Zero Touch Me


Hey Guys,

Are any of you doing zero touch and I mean completely zero touch.
What are you doing for Filevault encryption?

Currently we have our IT team receive and setup the machine then deliver the machine and wait for user, we unlock the drive and setup the new user.

Is there a way to deliver machine directly to user and not have to unlock the drive and at the same time our admin account added to machine later via script or something?



We did zero touch where I used to work and it was pretty seamless (our IT management still wanted us to sit with users and go thru the DEP process with them).

AFAIK, Filevault can be enabled via policy so the machine will enable when the user logs in for the first time. Others here may have a bit more details though.

New Contributor III

Hey there!

Filevault zero touch might require you to use a certificate or a global recovery key

Contributor II

There are two options:

1: Don't enable filevault2
2: At first Login the User is Admin so gets the Secure Token by Default then a script kicks in to downgrade the account on log out (which is required by one or more 'updates'. I use dsconfigad groups add "All Staff" to the admin group then update this afterwards.
3: Deploy to user and don't have an admin account with FV2 permissions!

I have tested 2 and it did work but I haven't deployed it to production yet as zero touch is a bit of an alien concept here though I've been doing it on iPad for over a year...

Contributor III

Hate to be a negative nancy, but I feel that it needs to be pointed out that zero-touch deployment is not actually possible on Apple devices. it is either LTI or UDI, ZTI is just not possible

Honored Contributor

I agree, "zero touch," is a misnomer as that would imply you literally did nothing and it auto configured. The user will have to input some things to the device, and they will also have to authenticate (if you have auth turned on). I force a reboot at DEP Enrollment which then prompts the user to enable FV2.

New Contributor II

I believe Zero Touch is intended to be from the IT perspective, of course, the owner has to touch it. but the idea is IT doesn't have to do it for them, or do anything else to it after delivery.

Contributor III

Thankfully Apple seems to have finally caved and now allows for a truly zero touch deployment.