I just finished making some changes to our enrollment process and noticed that when the Disk Encryption Configuration gets applied, sometimes it will turn FileVault on and other times it won't. The Disk Encryption Configuration will always get applied and it shows failed under policy history when it doesn't turn FileVault on, but no details as to why it failed.
This seems to happen at random and so far I haven't found a reason it's failing. The strangest part is that I will enroll a computer (10.12.6) that doesn't exist in the JSS and it will work as expected. I will restore that same computer just like before, rename it something different and enroll it again..but this time FileVault doesn't get turned on. Only the Configuration gets applied.
I've been watching the console logs hoping to try and find that "ah-ha" line..but no luck yet. Has anyone run into this issue or have any ideas on where else to look / things to try?