Strange Disk Encryption Configuration Issues

therealmacjeezy
New Contributor III

I just finished making some changes to our enrollment process and noticed that when the Disk Encryption Configuration gets applied, sometimes it will turn FileVault on and other times it won't. The Disk Encryption Configuration will always get applied and it shows failed under policy history when it doesn't turn FileVault on, but no details as to why it failed.

This seems to happen at random and so far I haven't found a reason it's failing. The strangest part is that I will enroll a computer (10.12.6) that doesn't exist in the JSS and it will work as expected. I will restore that same computer just like before, rename it something different and enroll it again..but this time FileVault doesn't get turned on. Only the Configuration gets applied.

I've been watching the console logs hoping to try and find that "ah-ha" line..but no luck yet. Has anyone run into this issue or have any ideas on where else to look / things to try?

"Saying 'uhh..' is the human equivalent to buffering."
3 REPLIES

mroiger
New Contributor III

Hi,

Check if computers having the issue lost their recovery partition. This is an issue that occurs sometimes when we reinstall / re-enroll computers.

Wakko
Release Candidate Programs Tester

I would recommend using AutoDMG to create an image to restore from. I'm 173 machines deep re-imaging using this process and they are all FileVault'ing 100%.

therealmacjeezy
New Contributor III

@mroiger I didn't think about that..and it got my hopes up..but the computers that failed to have FileVault turned on both had a recovery partition. I even tried to do internet recovery instead of the NetBoot I have set up...but it still happened eventually.

@Echevarria The image on the NetBoot server uses a dmg I made from AutoDMG, I'll try doing it as a restore though and see what happens.

I added a section in the enrollment script to make sure FileVault is on and if not use a plist that's hidden to enable it before it restarts after being enrolled. Hopefully it'll work as a fix..but still wanna know what's causing the failures.

"Saying 'uhh..' is the human equivalent to buffering."
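The two checks raised in this thread (did FileVault actually turn on after enrollment, and is the Recovery partition present) can be combined into one post-enrollment verdict. This is an added example, not code from any poster: the function names are hypothetical, the sample outputs are constructed, and the matched strings assume typical `fdesetup status` and `diskutil list` output on an HFS+ 10.12 system.

```shell
#!/bin/sh
# Added example: classify FileVault and Recovery state after enrollment.

# Map the text of `fdesetup status` to a single state word.
fv_state() {
    case "$1" in
        *"Deferred enablement appears to be active"*) echo deferred ;;
        *"FileVault is On"*)                          echo on ;;
        *"Encryption in progress"*)                   echo encrypting ;;
        *"FileVault is Off"*)                         echo off ;;
        *)                                            echo unknown ;;
    esac
}

# Succeed if `diskutil list` text shows the HFS+ Recovery partition
# (assumed to appear as type Apple_Boot, name "Recovery HD" on 10.12).
has_recovery() {
    printf '%s\n' "$1" | grep -Eq 'Apple_Boot[[:space:]]+Recovery HD'
}

# Combine both checks so a failure is logged with a likely cause.
# $1 = fdesetup status text, $2 = diskutil list text
fv_verdict() {
    state=$(fv_state "$1")
    case "$state" in
        on|encrypting|deferred) echo "ok:$state" ;;
        *)  if has_recovery "$2"; then
                echo "fail:$state:recovery-present"
            else
                echo "fail:$state:recovery-missing"
            fi ;;
    esac
}

# Constructed sample output, used when not running on a Mac.
SAMPLE_OFF='FileVault is Off.'
SAMPLE_DISK_OK='   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'
SAMPLE_DISK_BAD='   2:                  Apple_HFS Macintosh HD            250.0 GB   disk0s2'

if command -v fdesetup >/dev/null 2>&1; then
    fv_verdict "$(fdesetup status 2>&1)" "$(diskutil list 2>&1)"
else
    fv_verdict "$SAMPLE_OFF" "$SAMPLE_DISK_BAD"
fi
```

Writing the verdict to the enrollment log on every run gives a record of which machines failed and whether the Recovery partition was present at the time.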