- Jamf Nation Community
- Products
- Jamf Pro
- Re: Turning off FileVault after applying Jamf disk...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-01-2023 10:58 AM - edited 03-01-2023 11:00 AM
We have a policy in Jamf that applies a disk encryption configuration defined in Jamf Pro's settings. (Settings \ Disk encryption configurations)
We also have a device that needs to run the built-in guest user, but not in Safari-only mode that is enforced when FileVault is on. FIleVault has already been enabled via that policy on this particular device.
Based on a test, it seems that if we disable FileVault, it will just turn it back on per that policy that previously ran & applied the disk encryption configuration.
Short of wiping the device and not applying that policy, is there a way to clear out that configuration as-is, to prevent FileVault from turning back on?
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-27-2023 06:48 PM
I came across the very same issue this week. Found that I can revert the Policy changes by pushing a Configuration Profile -> Security & Privacy -> FileVault -> User adjustment of FileVault options = "Prevent end user from enabling or disabling FileVault"
It reverted the majority, but I had another coinciding issue being that auto-login was also set.
Running 'sudo fdesetup disable' in terminal as an admin user assisted with this and cleaned the remainder up. Note: even though Terminal cmd replies with 'FileVault is already disabled', it still actually does something to remove the recurring trigger from Jamf.
Reply
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-01-2023 11:12 AM
@ajc196 You can exclude that specific computer from your policy (under Scope->Exclusions) that enforces FileVault
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-01-2023 11:22 AM
Correct, but the policy has already run on this device at least once. Even if it never runs again, the settings are already enforced.. FileVault automatically enables all over again once disabled.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-01-2023 11:50 AM
@ajc196 Did you enable FileVault via a Policy, or via a Configuration Profile? You can also exclude a Configuration Profile via Scope->Exclusions, and once the profile is removed you'll be able to disable FileVault (you may need to restart before disabling works though)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-01-2023 01:09 PM
It's a policy that applies a disk encryption configuration, not a configuration profile.
I understand I can exclude devices from either so they don't run in the first place, but the device in question has already run the policy and applied the disk encryption configuration to the device. An exclusion after-the-fact won't stop FileVault from enabling itself again in this scenario.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-01-2023 01:38 PM - edited 03-01-2023 01:39 PM
@ajc196 If FileVault was enabled via a Policy, and that Mac is no longer in scope for that policy, you _should_ be able to manually disable FileVault and it will stay turned off.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-01-2023 01:53 PM - edited 03-01-2023 02:10 PM
That's what I had assumed as well, but it is not the case. FileVault re-enables itself at the next trigger defined in that policy's disk encryption configuration. (which is "at next login" for us) I just disabled FileVault and rebooted on a spare device in my office, and this is still true -- At next login it required FileVault to be turned back on.
So once the policy applies the disk encryption config, it's set & enforced on the device whether the policy does or doesn't run again, is or isn't in scope, etc. Obviously wiping the device and excluding the policy from running is a "fix", but I wanted to see where under the hood in macOS could I keep FileVault from turning back on without starting the device over from scratch.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-01-2023 06:06 PM
@ajc196 I think you'll need to open a case with Jamf Support on this one as there is nothing in the Jamf Pro docs for FileVault configuration via policy docs that covers removing it, and Google isn't turning up anything useful either (this thread is one of the top hits)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-27-2023 06:48 PM
I came across the very same issue this week. Found that I can revert the Policy changes by pushing a Configuration Profile -> Security & Privacy -> FileVault -> User adjustment of FileVault options = "Prevent end user from enabling or disabling FileVault"
It reverted the majority, but I had another coinciding issue being that auto-login was also set.
Running 'sudo fdesetup disable' in terminal as an admin user assisted with this and cleaned the remainder up. Note: even though Terminal cmd replies with 'FileVault is already disabled', it still actually does something to remove the recurring trigger from Jamf.
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-28-2024 12:46 PM
Kudos for your post here @jamph , Was just dealing with this reprompting for FV2 after excluding from policy, and running the 'sudo fdesetup disable' turned it off for good.
