I have a test machine here that is DEP enrolled on High Sierra 10.13.6. Doing a fresh wipe I see that the configuration profile is sent to the machine in Sys Pref --> Profiles and it does get the FileVault enforcement profile.
However the machine upon rebooting and/or logging out does not do the usual FileVault enforcement. Any ideas? Would be nice to fix this or see if we should switch to enforcing FileVault through a policy instead before putting JAMF to production.
I found FV as a profile to be wholly underwhelming. It's no better than just running fdesetup to enable deferred mode for the current user. It has no additional intelligence and is just as likely to fail, especially if it targets the wrong user.
What does an "fdesetup status" return?
Thanks for the response alex,
Do you recommend enforcing FileVault2 through a policy instead then?
fdesetup status on the Mac in question returns:
FileVault is off.
Deferred enablement appears to be active.
This is how we have FileVault enforced in our environment:
1. We create a Smart Group, labeled "FileVault = No"
2. A policy is created to enable FileVault on a machine:
- Scoped out to Smart Group FileVault = No
- Triggered at recurring check-in, Once every day
When a computer meets the Criteria of "FileVault = No" a computer is moved into that Smart Group and the Policy is triggered up to (1) times that day.
Hopefully this helps you!
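An added example, not code from any poster in this thread: a sketch of a Jamf extension attribute script that separates the "off but deferred enablement pending" state reported above from a plain "off", so a Smart Group can be scoped to one or the other. The labels `Enabled`, `Deferred`, `Disabled` and `Unknown` and the function name are hypothetical, and the matching assumes `fdesetup status` wording like the output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify `fdesetup status` text.
# Assumption: status wording matches the lines quoted in the thread,
# compared case-insensitively because capitalisation can differ.

# classify_fv_status TEXT
# Prints one hypothetical label: Enabled, Deferred, Disabled or Unknown.
classify_fv_status() {
    lowered=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case $lowered in
        # Encryption is on (or already under way).
        *"filevault is on"*)
            echo "Enabled" ;;
        # Off, but waiting for the targeted user to log out or in.
        # This must be tested before the plain "off" case, because the
        # thread's output contains both lines.
        *"deferred enablement appears to be active"*)
            echo "Deferred" ;;
        # Off with nothing pending: the state a remediation policy targets.
        *"filevault is off"*)
            echo "Disabled" ;;
        # Empty or unexpected output: report it rather than guess.
        *)
            echo "Unknown" ;;
    esac
}

# On a Mac, emit the value in the <result> tags an extension attribute uses.
# Skipped silently on systems without fdesetup.
if command -v fdesetup >/dev/null 2>&1; then
    echo "<result>$(classify_fv_status "$(fdesetup status 2>&1)")</result>"
fi
```

With a Smart Group built on this attribute, machines reporting `Deferred` can be tracked separately from `Disabled` ones instead of having the enablement policy re-run against them every day.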