The end goal with our deployments is that the machine is encrypted, and that IT has access to the machine with or without the user present.
From my understanding, this means that the end user needs to have an FV2-enabled account, and the IT account also needs to be FV2-enabled.
So far what we've been doing is enrolling machines through DEP, and using a config profile to enforce FV2 and escrow the key. Then we manually add the IT account as a FV2 user on the machine.
What I would like to do is find a way to script out adding the administrator account as a FV2 user, or at least a very smooth way to run this deployment with minimal IT interaction with the machine, so that we can deploy smoothly to remote users as well. Anyone else in a similar situation here who has found a nice solution?
One thought that I had was maybe having a script that is passed the admin creds and, with the Jamf dialog, requests the user creds, then uses those to enable the admin account for FV2; however, I'm not sure of a way to do this without storing creds in the clear somewhere. Any further thoughts here would be appreciated.
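The flow sketched in the post (admin creds handed to the script, the logged-in user's password requested by a dialog, then the admin account enabled for FileVault) can be done without writing either credential to disk by piping an input plist to `fdesetup add -inputplist` on stdin. The script below is an added example, not code from the original post or from Jamf. It assumes macOS with `/usr/bin/fdesetup` and `osascript`; the `fdesetup add -usertoadd <user> -inputplist` invocation and the plist keys (`Username`, `Password`, `AdditionalUsers`) follow the `fdesetup` man page. The `RUN_FV2_ENABLE` variable, the `enable_admin_fv2`, `build_add_plist` and `xml_escape` function names, and reading the admin account from script parameters `$4`/`$5` (Jamf's first two policy parameters) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): enable an IT admin account for
# FileVault 2 by feeding fdesetup an input plist on stdin, so neither the
# user's nor the admin's password is written to a file.
# Assumes macOS with /usr/bin/fdesetup and osascript.

FDESETUP="${FDESETUP:-/usr/bin/fdesetup}"

# XML-escape a value so '&', '<', '>' and quotes in a password cannot
# break (or inject into) the plist we build.
xml_escape() {
  printf '%s' "$1" | sed \
    -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
    -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Build the plist that `fdesetup add -inputplist` reads from stdin:
# Username/Password = an existing FileVault-enabled user (the unlocking
# user), AdditionalUsers = the account(s) to enable.
build_add_plist() {
  fv_user=$1; fv_pass=$2; new_user=$3; new_pass=$4
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>$(xml_escape "$fv_user")</string>
  <key>Password</key><string>$(xml_escape "$fv_pass")</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>$(xml_escape "$new_user")</string>
      <key>Password</key><string>$(xml_escape "$new_pass")</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# True if the given account already appears in `fdesetup list`
# (output is "username,UUID" per line).
fv2_user_enabled() {
  "$FDESETUP" list | cut -d, -f1 | grep -qx "$1"
}

# Prompt the console user for their login password via a hidden-answer
# dialog; the value only ever lives in this shell variable and a pipe.
prompt_user_password() {
  osascript \
    -e 'display dialog "Enter your login password to finish FileVault setup:" default answer "" with hidden answer' \
    -e 'text returned of result'
}

# Main flow: admin user/password come from the caller (e.g. Jamf script
# parameters $4/$5), the unlocking user's password from the dialog.
enable_admin_fv2() {
  admin_user=$1; admin_pass=$2
  if ! "$FDESETUP" isactive >/dev/null 2>&1; then
    echo "FileVault is not enabled on this machine; nothing to do." >&2
    return 1
  fi
  if fv2_user_enabled "$admin_user"; then
    echo "$admin_user is already FileVault-enabled." >&2
    return 0
  fi
  console_user=$(stat -f %Su /dev/console)
  user_pass=$(prompt_user_password) || return 1
  build_add_plist "$console_user" "$user_pass" "$admin_user" "$admin_pass" \
    | "$FDESETUP" add -usertoadd "$admin_user" -inputplist
  unset user_pass
  # Verify the result rather than trusting the exit status alone.
  fv2_user_enabled "$admin_user"
}

# Only run the live flow when explicitly asked (hypothetical guard so the
# functions above can be sourced and tested without touching fdesetup).
if [ "${RUN_FV2_ENABLE:-0}" = "1" ]; then
  enable_admin_fv2 "$4" "$5"
fi
```

Run from a Jamf policy as `RUN_FV2_ENABLE=1` with the admin account name and password in parameters 4 and 5, or interactively as `RUN_FV2_ENABLE=1 sh script.sh _ _ _ itadmin 'password'`. The password reaches `fdesetup` only through the stdin pipe, never as a command-line argument, so it does not show up in the process list; the admin password itself is still visible as a script argument for the lifetime of the script, which is the remaining exposure to weigh against a manual visit.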