Zero Touch and No User Interaction regarding FileVault

jmancuso
New Contributor III

Hey Y'all! 

We wanted to remove the user option to hit enable or cancel when imaging a Jamf Connect / Zero Touch machine. On the onboarding, our goal was to move to a user onboarding and a computer that can come straight from the factory or vendor with an imaging ready to load. Allowing the user to decide if the machine was going to be encrypted or not was not something we wanted. Below is how we remove that option and encrypt our machines. 

Getting Started:

You need:

The flat Package method: https://github.com/sean-rabbitt/JamfConnectMetaPackageSample/blob/main/JamfConnectMetaPackage.pkg (this is not totally needed, but we are wrapping the jamf connect pkg and assets in the above wrapper) 

Jamf Connect Configurator (This is where we apply FV settings - no escrow) 

Starts with the Zero Touch Prestage:

In that prestage you'll select the encryption, but we don't escrow the key. This is in the Pkg Settings we configure in Jamf Connect Configurator.

Create a Configuration profile to only escrow the key. Scope to a Smart Group of these machines.

In your imaging for Zero Touch, apply a policy at the end that restarts the machine and runs recon to check in.

The Configuration profile hits first and says hey, when we get a key we'll escrow it. Then FV gets turned on by the prestage (in our pkg), and the restart and check-in is what gets rid of the need for an end user to go to System Preferences and turn on FV.

Tested with Jamf and myself. It removes the user interaction and encrypts our machines. 

DaneAbernathy
New Contributor III

I'm just starting to get really familiar with Jamf Connect Login, but I am pretty sure Jamf Connect Login can handle all this in the configuration profile with no restart needed and no prompts for the user. You can turn on FV and store the key locally within the config profile for Jamf Connect Login. Then you can ensure it is escrowed with another profile with FV key escrow settings so that it automatically generates the cert needed to pass the key up to Jamf.

Someone can correct me if I am wrong, but I have had success with this in my testing. 

Here are the keys/values for Jamf Connect Login:

    <key>EnableFDE</key>
    <true/>
    <key>EnableFDERecoveryKey</key>
    <true/>
    <key>EnableFDERecoveryKeyPath</key>
    <string>/usr/local/filevault</string>
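Both workflows in this thread end with FileVault on and, in the reply's variant, a recovery key written to the EnableFDERecoveryKeyPath location until escrow picks it up. The following audit helper is an added example (not from either poster, nor Jamf's own tooling) for a policy or extension attribute script: it takes the `fdesetup status` text and the key path as arguments (so it can be exercised anywhere), and reports whether encryption is on and whether a plaintext key file is still sitting on disk, flagging a world-readable one separately. It assumes the key is written as a single file at that path.

```sh
#!/bin/sh
# fv_audit STATUS_TEXT KEY_PATH
#   STATUS_TEXT: output of `fdesetup status`, passed in rather than called
#                here so the function can be tested off a Mac
#   KEY_PATH:    local recovery-key file, i.e. the EnableFDERecoveryKeyPath value
# Prints exactly one token: ok | fv_off | key_on_disk | key_world_readable
# Exit status: 0 = ok, 1 = FileVault off, 2 = key still on disk
fv_audit() {
    status_text="$1"
    key_path="$2"
    case "$status_text" in
        *"FileVault is On"*) ;;                 # encrypted, keep checking
        *) echo "fv_off"; return 1 ;;
    esac
    # Desired end state once escrow has happened: no local copy of the key
    [ -e "$key_path" ] || { echo "ok"; return 0; }
    # Plaintext key still present. GNU stat (Linux) first, BSD stat (macOS) second.
    perm=$(stat -c '%a' "$key_path" 2>/dev/null || stat -f '%Lp' "$key_path")
    case "$perm" in
        *[4567]) echo "key_world_readable"; return 2 ;;   # 'other' has read bit
    esac
    echo "key_on_disk"
    return 2
}

# Constructed demo: a scratch file standing in for /usr/local/filevault
demo_key=$(mktemp)
chmod 644 "$demo_key"
echo "mode 644 -> $(fv_audit 'FileVault is On.' "$demo_key")"
chmod 600 "$demo_key"
echo "mode 600 -> $(fv_audit 'FileVault is On.' "$demo_key")"
rm -f "$demo_key"
echo "removed  -> $(fv_audit 'FileVault is On.' "$demo_key")"
```

On a managed Mac the real call is `fv_audit "$(fdesetup status)" /usr/local/filevault`; a non-zero exit lets the calling policy fail loudly until the key is escrowed and the local copy cleaned up.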