Using a configuration profile to enforce FileVault2 is not working?

New Contributor

Hello all,

I have a test machine here that is DEP enrolled on High Sierra 10.13.6. Doing a fresh wipe I see that the configuration profile is sent to the machine in Sys Pref --> Profiles and it does get the FileVault enforcement profile.

However the machine upon rebooting and/or logging out does not do the usual FileVault enforcement.. Any ideas? Would be nice to fix this or see if we should switch to enforcing FileVault through a policy instead before putting JAMF to production


Valued Contributor III

I found FV as a profile to be wholly underwhelming. It's no better than just running fdesetup to enable deferred mode for the current user. It has no additional intelligence and is just as likely to fail, especially if it targets the wrong user.

What does an "fdesetup status" return?

New Contributor

Thanks for the response alex,

Do you recommend enforcing FileVault2 through a policy instead then?
fdesetup status on the Mac in question returns:
FileVault is off.
Deferred enablement appears to be active.

Valued Contributor II

Sound like the OS is waiting for you to enable it, usually at log out you will see the pop ups to enable/start the encryption...


That said I use the policy as I want to set FV at log in...

New Contributor III

This is how we have FileVault enforced in our environment:

1. We create a Smart Group, labeled "FileVault = No" Criteria:

2. A policy is created to enable FileVault on a machine:
- Scoped out to Smart Group FileVault = No
- Triggered at recurring check-in, Once every day

When a computer meets the Criteria of "FileVault = No" a computer is moved into that Smart Group and the Policy is triggered up to (1) times that day.

Hopefully this helps you!