upgrading OS X 10.10.x to 10.11 with FV2

SQR
New Contributor

Kind of a quick inquiry and recommendation, our company a few months ago performed bare metal installs of 10.10.x and now are wanting to upgrade some of these users to 10.11 - we have FV2 enabled and are curious do you decrypt the FV2 drive or just install over 10.10.x with FV2?

5 REPLIES 5

alexjdale
Valued Contributor III

We've always upgraded the OS leaving FV2 encryption intact and have never run into any issues with it.

mm2270
Legendary Contributor III

Just install over it. The OS installer is able to handle updating a Mac with FileVault 2 enabled. The only time it might present an issue is if you were talking about Macs on say, 10.7 because of the difference in how FV2 worked back then. Anything on 10.8 and up should present no issues.

roiegat
Contributor III

Would you use the normal download from Apple or would you package it separately? How would it handle the installer part after the reboot if FV2 is turned on?

alexjdale
Valued Contributor III

The installer seems to have no issue detecting FV2 and temporarily disabling it during the installation process (similar to an authenticated restart). However, we don't package it, we use the installer app.

NowAllTheTime
Contributor III

Like @alexjdale said, using the GUI of the installer app itself will result in an authenticated reboot that bypasses FileVault so you don't have to worry about how it deals with FileVault encryption.

If, however, you have a policy that pushes the upgrade to a Mac, or if you have it as a user initiated policy in Self Service then it does not do an authenticated restart. So it is ideal to have someone in front of the machine, or make sure the user is informed that they will need to log-in through the FileVault pre-boot screen after one of the reboots to allow the upgrade to continue/complete.

Depending on the scenario we've done a mix of all of these things, but the smoothest and lowest risk option has been putting the installer in a Self Service policy that is only accessible to our Deskside team, so that a Deskside tech can facilitate the upgrade and already be present should any issues arise. This is probably not the most practical option if you are upgrading a bunch of Macs at once, but since we mainly do one-offs upon request it is manageable.