I just finished making some changes to our enrollment process and noticed that when the Disk Encryption Configuration gets applied, sometimes it will turn FileVault on and other times it won't. The Disk Encryption Configuration will always get applied and it shows failed under policy history when it doesn't turn FileVault on, but no details as to why it failed.
This seems to happen at random and so far I haven't found a reason it's failing. The strangest part is that I will enroll a computer (10.12.6) that doesn't exist in the JSS and it will work as expected. I will restore that same computer just like before, rename it something different and enroll it again... but this time FileVault doesn't get turned on. Only the Configuration gets applied.
I've been watching the console logs hoping to try and find that "ah-ha" line... but no luck yet. Has anyone run into this issue or have any ideas on where else to look / things to try?
@mroiger I didn't think about that... and it got my hopes up... but the computers that failed to have FileVault turned on both had a recovery partition. I even tried to do internet recovery instead of the NetBoot I have set up... but it still happened eventually.
@Echevarria The image on the NetBoot server uses a dmg I made from AutoDMG. I'll try doing it as a restore though and see what happens.
I added a section in the enrollment script to make sure FileVault is on and, if not, use a plist that's hidden to enable it before it restarts after being enrolled. Hopefully it'll work as a fix... but I still wanna know what's causing the failures.
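A sketch of the kind of post-enrollment check described in the last post, added here as an example and not the poster's actual script. It assumes the status strings printed by `fdesetup status`, and the plist path and log path are hypothetical placeholders; the plist would hold the `Username` and `Password` keys that `fdesetup enable -inputplist` reads on stdin.

```shell
#!/bin/sh
# Added example (not from the thread). PLIST and LOG are hypothetical paths.
PLIST="${PLIST:-/private/var/root/.fv_enable.plist}"
LOG="${LOG:-/var/log/fv_enroll_check.log}"

# Classify the text printed by `fdesetup status`.
# "Deferred" is tested before "Off" because a deferred enablement is
# reported alongside "FileVault is Off." until the user next logs in.
fv_state() {
    case "$1" in
        *"FileVault is On"*)     echo on ;;
        *"Deferred enablement"*) echo deferred ;;
        *"FileVault is Off"*)    echo off ;;
        *)                       echo unknown ;;
    esac
}

# Map a status text to what the enrollment script should do next.
fv_action() {
    case "$(fv_state "$1")" in
        on|deferred) echo none ;;
        off)         echo enable ;;
        *)           echo report ;;
    esac
}

ensure_filevault() {
    status="$(fdesetup status 2>&1)"
    case "$(fv_action "$status")" in
        none) return 0 ;;
        enable)
            [ -r "$PLIST" ] || { echo "FileVault off, no plist at $PLIST" >>"$LOG"; return 2; }
            rc=0
            # Keep fdesetup's own output so a failure leaves a reason behind.
            fdesetup enable -inputplist < "$PLIST" >>"$LOG" 2>&1 || rc=$?
            rm -f "$PLIST"   # the plist contains a password; do not leave it on disk
            return "$rc" ;;
        *) echo "Unrecognised fdesetup status: $status" >>"$LOG"; return 3 ;;
    esac
}

# Run only when called as: script --run (must be root on the Mac).
if [ "${1:-}" = "--run" ]; then ensure_filevault; fi
```

Appending `fdesetup`'s output to a log gives the failure detail that the policy history in the thread did not show.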