Posted on 10-07-2015 11:09 AM
Kind of a quick inquiry and recommendation: our company performed bare metal installs of 10.10.x a few months ago and is now wanting to upgrade some of these users to 10.11. We have FV2 enabled and are curious: do you decrypt the FV2 drive or just install over 10.10.x with FV2?
Posted on 10-07-2015 11:12 AM
We've always upgraded the OS leaving FV2 encryption intact and have never run into any issues with it.
Posted on 10-07-2015 11:15 AM
Just install over it. The OS installer is able to handle updating a Mac with FileVault 2 enabled. The only time it might present an issue is if you were talking about Macs on, say, 10.7, because of the difference in how FV2 worked back then. Anything on 10.8 and up should present no issues.
Posted on 10-07-2015 11:38 AM
Would you use the normal download from Apple or would you package it separately? How would it handle the installer part after the reboot if FV2 is turned on?
Posted on 10-07-2015 12:21 PM
The installer seems to have no issue detecting FV2 and temporarily disabling it during the installation process (similar to an authenticated restart). However, we don't package it; we use the installer app.
Posted on 10-07-2015 12:46 PM
Like @alexjdale said, using the GUI of the installer app itself will result in an authenticated reboot that bypasses FileVault so you don't have to worry about how it deals with FileVault encryption.
If, however, you have a policy that pushes the upgrade to a Mac, or if you have it as a user-initiated policy in Self Service, then it does not do an authenticated restart. So it is ideal to have someone in front of the machine, or make sure the user is informed that they will need to log in through the FileVault pre-boot screen after one of the reboots to allow the upgrade to continue/complete.
Depending on the scenario, we've done a mix of all of these things, but the smoothest and lowest-risk option has been putting the installer in a Self Service policy that is only accessible to our Deskside team, so that a Deskside tech can facilitate the upgrade and already be present should any issues arise. This is probably not the most practical option if you are upgrading a bunch of Macs at once, but since we mainly do one-offs upon request, it is manageable.