Moving FileVault from policy to profile (Already have an existing partial profile on every Mac)

New Contributor III

I'm trying to switch to using just a profile to manage FileVault instead of a policy.

Currently we push out a profile that contains the following:


If I turn on "Enable FileVault", what would that do to existing computers if I pushed the profile back out, as they all have FileVault enabled?


This is our current policy


We had both a config profile and a policy because originally we had to move all our keys from Sophos to Jamf a couple of years ago and followed this guide: homebysix/jss-filevault-reissue: A framework for re-escrowing missing or invalid FileVault keys with...

Additionally, the reason we want to do this is to enable FV as early as possible before we run our DEPNotify script, so users don't need to log out at the end of our DEPNotify process.


Honored Contributor III

@demaioj FV isn't going to enable without a logout cycle, so you're not going to be able to bypass that for your DEPNotify script if that's what you're running when enrolling a Mac.