Persistent FileVault 2 Re-Encryption Prompts

gskibum
Contributor III

Has anyone had issues with FileVault 2 automatically re-enabling itself?

Several months ago I set up a Self Service policy to encrypt boot drives with an Institutional + Individual key. After some successful testing I scoped it to 3 of my own Macs and encrypted those boot drives. Everything has been working fine and I have not had any reason to think anything is amiss. I even recently successfully tested it again with two test Macs. So I now have 5 devices encrypted with this policy.

I’m now needing to mass deploy FileVault configurations in other JSSs I control, and for the sake of reinforcing my knowledge from my past effort, I decided I wanted to start with a clean slate and create new keys and new policies.

So I started the process by turning off FileVault on two of the Macs, one being my own. The decrypting process went without a hitch. Then upon rebooting one of the Macs I was presented with the same encryption process dialog I would expect to receive after initiating an encryption policy through Self Service and following through with the reboot. I hadn’t noticed the behavior on the test Macs because I was reimaging them instead of decrypting them. But they too re-encrypt after the reboot following decryption.

The same thing happens with 3/4 of the other Macs (I haven’t touched the 5th one yet). I turn off encryption, and upon reboot encryption is forced.

I tried several things in the JSS like disabling the policy, removing scoped devices etc. but nothing works. I finally deleted the policy and still no change.

There is nothing in the policy logs about these events, nor in the policy log histories of the devices, nor do any FileVault policies appear in the Management/Policy tab for the devices, which led me to my next experiment: With one of the test Macs I ran sudo jamf removeFramework and decrypted the drive and removed the device from the JSS, and encryption was still forced after reboot.

I did discover with my own Mac if I log in to a local admin account I do not get the prompt to encrypt, however when I log in to my own account I do get the prompt. So it seems there is something cached and associated with my user account that is causing this to happen.

Any thoughts?


dwandro92
Contributor III

Are you by chance using a Configuration Profile which includes the "Security & Privacy" payload and has the "Require FileVault 2" setting checked? I've never used this payload setting before so I can't say that it would produce the problem that you are seeing, but I feel that it's a question worth asking.

gskibum
Contributor III

@dwandro92 Good question for sure. I just checked the dozen or so Configuration Profiles and no such payload.

Anyway, after removing the JAMF framework from the test Mac and deleting the machine from the JSS I still get the forced encryption.

Thank you!

CypherCookie
Contributor

It sounds as if it is part of your configuration profiles. I would go through your profiles to see if one of the profiles has an option related to file vault. That could be what is causing your issues.

gskibum
Contributor III

@CypherCookie Just quintuple-checked my Configuration Profiles and no such profile lurking around with Security & Privacy/FileVault configured.

This is reminding me of the episode of the movie Creepshow called Broken Meteor.

CypherCookie
Contributor

that is really strange. Have you done a check to see what profiles are installed and to see if there are any lurking in the background?

"profiles -C"

that will list all your profiles for you.

For more info do a "man profiles" as it could be a specific user level preference which is causing your issues as well.

PS cool video! :D

dwandro92
Contributor III

Check your profiles again to see if there are any with the Mobility payload configured. There is an option in this payload which configures encryption for cached accounts, which may explain why it's not occurring when you login using your management account.

If that doesn't work, you may want to check for profiles with custom payloads which contain the "DontAllowFDEDisable" key.

AVmcclint
Honored Contributor

Since you mentioned using an Institutional key, check the /Library/Keychains/ folder and see if the FileVaultMaster.keychain file is there. if you can get the drive to stay un-encrypted long enough, remove that file and see if it keeps trying to re-encrypt.

I'd suggest trying it on one of your test Macs in case removing the file causes problems.

gskibum
Contributor III

Thanks all for the efforts. However I'm still stumped!

On the test Mac that's still enrolled, profiles -C and profiles -P reveal only the single Casper MDM profile.

On the test Mac which I removed the framework from, profiles -C and profiles -P says there are no profiles installed. On this same Mac I also tried @AVmcclint's suggestion of removing the FileVaultMaster.keychain item, and I still got the forced reboot. It seems the individual key is in use anyway because of the way System Preferences/Security & Privacy/FileVault is worded.

I've also hunted through the few profiles I have configured and none have anything at all security related. They're just VPN & Energy Saver etc.

This is crazy!

Probably going to contact my JAMF rep in a few days about this unless something turns up here.

AVmcclint
Honored Contributor

Wow. That is a headscratcher! Since you've removed the JAMF framework and the MDM ... At this point, I'd start looking for LaunchAgents/Daemons that are looking to keep it going even after you've disabled it - as far fetched as that may be. Another possibility could be the EFI partition or Recovery partition? When you created the image, was the master drive already encrypted at the time? Have you zapped the PRAM? Rebuilt the Desktop? Sacrificed live goats? :) I know FileVault doesn't log anything but maybe there's something else triggering it that is writing a log?

CypherCookie
Contributor

OK, I have no idea why it took me so long, but under Policies there is an option for FileVault disk encryption to be enforced! Have a look through your policies and see if you have anything there; that, I would wager, is where the issue is coming from! :)

gskibum
Contributor III

@CypherCookie Thank you for the feedback. I'm not seeing any such setting available for FileVault policies, but I do see there is such a setting with Configuration Profiles. However I never used Configuration Profiles to deploy FileVault (I scarcely use Configuration Profiles at all), and "profiles -C" reveals only the Casper MDM profile on my own Mac. I also deleted the policy a few days ago. :-)

I'll take this up with my TAM in a couple of weeks. I'm getting married this weekend and I'm going to be off the grid for a few days. :-)

lfkone
New Contributor

Speaking from a distant galaxy, using old school techniques, may I suggest:

  1. Copy and paste each and every item that has been tried or suggested in this thread to a Pages document, with optional screenshots.
     1a. Number each section, so that we know.
     1b. Screenshots.
     1c. Link (URL or file pathname).
  2. Double check each item one more time, if that's technically possible.

---------- okay, now suppose the error is unsolved -----

  1. At this point, we can be thinking you've been scientifically thorough as you know how.
  2. And it's safe to order out for pizza for some really deep pizza consultation with your JAMF Nation and JAMF rep.

gskibum
Contributor III

I did reach out to my JAMF TAM and he suggested working with fdesetup disable, which eventually worked.

It seems "fdesetup disable" did work, but not as one might expect: On one of the test Macs I issued the "fdesetup disable" command and it would not take the password I had recorded, nor any other password I may have used. I tried multiple times. I then tried to enable the Institutional key with "fdesetup enable -keychain" but I received a message saying that FileVault was busy. I didn't at first realize that FileVault had been disabled anyway. I finally moved my eyeballs over to the FileVault pane in System Preferences and saw that it was now off.

I gave the Mac a reboot and sure enough no more encryption prompt.

More testing will have to wait until I return from honeymoon.
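Pulling the thread's checks into one place, as an added example (not code from the thread, from Jamf or from Apple): the script below parses the three things posters asked about, `fdesetup status` (is FileVault on, and is a per-user deferred enablement pending, which is what `fdesetup disable` clears and which would explain a prompt that follows one account), the installed-profile dump from `profiles -C -o stdout-xml` (any `com.apple.MCX.FileVault2` payload or `dontAllowFDEDisable`/`dontAllowFDEEnable` key), and whether `/Library/Keychains/FileVaultMaster.keychain` exists. The output formats, the plist layout (`_computerlevel` / `ProfileItems` / `PayloadType` / `PayloadContent`) and the `-o stdout-xml` flag are assumptions about 10.11-era macOS; the status text and profile XML at the bottom are constructed samples, not captures from the thread's Macs. On a Mac it runs the live commands as root; elsewhere only the parsers run.

```python
"""FileVault re-enforcement triage. Added example, not code from the thread.
Runs the checks the replies suggest (fdesetup status, installed profiles,
institutional keychain) and parses the results; parsers take text so they
can be exercised offline on the constructed samples at the bottom."""
import os
import plistlib
import re
import subprocess
import sys

MASTER_KEYCHAIN = "/Library/Keychains/FileVaultMaster.keychain"
# Profile payload type / keys that can force FileVault or pin it on
# (Apple's com.apple.MCX.FileVault2 payload and the dontAllowFDE* MCX keys).
FV_PAYLOAD_TYPES = {"com.apple.MCX.FileVault2"}
FV_MCX_KEYS = {"dontAllowFDEDisable", "dontAllowFDEEnable"}


def parse_fdesetup_status(text):
    """Parse `fdesetup status` output into {"enabled", "deferred_user"}.
    Assumed wording: "FileVault is On." / "FileVault is Off." and, when a
    deferred enablement is pending, "Deferred enablement appears to be
    active for user 'x'." (per-user, like the one-account prompt above)."""
    enabled = re.search(r"^FileVault is On\.", text, re.M) is not None
    m = re.search(r"Deferred enablement appears to be active for user '([^']+)'", text)
    return {"enabled": enabled, "deferred_user": m.group(1) if m else None}


def find_fv_enforcers(plist_bytes):
    """Scan `profiles -C -o stdout-xml` output for FileVault-forcing payloads.
    Assumed layout: top-level dict of scope ("_computerlevel" or a user name)
    -> list of profiles, each with ProfileDisplayName and ProfileItems, a list
    of {PayloadType, PayloadContent}. Returns a list of findings (may be empty)."""
    if b"<plist" not in plist_bytes:        # e.g. "There are no ... installed"
        return []
    findings = []
    for scope, profiles in plistlib.loads(plist_bytes).items():
        if not isinstance(profiles, list):
            continue
        for prof in profiles:
            name = prof.get("ProfileDisplayName", prof.get("ProfileIdentifier", "?"))
            for item in prof.get("ProfileItems", []):
                ptype = item.get("PayloadType", "")
                content = item.get("PayloadContent") or {}
                if ptype in FV_PAYLOAD_TYPES:
                    findings.append(f"{scope}: '{name}' carries {ptype} "
                                    f"(Enable={content.get('Enable')})")
                for key in sorted(FV_MCX_KEYS & set(content)):
                    if content[key]:
                        findings.append(f"{scope}: '{name}' sets {key}=true")
    return findings


def triage(status_text, profiles_xml, keychain_path=MASTER_KEYCHAIN):
    """Combine the three checks into one report dict."""
    st = parse_fdesetup_status(status_text)
    return {"filevault_enabled": st["enabled"],
            "deferred_user": st["deferred_user"],
            "profile_findings": find_fv_enforcers(profiles_xml),
            "master_keychain_present": os.path.exists(keychain_path)}


# Constructed samples (not captured from the thread's machines).
SAMPLE_STATUS = ("FileVault is Off.\n"
                 "Deferred enablement appears to be active for user 'gskibum'.\n")
SAMPLE_PROFILES_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>_computerlevel</key><array>
  <dict><key>ProfileDisplayName</key><string>MDM Profile</string>
   <key>ProfileItems</key><array><dict>
    <key>PayloadType</key><string>com.apple.mdm</string>
    <key>PayloadContent</key><dict/></dict></array></dict>
  <dict><key>ProfileDisplayName</key><string>Disk Encryption (constructed)</string>
   <key>ProfileItems</key><array>
    <dict><key>PayloadType</key><string>com.apple.MCX.FileVault2</string>
     <key>PayloadContent</key><dict><key>Enable</key><string>On</string>
      <key>Defer</key><true/></dict></dict>
    <dict><key>PayloadType</key><string>com.apple.MCX</string>
     <key>PayloadContent</key><dict><key>dontAllowFDEDisable</key><true/></dict></dict>
   </array></dict>
 </array></dict></plist>"""


def demo():
    """Run triage on the constructed samples (keychain path chosen to be absent)."""
    return triage(SAMPLE_STATUS, SAMPLE_PROFILES_XML, "/nonexistent/FileVaultMaster.keychain")


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    if sys.platform != "darwin":           # live mode needs macOS and root
        sys.exit("not macOS; parsers only: %r" % demo())
    report = triage(_run(["fdesetup", "status"]),
                    _run(["profiles", "-C", "-o", "stdout-xml"]).encode())
    for k, v in report.items():
        print(f"{k}: {v}")
```

On a machine in the state the thread describes, the expected signature is `filevault_enabled: False` together with a non-empty `deferred_user` and no profile findings; a non-empty `profile_findings` instead points at MDM, not at a stale deferral. Run it before and after `fdesetup disable` to confirm which of the two you were dealing with.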

gskibum
Contributor III

OK I thought the Ghost of Christmas Past just paid me a visit:

On a different test Mac from the one above, where I had also been testing FileVault and had disabled FileVault, I started to get the prompt to re-enable encryption. I would only get the prompt when I was trying to log in to the user account I was using when testing the FileVault policies. This started a few days ago and I just ignored it until now.

However by chance the update to 10.11.4 applied and after the reboot no more prompt to enable FileVault when I log in to that account.

I still had the other test system that I had also been using when I started this thread and was able to recreate the same set of events. I had removed it from the JSS however.
1. Disable FileVault, reboot and log into the user account I was using for testing and I would get the prompt.
2. Log in to a different user account and no prompt.
3. Test with 2-3 more reboots and confirm the behavior.
4. Apply the 10.11.4 update and voilà, no more prompt.

There's mention of tinkering with FileVault on this page about the 10.11.4 update, but nothing specific to this issue:

So I had the same issue you did after removing from JAMF and manually turning off the file vault. For every boot after, please enable the file vault.  This is all on a Monterey System.

I ssh'd into the system and checked "fdesetup disable", which said that FileVault was disabled.

I took a beat from @jgalante and in the 4th line while logged in remotely I deleted the FileVaultMaster.keychain.  And that solved it for me.  Thank you both!

  • Remove the file with, rm -rf /Library/Keychains/FileVaultMaster.keychain

jgalante
New Contributor III

I have experienced this before, here is my process for resolving (use at your own risk):

  • Remove computer from JSS
  • Remove Jamf Framework from the computer: /usr/local/bin/jamf removeFramework
  • Turn off FileVault2 on computer, reboot when prompted
  • Boot to single user mode, then remove /Library/Keychains/FileVaultMaster.keychain
  • While still in single user mode, clear caches: rm -Rf /Library/Caches/ and rm -Rf /System/Library/Caches/
  • Shutdown
  • Power on and clear PRAM -- cmd+option+p+r