Solved

Smart Policy for Missing Encryption Keys

  • April 19, 2017
  • 4 replies
  • 24 views

easyedc

Working through a migration performed on JSS servers a while back. I'd set up a policy to reissue the FileVault 2 key following a few people's work (mostly @rtrouton's FV2 stuff) by deploying a .plist, importing, reissuing, yada yada yada. It's failed on a group that has some bad user identities (wrong admin service account that has local FV2 rights, etc). I don't mind manually touching each one to do

fdesetup add -usertoadd JAMFSERVICEACCOUNT

but I'm having a hard time identifying the right search criteria to separate out the 2 configurations to identify the FV2 not configured. I've tried a number of the search criteria around FV2 and none of my attempts seem to properly identify the group which shows as

"Not Configured"

Please help me. I'm stuck in a forest and I desperately can't find the trees.
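The smart group criteria discussed in this thread are evaluated on the JSS side. A complementary check on the Mac itself is to confirm that the volume is FileVault-encrypted and that the service account used for the reissue workflow is actually an enabled FileVault user, which is the local condition that made the policy fail for the original poster. The script below is an added example, not code from the original post or from Jamf; it is written in the shape of a Jamf extension attribute, with the parsing kept in a function so it can run offline against constructed sample output. It assumes `fdesetup status` reports "FileVault is On." when encryption is enabled and `fdesetup list` prints one `username,UUID` line per enabled account; the account name JAMFSERVICEACCOUNT is taken from the post as a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or from Jamf): classify a Mac's
# FileVault 2 state for a given account. Parsing is separated from command
# invocation so the logic can be exercised with constructed sample output.
#
# Assumptions (hypothetical): `fdesetup status` prints "FileVault is On." when
# enabled, and `fdesetup list` prints one "username,UUID" line per enabled user.

# fv_state STATUS_TEXT LIST_TEXT ACCOUNT
#   prints exactly one of:
#     "FV2 Off"                  - FileVault is not enabled on this volume
#     "FV2 On, Account Missing"  - encrypted, but ACCOUNT cannot unlock it
#     "FV2 On, Account Present"  - encrypted and ACCOUNT is an enabled FV2 user
fv_state() {
    status_text="$1"
    list_text="$2"
    account="$3"

    case "$status_text" in
        *"FileVault is On"*) ;;                       # fall through to the user check
        *) printf '%s\n' "FV2 Off"; return 0 ;;
    esac

    # Take the username column of each "username,UUID" line and look for an
    # exact whole-line match of the account we care about.
    if printf '%s\n' "$list_text" | cut -d, -f1 | grep -qx -- "$account"; then
        printf '%s\n' "FV2 On, Account Present"
    else
        printf '%s\n' "FV2 On, Account Missing"
    fi
}

# Constructed sample outputs (not captured from a real Mac); UUIDs are made up.
SAMPLE_STATUS_ON="FileVault is On."
SAMPLE_STATUS_OFF="FileVault is Off."
SAMPLE_LIST_WITH="jdoe,11111111-2222-3333-4444-555555555555
JAMFSERVICEACCOUNT,66666666-7777-8888-9999-000000000000"
SAMPLE_LIST_WITHOUT="jdoe,11111111-2222-3333-4444-555555555555"

# Live mode: on a Mac, run as root with --live to emit an extension attribute
# value. Only reached when fdesetup exists, so the script is harmless elsewhere.
if [ "${1:-}" = "--live" ] && command -v fdesetup >/dev/null 2>&1; then
    result=$(fv_state "$(fdesetup status)" "$(fdesetup list 2>/dev/null)" "JAMFSERVICEACCOUNT")
    printf '<result>%s</result>\n' "$result"
fi
```

Uploaded as an extension attribute, the three result strings become a criterion you can combine with the server-side key criteria in a smart group, so that "encrypted but the service account is not an enabled user" is visible before the reissue policy runs rather than after it fails.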


4 replies

  • Contributor
  • April 19, 2017

@easyedc Have you tried a Smart Group with a FileVault 2 Status criteria with a value No Partitions Encrypted? That should at least let you find machines that didn't have FV2 enabled although that may not be equivalent to configured.


easyedc
  • Author
  • Esteemed Contributor
  • April 19, 2017

@StoneMagnet the issue with that is that they already are FV2 encrypted. But there isn't a current key on file, which is what this policy regenerates.


  • Contributor
  • April 19, 2017

@easyedc I'd think a smart group like (Criteria FileVault 2 Institutional Key is Not Present) AND (Criteria FileVault 2 Status is All Partitions Encrypted or Criteria FileVault 2 Status is Boot Partitions Encrypted) would be the machines you're looking for.


easyedc
  • Author
  • Esteemed Contributor
  • Answer
  • April 27, 2017

So I think the solution that works for me is

FileVault 2 Recovery Key Type

with selection

is not

and criteria

Individual and Institutional

which seems to successfully capture whether the key is missing for me.