Posted on 06-06-2022 07:51 AM
I'm currently re-doing our method of enabling FileVault and moving from a policy-based one to a configuration-profile-based one. Am I right in thinking that once the user has enabled FileVault, there's no need for the configuration profile to stay on their computer? Or is there? Was thinking of just scoping the config policy to Macs that don't have FileVault enabled, but that would entail the profile dropping off after they enable it. Thanks!
Posted on 06-06-2022 07:55 AM
@john_sherrod I have seen that after the encryption is enabled and done, you could remove the profile. There really isn't a good reason to remove the profile, especially if you have the escrow FV key payload in the same config profile.
Posted on 06-06-2022 08:42 AM
Thanks, Kyle! That's kinda what I was thinking. Really liking doing this via configuration profile.
Posted on 06-06-2022 05:22 PM
If you leave the profile, it will prevent the user from turning FV off. And if they turn it on without the profile then Jamf can't sync the FV key... : ) and the key stored in Jamf from the 1st sync will not work.
C
Posted on 06-07-2022 01:27 PM
Oooh, very good point. Thank you!
Posted on 06-08-2022 06:21 AM
Configuration profiles are needed when you want to manage something. If the question is whether you want to manage FileVault, then yes, the configuration profile is needed. Without the configuration profile, users can disable FileVault, and JAMF would not have the recovery key escrowed.