Posted on 06-17-2019 07:56 AM
I just found this...
"In order to prevent attackers enabling FileVault with a secret key via fdesetup, a possible avenue for a ransomware attack, Apple have introduced a new prompt that requires user approval before FileVault can be used to encrypt the drive programmatically."
From...
https://www.sentinelone.com/blog/7-big-security-surprises-coming-to-macos-10-15-catalina/
And in my testing I am seeing the prompt twice: once when fdesetup is set to defer and once when the user enables.
C
Posted on 06-17-2019 12:44 PM
I haven't reviewed these new security features in Catalina, but the prompt in the screenshot looks very much like PPPC. If that's the case, Jamf Pro will likely include those new security settings in its PPPC Configuration Profile payload for the release of Catalina.
Posted on 06-17-2019 12:57 PM
There's not a lot you can do these days that doesn't involve a user having to say yes. They might as well just remove MDM/enterprise features and just let people do what they want.
Posted on 06-17-2019 01:28 PM
Hmm, I read here and there that profile-based enablement of FV will not be affected, but FDESETUP through the CLI will not accept a blank password/username anymore, or something like that.
Posted on 06-17-2019 01:40 PM
@txhaflaire I thought that was the case already with Mojave anyway. It's certainly what I've seen if you want to apply a securetoken to a new or existing user via the cmd (if you don't know the user's password).
Posted on 06-17-2019 01:41 PM
@allanp81 I'm taking the optimistic view like @talkingmoose and expect we'll have a way to approve it via Configuration Profile. If not, there are ways to "encourage" your users to approve the things required to make a Mac meet your compliance requirements with scaling levels of subtlety.
Posted on 06-17-2019 04:10 PM
In my testing and in what I have read, using a profile still uses fdesetup and there is no workaround. I think our security team and onsite teams would laugh me out of the room if I suggested deploying machines unencrypted and then "encouraging" users to encrypt later. In fact, we auto-wipe our machines if the FV key isn't reported back to Jamf after enrollment.
C
Posted on 06-18-2019 03:15 AM
From what I've seen, using a profile does not trigger the prompt.
Posted on 06-18-2019 05:57 AM
Posted on 06-18-2019 06:15 AM
19A471t, haven't tried the latest one yet
Posted on 06-18-2019 06:23 AM
Posted on 06-18-2019 06:30 AM
Maybe you still have an FV deferral active on your testbox that was created by fdesetup before you applied the profile?
Try
sudo fdesetup disable
and re-apply the profile?
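The check suggested above, written out as an added example that is not from this thread, from Jamf or from Apple: it classifies the text that `fdesetup status` prints so you can tell whether a CLI-created deferral is still active before re-applying the FileVault profile. The sample status texts are constructed for the example and mirror the wording fdesetup uses; the recommended action for the deferred state is the `sudo fdesetup disable` step from the post above. The script only prints the recommended next step, it never runs fdesetup itself.

```shell
#!/bin/sh
# Added example: classify `fdesetup status` output and suggest the next step
# before (re)applying a FileVault configuration profile.

# fv_state reads fdesetup status text on stdin and prints exactly one word:
#   deferred | encrypting | on | off | unknown
# "deferred" is checked first because a deferred status also contains the
# line "FileVault is Off.", and "encrypting" before "on" for the same reason.
fv_state() {
  text=$(cat)
  case "$text" in
    *"Deferred enablement appears to be active"*) echo deferred ;;
    *"Encryption in progress"*)                   echo encrypting ;;
    *"FileVault is On."*)                         echo on ;;
    *"FileVault is Off."*)                        echo off ;;
    *)                                            echo unknown ;;
  esac
}

# fv_next_step maps a state word to the action an admin should take.
fv_next_step() {
  case "$1" in
    deferred)   echo "CLI deferral still active: run 'sudo fdesetup disable', then re-apply the FileVault profile" ;;
    off)        echo "FileVault off and no deferral: apply the FileVault profile; the user is asked for a password at next login/logout" ;;
    encrypting) echo "encryption already in progress: wait for it to finish, do not re-apply" ;;
    on)         echo "FileVault on: nothing to do, confirm the recovery key was escrowed" ;;
    *)          echo "unrecognised fdesetup output: inspect manually" ;;
  esac
}

# Constructed sample: what a box with a leftover fdesetup deferral reports.
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'ladmin'."

state=$(printf '%s\n' "$SAMPLE_DEFERRED" | fv_state)
echo "sample state: $state"
echo "next step:    $(fv_next_step "$state")"

# On a real Mac, classify the live status instead of the sample.
if command -v fdesetup >/dev/null 2>&1; then
  live=$(fdesetup status | fv_state)
  echo "live state:   $live"
  echo "next step:    $(fv_next_step "$live")"
fi
```

Run it as a normal user; reading `fdesetup status` needs no privileges, and the only privileged action is the one it tells you to run by hand.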
Posted on 07-24-2019 10:00 AM
I pulled the policy that was setting the FV on and I'm only relying on the Config Profile. The problem I have now is, at logout, it requires the user to put in their password before FV is enabled. The user can hit cancel and FV will be off.
So I finally typed my password and now the screen is just blank, which I'm assuming is FV encrypting the drive. Users will not find this beneficial and will force a hard boot.
Posted on 08-12-2019 09:48 AM
The current beta resolved my issue.
Posted on 08-12-2019 10:41 AM
@gachowski With a profile it works now? Please describe :)
Posted on 08-12-2019 03:12 PM
@gachowski - I'm in the beta as well...just getting rolling. Are you just using the simple built-in for FV testing here?
Posted on 08-14-2019 11:44 AM
Yep, I tested both the profile and the built-in policy and both worked. That said, I have been out since after it was released so I don't have the best memory... Working on a different issue today, but hopefully I can get back to testing FV tomorrow.
C
Posted on 08-14-2019 12:28 PM
Unfortunately for me, working with non-IT managers, they still want us sitting with the users while going through the DEP process. Kinda defeats the purpose of DEP but clicking through login prompts is easy.
Posted on 08-14-2019 07:35 PM
Tested a clean install of beta 5 today in a VM. It did not prompt for FV2 and it applied like it should for me.
Posted on 09-30-2019 11:50 AM
@tlarkin , I have a script that I use to fix the Secure Tokens for our IT-Admin type account and it ATTEMPTS to activate FV, but it never succeeded in being zero touch in Catalina OR Mojave--the user would get caught by our configuration profile fall-back where they have to input their password on the first restart.
This, although annoying, worked okay for Mojave, but while the profile fires on Catalina for me, and I put in my password, the drive doesn't actually encrypt, so now none of my methods are working.
Would you mind sharing the script/method you're using to enable FV2 for Catalina (and earlier) via Profile? I would greatly appreciate it!
Posted on 09-30-2019 12:31 PM
I am just using the config profile to force FV2 to be enabled and enforced at next boot. That is it. Then in my DEP Notify workflow the last thing I do is apply all OS and security patches and force a reboot. User reboots, logs in and is prompted to enable FV2. That is all I am doing.
Posted on 11-18-2019 01:18 PM
I'm seeing the same behaviour as @Chris: using a profile prompts users in the same way it always has, asking for the password once.