Jamf Nation Community

Im on 9.52 and my Macs with Filevault2 enabled on Yosemite are still showing as encrypted.

We're on 9.52, though locally hosted, and Yosemite machines are reporting encryption correctly.

Hi @ShakataGaNai

Are you getting this information via the API, or are you getting it directly from the web GUI?

Thanks,
Tom

Web GUI.

What we noticed in digging around is that it's just the reports that are broken. So when I bring up a Smart Computer Group or do an inventory search (which are very similar, obviously), FV2 says no partitions encrypted. However if I bring up the individual computers record, it does say the drive is encrypted.

So, just a bug on the reports it looks like.

Hi @ShakataGaNai,

Thanks for the reply. I have not seen that behavior in the web GUI in my testing, but i have seen the API report status of "Not Encrypted," not sure if they are related but I will tie this JAMF Nation thread to my ticket internally. I would also suggest you reach out to your support rep so we can tie a support case internally to the API behavior I have filed.

I will see if I can replicate this behavior in the web GUI, but yesterday when I was testing this stuff I was unable to do so. I would be curious to see what the API reports as well on your end to see if there is any correlation to the issue I found yesterday.

If you curl down the device record like so:

curl -s -u apiusername https://yourjssurl.com:8443/JSSResource/computers/id/_the_id_of_the_device | xpath //partition/filevault_status

You would have to input your credentials (the syntax above would prompt you for the password after you ran the command) and change the id to the value of the ID of the computer record in the JSS. Here is an exact example I was seeing in the API (not in my web GUI, it reports properly):

bash-3.2$ curl -ks -u tlarkin https://casper9gm.local:8443/JSSResource/computers/id/10 | xpath //partition/filevault_status
Enter host password for user 'tlarkin':
Found 1 nodes:
-- NODE --
<filevault_status>Not Encrypted</filevault_status>

Thanks,
Tom

There was time when the JSS didn't gather or display FV2 status. Many people added an Extension Attribute that obtained the FV2 status.

Is there a chance your reports are based on an outdated (i.e. not Yosemite aware) Extension Attribute and your smart groups are based on the build-in FV2 status?

I can confirm this is a bug with 9.6. 10.10 machines with FV2 encrypted boot partitions are falling into a smart group with criteria of FV2 status is not Boot Partitions Encrypted.

I just want to update everyone on this issue. I have confirmed and duplicated the problem and field a defect (last week actually). QA and dev are currently working on it. As a workaround I would look at dumping the contents of `fdesetup status` and here is an example of the output you could use for an extension attribute:

#!/bin/bash
FVresults=$(fdesetup status | head -n1)

echo "<result>${FVresults}</result>"

That way you can run advanced searches and scope smart groups based on that extension attribute. The out put will look like this:

fdesetup status | head -n1
FileVault is On.

So you can base it on the string "FileVault is On" or "FileVault is Off" for your criteria for reporting or smart groups. I apologize for any inconvenience this has caused anyone, and I suggest you reach out to your Technical Account Manager at JAMF for any further questions or concerns.

Thanks,
Tom

Pretty awesome FileVault EA script by Rich: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/filevault_2_encryption_che...

As an aside, if a strict security-minded individual evaluates the EA above, he will have concerns about the delay between set and check on those globals, and the fact that they're set in predictable locations. I do not share these concerns, but I modified it thusly in order to appease:

CORESTORAGESTATUS=`mktemp -t CSS.XXXXXX`
ENCRYPTSTATUS=`mktemp -t ES.XXXXXX`
ENCRYPTDIRECTION=`mktemp -t ED.XXXXXX`

Hey all,

Just to bring you all up onto the same page:

We do currently have a known issue (D-007896) that causes FV2 encrypted devices to incorrectly show up in Smart Groups set to report non-encrypted devices.

We’re seeing this in 10.9.x and 10.10 computers, in 9.5x and 9.6 JSSes.

This issue is marked as a major/high priority, so we’re hoping to see a fix for it soon. We don’t have specific time frames or date ranges, but defects that are fixed always appear listed in each version’s Release Notes.

In the mean time, as others have mentioned, there are extension attributes (many of which are listed further up in this thread) that can be used instead to help get around it.

Just for reference, the incorrect FV2 status displayed from an API call has been filed under D-007885.

If you don’t already have a case open on the matter, please get in touch with your Technical Account Manager so we can get a case going and get it attached to D-007896 for tracking. It helps us get a better picture of how many customers are currently running into the issue.
You can get in touch with your TAM by giving them a call, sending an e-mail to support@jamfsoftware.com (it gets routed to their case queue), or by using the My Support section of JAMF Nation.

Thanks!

Amanda Wulff
JAMF Software Support

@amanda.wulff When will this be fixed please? I have tested this with Casper version 9.72 and I can confirm that the issue is still exist.

I'm seeing this too and didn't realize it until the post today, thanks @Cem

I'm using @tlarkin extension attribute to work around it. Major/high priority bug since Oct?

I've moved my FileVault 2 EA, so the link earlier in the thread now gets a 404 error. For those who need it, it's available from here:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attribute...

It provides FileVault 2 status reporting for Macs running 10.7.0 and later.

Be sure you're not experiencing D-00903 Disk showing as 0. This occurs on new MacBooks which will show 0 disks available in the JSS.

@amanda.wulff Has this been fixed?

@Cem

With each release, we put out a new set of Release Notes that detail which defects have been fixed and also list any major defects that are still known issues.

Our release notes can be found by going to your My Assets page.
Under the Casper Suite section, right below the version number, you'll see a Release Notes header that has a link to a PDF that will give you that list.

The direct link for the 9.8 Release Notes is here.

The quickest way to find out if a defect (or defects, if there happens to be more than one) you're wondering about has been fixed is to run a find on the PDF for the defect number.

If you have additional questions or are looking for more details than what's in the Release Notes, the fastest way to get an answer is to open up a case with your Technical Account Manager, either by giving them a call, sending an e-mail to support@jamfsoftware.com, or by using the My Support section of JAMF Nation.

Thanks!
Amanda Wulff
JAMF Software Support

Thanks for the quick reply! I have checked the D-007885 and it's not been mentioned...

@Cem

Not a problem! A lot of people (myself included, as embarrassing as THAT is to admit) overlook the Release Notes sometimes; they are worth a read with every release both to check on defects and to make sure there haven't been any new known issues added that could be a problem.

I did a quick search on D-007885 in our system, and the notes on it indicate that it was listed as fixed in 9.62.

If you're still seeing the issue on a version of the JSS newer than 9.62, please open up a case with your Technical Account Manager so they can dig into it further with you to see if it is the same issue (and possibly open or re-open a defect if it is) or to see if something else might be going on that is showing similar symptoms to D-007885.

Thanks!
Amanda Wulff
JAMF Software Support

That's awesome! Thanks for confirming it Amanda...
Have a great weekend :)

@amanda.wulff If a bug reporting system were implemented, we could check ourselves what the status is of defects....

@bpavlov

We do have a Feature Request for a bug reporting/tracking system. If you haven't already voted it up or left a comment, feel free to do so.

In the mean time, to get a list of defects fixed in a particular release, you'll need to check the Release Notes with each version update or, if you have questions on a specific defect that you don't see listed in the Release Notes, get in touch with your Technical Account Manager either by phone, by e-mailing support@jamfsoftware.com, or by using the My Support section of JAMF Nation.

Thanks!
Amanda Wulff
JAMF Software Support