Jamf Nation Community

skeb1ns · ‎03-29-2016

Hi,

And again an issue that is on my "to fix" list:

Random MacBooks are unable to boot after enabling FileVault during an enrollment. This is happening since Yosemite all the way up to El Capitan 10.11.4.

Our current scenario:

MacBook boots up from external drive with Casper tooling, if FileVault is enabled before the drive gets manually wiped.
Deployment runs which deploys OS X (10.11.4 at the moment), installs a few software packages like Chrome and Firefox and reboots when it's done.
A first boot script runs after the reboot that configures some basic settings like AD binding etc. and 2 command lines to reset the enrollment history and an enrollmentComplete trigger.
All enrollmentComplete policies are executed, like installing Office 2016, configuring our printer, installing SEP and finally configuring FileVault which is a basic configuration containing our institutional recovery key.
Another reboot occurs after that and if all went well we are presented with a FileVault login option for our management account.

But here is the issue: the machine doesn’t want to boot sometimes after this reboot and eventually presents the infamous stop sign. After checking the drive within the Recovery Environment I see that the partition is completely marked as untitled and first aid says that everything is fine.

Re-rolling the machine 2 or 3 more times fixes this but I can’t seem to pinpoint what is going on here and why it doesn’t work the first time.

Does anyone have an idea?

Thanks in advance!

PS: the images are flipped upside down for some reason :')

skeb1ns · ‎04-12-2016

I fixed the issue after some further troubleshooting. I've checked my Image flow and moved some deployment policies like installing Office and SEP to the end of the imaging process by checking the marks to install them at the boot drive.

I also noticed that the checkmark at "Perform authenticated restart on computers with FileVault 2 enabled", wasn't checked and I use a custom trigger from now on instead of the default -enrollmentComplete trigger because it isn't working consistently for my taste.

Either way: no more stop signs! :)

View solution in original post

AVmcclint · ‎03-29-2016

What OS is your external drive running that you boot the computer from? When you erase the drive, are you deleting the partitions or just erasing Macintosh HD in Disk Utility? Are you only doing it by checking the box in Casper Imaging? Whenever I image a Mac, I always delete the partitions and start off with a fresh Macintosh HD that Casper Imaging then will erase anyway.

skeb1ns · ‎03-29-2016

Our Casper Image is currently at 10.11.3, wiping is done in Disk Utility and the whole disk gets wiped (not just removing the partitions).

I also put a check at the wiping stage in Casper Imaging, maybe overkill but then I'm sure that it is empty.

AVmcclint · ‎03-29-2016

Do the Macs that stop working eventually work again after enough reboots or are they down for the count once you get the symbol no matter how many times you reboot? Are you getting the symbol before or after authenticating as an FV-enabled user? If it's before then there may be a problem with your EFI or Recovery partitions? How are you enabling FV? Do you let the encryption process complete before rebooting again?

What version of JSS and Casper Imaging?

Things I'd try: zap PRAM, pre-emptively go into System Prefs > Startup Disk and make sure the startup drive is selected and verify that your partitions are present and accounted for via diskutil list before you enable FV.

That's definitely a tough one.

thoule · ‎03-29-2016

Before you enable encryption, try to boot from the recovery partition. I'm guessing you won't be able to. Sounds like it's either corrupted, bad version, or something similar. If that's true, then you need to look at your imaging workflow and include a recovery partition in it.

skeb1ns · ‎03-30-2016

It won't boot no matter how many times I reboot the machine. At a normal boot you would see the username authenticated to logon ("the filevault logon screen"), but at this particular machine it straightly wants to boot. I immediately see the apple logo + progress bar, it goes halfway and then fails with the flashing stop sign.

I also tried to manually enable FileVault without the Casper Policy but that ended up at the same result.

The image that is deployed is a clean 10.11.4 image built with AutoDMG so it should include a recovery partition. Casper Imaging is 9.82 (so the latest version at the moment).

Booting up to recovery mode before and after enabling FileVault is working fine.

This is driving me nuts! :(

htse · ‎03-30-2016

It's possible the verbose startup key combination with the FileVault login screen, with a well-timed combination of Command+V and Enter.

I suspect it might say something to the effect of "kernel not found," with the volume in a state of limbo converting to CoreStorage. That being said, maybe look at the timing or the sequence, and it's erroring out or rebooting before it's finished.

skeb1ns · ‎04-04-2016

Allright, turned on verbose mode at boot, I now see the message "still waiting for root device" with the stop sign. Next step is to re-check my imaging flow, thanks so far.

skeb1ns · ‎04-12-2016

I fixed the issue after some further troubleshooting. I've checked my Image flow and moved some deployment policies like installing Office and SEP to the end of the imaging process by checking the marks to install them at the boot drive.

I also noticed that the checkmark at "Perform authenticated restart on computers with FileVault 2 enabled", wasn't checked and I use a custom trigger from now on instead of the default -enrollmentComplete trigger because it isn't working consistently for my taste.

Either way: no more stop signs! :)

Jamf Nation Community

Random stop signs (unable to boot) after enabling FileVault @ Enrollment