Random FileVault enablement failures

Jason33
Contributor III

I've got a profile added to my prestage to enable FileVault during enrollment, and for random systems, it seems to be failing to turn on FileVault. The profile is installed on the system, but the key is Unknown and FileVault 2 status is Not Enabled. These machines have all been on macOS 14.x (a few with 14.1, a few with 14.3). The weirdest one of all, though, is a system with 13.7.3 that enrolled, got the profile deployed, and had FileVault enabled and the key escrowed to Jamf. I double-checked and confirmed the documentation states this is for macOS 14.0 or later. Anyone else seeing anything similar? My environment is running 11.12.1.

I could rip out that profile from one system and then deploy the previous profile that I was using to enable at first login (I confirmed that both profiles are not on the systems affected).

Also of note - users are FileVault 2 Enabled and have SecureToken issued. I also checked the PIs and didn't see anything that sounded similar to this.


AJPinto
Esteemed Contributor

You don't want to enable FV in the prestage. The best practice is to target your FV configuration to all devices and set your exclusions. The Config Profiles to enable FV will be on the device before the user can log in. Generally speaking, delivering Config Profiles via prestage is only for very specific use cases.

If I remember correctly, macOS 15 added some functions to enable FV at enrollment, but I have not played with that yet.

Jason33
Contributor III

Got reminded that the enable with a prestage config profile was for macOS 14.4 and later - these systems got sent out from our Service Desk with 14.1 and 14.3. I'll probably change it back to my original profile because them guys can't be trusted to do the simple things. Up until now I hadn't run into this issue because they had been sending machines out with 14.7.

sdagley
Esteemed Contributor II

@Jason33 Setting the minimum macOS version for enrollment in your PreStage might be worth investigating, although you need to be starting with 14.6 on a machine for it to work reliably. For Macs that don't process the minimum OS version for enrollment option, I use Smart Groups to scope what enrollment policy runs, so one running something lower than our minimum macOS ends up running erase-install to re-image with the minimum.

@AJPinto macOS Sonoma 14.0 introduced FV enablement during Setup Assistant enrollment (to clarify @Jason33's comment about it being added in 14.4: that was when it started working for standard users). Having an all-devices-scoped Configuration Profile also included in the PreStage Profiles list is just a belt-and-suspenders approach to ensuring FV will be enabled on initial user login.

@sdagley Yep, I do have the minimum OS version set, but it wouldn't have applied for these systems to upgrade. That's a good idea about using erase-install as a countermeasure for that though, and something I never thought of. So if you've got a 13.x or 14.x system enrolled, and your minimum is now 14.7.3, or even 15.x, would your EI policy run an erase on the system, or upgrade? I'd have to play around with it, but I do have an EA to check for finished enrollment, and once the system rebooted from an upgrade and checked in, the full set of enrollment policies should kick off.

Thanks for giving me something to tinker around with!!

sdagley
Esteemed Contributor II

@Jason33 The enrollment policy triggered by Macs running less than the required macOS version does trigger an erase. Or tries to, since on Apple Silicon Macs the user is prompted for credentials and they tend not to enter them.