Yosemite FileVault 2 decrypting issues

roiegat
Contributor III

Recently we've had issues with people on Yosemite running into slowness and crashing issues. We're working with Apple on this and it seems to be a known issue. Apple says it's related to Active Directory and FileVault. So we're looking at disabling FileVault and Active Directory to try to help our users until Apple can find a fix.

So in trying to decrypt FileVault from Yosemite machines we run into an interesting issue. When a user tries to log in with their Active Directory credentials they get an error message saying: "Your administrator requires that you enable FileVault. You must enable FileVault now to continue." The only option they have is to re-encrypt, but that doesn't help us here. We're currently using the Individual FileVault method. The only FileVault user is the user themselves.

Doing further testing I found that this only occurs on Yosemite machines. When I try to decrypt a 10.8 or 10.9 machine I can log in fine with my Active Directory record.

Have you guys seen this error? Are you guys able to decrypt the machine?


mm2270
Legendary Contributor III

What policy is in place to force encryption on them? Do you have a Configuration Profile on them with the FileVault payload set up? It sounds like something you've pushed to those Macs is just doing exactly what you told it to. OS X by itself isn't going to enforce FileVault 2 on itself. That only comes from a managed profile or some other setting.
Yosemite in particular now has an option that can be enabled with a config profile to force FileVault encryption at login, which is what it sounds like is happening.

roiegat
Contributor III

We currently have a policy that runs when a new user logs in/at startup/recurring. What this policy does is run a script. The script checks to see if the user is bound to Active Directory and if so, runs the manual trigger for the policy that deploys the actual encryption. The reason we do this is because we have the users set up an admin account and then use an enroll URL. We didn't want the FV to activate on their admin account, only on the Active Directory account.

The encryption policy is set to run once per computer, apply disk encryption configuration, FileVault 2 Individual, and require it at next logout.

We didn't really see this issue until recently so at first I was thinking it might be Casper related since we updated to 9.61...but I haven't found any evidence of this yet. I have a support case with both Apple and JAMF on this. But wanted to see if anyone else in our community has seen this.

gachowski
Valued Contributor III

We see the same thing, but it is what we want. : )

User logs in the 1st time and a launchd triggers a script that calls a manual trigger/event for FileVault; that script forces a reboot. The next time the user logs in we see that "Your administrator requires that you enable FileVault. You must enable FileVault now to continue." pop up. Then we use a Config Profile to prevent the users from decrypting.

I have not decrypted a machine yet, I assumed that the "Your administrator requires that you enable FileVault. You must enable FileVault now to continue." pop up would only work once with a deferred FV trigger/event.

Next time I have a test machine that I can decrypt, I'll follow up : )

C

roiegat
Contributor III

Ideally, it's what we would want too since it would force FileVault and would make compliance a lot better. But since Yosemite is causing issues and Apple has asked us to remove FileVault for testing...would be nice to be able to do it.

I was also looking into the JAMF documentation about FileVault and realized that with Yosemite their method wouldn't work on an Active Directory Machine. They basically have you:
1) Go into recovery partition
2) Go into terminal and unlock and decrypt hard drive using recovery key
3) Reboot when done and go into recovery partition.
4) Use the reset password app to change the user's password.

Since the user is still Active Directory, it would essentially still pop up that error message. So potentially this is even a bigger issue since when a person leaves, we have to e-discover their machine. In order to e-discover we need to decrypt it...and log in as the user. So catch 22 there.

Glad to see at least someone else is seeing that message though.

gachowski
Valued Contributor III

Roie,

I should have added that we have seen slowness and freezing issues with our older 2011 MBPs that are HDD based. We have not seen it on the newer MBPr that have "SSD".
C

roiegat
Contributor III

C,

A couple of our users have the SSD drives and are having the issue. In my research I've found several different angles people are looking at:
1) Filevault and Active Directory (as claimed by Apple)
2) Energy Saver settings, since issues seem to occur after waking up the laptop.
3) iCloud Disk usage. I found this out myself when at the JAMF conference. My hotel has really bad WiFi and the iCloud Disk was pegging the CPU at 120% and made the computer unusable. After shutting it off, it worked fine.

So will add hard drive type to the list and check as well. I have extension attributes written for all the possible causes mentioned above so I can keep track of problem machines and see if their attributes are similar.

shoegazer
New Contributor

A few people have been having similar problems; this workaround is working for the 4 or so Macs that have had the problem in my environment:

https://jamfnation.jamfsoftware.com/discussion.html?id=12188

gachowski
Valued Contributor III

Roie,

Yep, after we decrypt we still see the "Your administrator requires that you enable FileVault. You must enable FileVault now to continue." pop up.

Have you reached out to JAMF? Can you provide me with your Apple tix # ....I will reach out to our Apple guys and open a ticket too..

C

MarcosMunoz
New Contributor III

I have been able to get around this pop-up by deleting the following entries, after turning FileVault2 off and before rebooting the machine once the decryption process is complete:

/Library/Keychains/FileVaultMaster.cer
/Library/Keychains/FileVaultMaster.keychain

Once removed, I no longer see the pop-up and I run a "sudo fdesetup status" after login to confirm that FV2 is disabled.

At the moment, this is a manual process for me as I am only removing FV2 for a handful of users.

Hope this helps.

spalmer
Contributor III

I am seeing this same issue as well with Yosemite 10.10.3 and came across this thread in my research. We do a deferred enablement through Self Service so I know there is no policy getting automatically reapplied since I have to trigger it manually.

I found that after disabling FileVault through the System Preferences, if I hit Cancel when I get the "Your administrator requires that you enable FileVault. You must enable FileVault now to continue." message and log in with our local admin account, it does let me get in without enabling FileVault. If I then go to the terminal and run fdesetup status I get the following:

FileVault is Off. FileVault master keychain appears to be installed. Deferred enablement appears to be active for user 'USERNAMETODEFERHERE'.

I also found that if I run sudo fdesetup showdeferralinfo I get the following (some info has been sanitized):

{ AskAtUserLoginMaxBypassValue = 0; CertPath = stdin; Certificate = <CERTIFICATEINFOHERE>; Defer = 1; DontAskAtUserLogout = 1; OutputPath = "/Library/Application Support/JAMF/run/file_vault_2_recovery_key.xml"; Usernames = ( USERNAMETODEFERHERE ); }

USERNAMETODEFERHERE is the same user that was enabled for FileVault when it was initially enabled on the Mac with the issue.

Since I have had no policies run for this Mac after disabling FileVault and since others said this issue started appearing in 10.10 I am wondering if there is some OS X or Casper bug where the deferment information is not getting removed after FileVault has been successfully enabled via policy for the user specified for deferred enablement.

Reading through the fdesetup manpage I found that I can remove the deferral by running sudo fdesetup disable even though it is already disabled. It will tell you "FileVault is already Off." but when you run sudo fdesetup showdeferralinfo again it now returns "Not found."

Apfelpom
New Contributor III

Thanks @mmunoz2 and @spalmer! I ran into the same problem: FV2 was manually deactivated but the encryption needed to be activated again at each logout (was manually canceled every time). fdesetup disable did the trick, no need to trash the FileVaultMaster.keychain.

apfelpom:~ yb$ sudo fdesetup status
FileVault is Off.
Deferred enablement appears to be active for user 'yb'.
apfelpom:~yb$ sudo fdesetup disable
FileVault is already Off.
apfelpom:Keychains la$ sudo fdesetup showdeferralinfo
Not found.
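The check-and-clear sequence from spalmer's and Apfelpom's posts, as an added example script (not code from the thread or from Jamf): the parsing functions take `fdesetup status` text so they can be exercised offline on a constructed sample, and `clear_stale_deferral` runs the real commands only where `fdesetup` exists.

```shell
#!/bin/sh
# Added example, not code from the thread: detect a FileVault deferral that
# survived decryption (the "Your administrator requires that you enable
# FileVault" loop) and clear it with `fdesetup disable`, then verify with
# `fdesetup showdeferralinfo`.

# Return 0 when FileVault is reported Off but a deferred enablement is
# still recorded, 1 otherwise. A deferral on an encrypted Mac is expected.
stale_deferral() {
    case "$1" in
        *"FileVault is Off."*"Deferred enablement appears to be active"*) return 0 ;;
    esac
    return 1
}

# Print the user name quoted in the deferral line, or nothing.
deferred_user() {
    printf '%s\n' "$1" | sed -n "s/.*active for user '\([^']*\)'.*/\1/p"
}

# Return 0 when the status text reports an institutional master keychain
# (/Library/Keychains/FileVaultMaster.keychain), 1 otherwise.
master_keychain_installed() {
    case "$1" in
        *"FileVault master keychain appears to be installed"*) return 0 ;;
    esac
    return 1
}

# Live remediation: only meaningful on macOS where fdesetup is present.
clear_stale_deferral() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found" >&2; return 2; }
    status="$(fdesetup status)"
    if stale_deferral "$status"; then
        echo "Stale deferral for user '$(deferred_user "$status")', clearing it"
        sudo fdesetup disable            # prints "FileVault is already Off."
        sudo fdesetup showdeferralinfo   # expect "Not found." afterwards
    else
        echo "No stale deferral recorded"
    fi
    if master_keychain_installed "$status"; then
        echo "FileVaultMaster.keychain is still installed; the thread reports it need not be removed"
    fi
}
```

Run `clear_stale_deferral` on the affected Mac after decryption has finished and before the next reboot.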

monaronyc
Contributor

Hi Group! Thanks for everyone's insight on all of this. So far so good with the 'decryption' of FV2. We were going bald over here trying to figure all this out. One thing though... when we check the status of fdesetup, we see that FV is finally off but 'FileVault master keychain appears to be installed'. I know where this file lives (Library/Keychains). Okay to delete/remove this? Or should we just leave it be to not screw anything else up?!?

avonharten
New Contributor

I had success preventing FileVault 2 from requiring enabling after unenrolling the computer, removing:

/Library/Keychains/FileVaultMaster.keychain

and ONLY after removing the JAMF folder located:

/Library/Application Support/JAMF

Then, when I rebooted the computer, it didn't require FileVault 2.

steagle
New Contributor III

I am encountering the same issue on my 10.12.6 machine, but the above solution is not working. But my conditions to arrive here were slightly different:

  1. In my user account I turned off FV and rebooted per the prompt
  2. The first reboot did not prompt me to re-enable FV and I logged in as normal and worked without FV for several days
  3. I rebooted a second time to install some software, and that's when I got the prompt to enable FV
  4. I canceled this and logged in as my local admin user instead
  5. I first checked all Jamf policies to ensure there was nothing set to run on startup or login regarding FV. There wasn't - there is only an ongoing policy in Self Service to allow users to enable FV themselves, and a policy to redirect FV keys to the JSS. To be safe, I still added exceptions to these policies for my computer and tried again, but still the same behavior.
  6. I unenrolled the computer from Jamf, confirming /Library/Application Support/Jamf and /Library/Keychains/FileVaultmaster.keychain were removed
  7. I rebooted, was still prompted to enable FV, and this time I chose to enable it so I could log in with my user account
  8. After fully encrypting the drive, I turned FV off again and rebooted
  9. After logging in I ran fdesetup status and it says "FileVault is Off." fdesetup disable says "FileVault is already Off."
  10. I rebooted, and once again I was prompted to enable FV

Considering there is no policy running on the Jamf side to force FV on, the FileVaultMaster.keychain file is gone, and I'm not even enrolled in Jamf, what else would be prompting this to turn on when I reboot?