Moving FileVault from policy to profile (Already have an existing partial profile on every Mac)

demaioj
New Contributor III

I'm trying to switch to using just a profile to manage FileVault instead of a policy.

Currently we push out a profile that contains the following:

demaioj_2-1659121138456.png

If I turn on "Enable FileVault", what would that do to existing computers if I pushed the profile back out, as they all have FileVault enabled?

demaioj_3-1659121227201.png

This is our current policy

demaioj_4-1659121330786.png

We had both a config profile and policy because originally we had to move all our keys from Sophos to Jamf a couple of years ago and followed this guide: homebysix/jss-filevault-reissue: A framework for re-escrowing missing or invalid FileVault keys with...

Additionally, the reason we want to do this is to enable FV as early as possible before we run our DEPNotify script so users don't need to log out at the end of our DEPNotify process.


sdagley
Esteemed Contributor II

@demaioj FV isn't going to enable without a logout cycle, so you're not going to be able to bypass that for your DEPNotify script if that's what you're running when enrolling a Mac.