to kickstart the encryption process. The end user simply has to click a button to start the process and enter his password. But the user can also click Cancel. If he cancels and logs in again, he'll be logged out at the next check-in.

The Smart Group needs to identify devices that "have yet to be encrypted" (i.e. not encrypted, not decrypted, not in the middle of encrypting, etc.).

The problem with Kitzy's solution is that he's killing the loginwindow. This doesn't force a logout (which we need to kickstart FileVault) but rather takes the user directly back to the login window.

David, after some testing, the following seems to work. It doesn't appear to be using Accessibility controls, which means it should work without any special configuration in System Preferences. Replace the killall command with this in Files & Processes in your policy:

osascript -e 'tell application "System Events" to keystroke "q" using {command down, shift down, option down}'

That should force a clean log out without a prompt to the user to allow canceling the logout.

New Contributor III

Thanks Bill. I'll give that a shot shortly to see what happens. Will let you know.

Valued Contributor III

We don't use a configuration profile; we just have a script that runs often against all unencrypted computers. If the current user is not our standard administrator account (or one of the common Apple accounts like _mbsetupuser), then we run a trigger policy that applies an "at next login" FV policy for the current user. The next time they log in, they are forced to enable FileVault or else they get kicked out.

If I wanted to force this to happen ASAP I would just reboot the system afterwards so they have to log in again.
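
Added example, not code from the thread, from Kitzy's blog or from Jamf: a shell script that stitches together the two approaches above (talkingmoose's forced logout via osascript and the "run often against unencrypted Macs, skip the admin and Apple service accounts, then trigger the at-next-login policy" script described in the previous post). The decision logic is in pure functions fed the text of `fdesetup status`, so it can be tested off-Mac; the management admin name `localadmin` and the Jamf custom trigger `enableFileVault` are hypothetical placeholders, and the exact phrases printed by `fdesetup status` are an assumption to re-check on the macOS release you deploy to.

```shell
#!/bin/bash
# Added example (not from the thread or from Kitzy's blog): classify a Mac's
# FileVault 2 state and, when a real end user is at the console of an
# unencrypted Mac, apply the at-next-login FV2 policy and force a logout.
# The only live macOS commands are inside console_user(), force_logout()
# and enforce(); everything else is testable on any POSIX shell.

# Local management admin that must never be pushed through the prompt (assumed name).
MGMT_ADMIN="localadmin"
# Custom trigger of the Jamf policy carrying the "at next login" FileVault payload (assumed name).
FV2_TRIGGER="enableFileVault"

# Classify the text printed by `fdesetup status`. The phrases matched here are
# what recent macOS releases print; treat the exact wording as an assumption.
# Prints one of: on, off, encrypting, decrypting, deferred, unknown.
fv2_state() {
  status_text="$1"
  case "$status_text" in
    *"Encryption in progress"*) echo encrypting ;;
    *"Decryption in progress"*) echo decrypting ;;
    *"Deferred enablement"*)    echo deferred ;;
    *"FileVault is On."*)       echo on ;;
    *"FileVault is Off."*)      echo off ;;
    *)                          echo unknown ;;
  esac
}

# A Mac "has yet to be encrypted" only when it is off: not on, not mid-encryption,
# not mid-decryption. A deferred enablement also qualifies, because the logout is
# exactly what kicks that deferred enablement off.
needs_enforcement() {
  case "$(fv2_state "$1")" in
    off|deferred) return 0 ;;
    *)            return 1 ;;
  esac
}

# True for a real end user; false for the management admin, Apple's service and
# setup accounts (names starting with "_", e.g. _mbsetupuser), root, and the
# no-user/loginwindow case.
should_prompt_user() {
  user="$1"
  case "$user" in
    ""|root|loginwindow|"$MGMT_ADMIN") return 1 ;;
    _*)                                return 1 ;;
    *)                                 return 0 ;;
  esac
}

# Owner of /dev/console is the GUI user on macOS ("root" when nobody is logged in).
console_user() {
  stat -f%Su /dev/console 2>/dev/null
}

# Cmd-Shift-Opt-Q: the osascript from the thread. Unlike killing loginwindow this
# runs the real logout sequence (no confirmation dialog), which is what triggers
# the FileVault prompt.
force_logout() {
  osascript -e 'tell application "System Events" to keystroke "q" using {command down, shift down, option down}'
}

# Live path, macOS only: run as `sudo ./fv2_enforce.sh --enforce` from a policy
# scoped to the "not yet encrypted" smart group.
enforce() {
  status_text="$(fdesetup status 2>/dev/null)"
  if ! needs_enforcement "$status_text"; then
    echo "FileVault state is '$(fv2_state "$status_text")'; nothing to do."
    return 0
  fi
  user="$(console_user)"
  if ! should_prompt_user "$user"; then
    echo "Console user '${user:-none}' is exempt; skipping."
    return 0
  fi
  # Apply the at-next-login FileVault policy for this user, then log them out so
  # that next login happens now rather than after the next update reboot.
  /usr/local/bin/jamf policy -event "$FV2_TRIGGER"
  force_logout
}

if [ "${1:-}" = "--enforce" ]; then
  enforce
fi
```

Two caveats a practitioner would check before scoping this widely: the Jamf smart group and the script should agree on what "unencrypted" means (both must exclude machines mid-encryption and mid-decryption), and the forced logout will discard unsaved work, so the policy should run at a check-in frequency the users have been warned about.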

New Contributor III

Why not send out a communication that this needs to be done by a given date, or set that expectation during the onboarding process? From there, if they don't complete setup, prompt with a policy at every check-in that's tied to a smart group, so when they start the encryption the pop-ups stop.