FileVault 2 Deferred Enablement - El Capitan

Same here, I posted this a couple minutes earlier: https://jamfnation.jamfsoftware.com/discussion.html?id=17283

I saw this issue with a new image this morning, so it was not caused by an upgrade. It may be an OS defect.

It appears that deferred "at login" mode works for local accounts, but does not trigger at login for Active Directory accounts. This must be an OS defect.

An OS defect around Active Directory accounts?? Inconceivable! Can't be, when has Apple ever done that!?

</sarcasm>

Bumping this in case anyone has gotten it to work with AD/mobile accounts, I am surprised this isn't being talked about much. It's very nearly a showstopper issue for us if we can't force FV to be enabled.

This certainly seems like an OS X bug. I wouldn't be surprised if this doesn't work correctly until 10.11.1 is released.

Has anyone tried this with the latest developer/beta builds of 10.11.1? I'm in no hurry to test it out myself.

I have, and it is still not working on the latest beta.

I just submitted a bug with Apple as well as opened a case with JAMF.

Sorry I missed this .....

Yes it's an Apple bug... it stopped working on the 2nd to last El Capitan beta... I filled with Apple day one of GMC beta...not fixed in X.11.1 either...(yet)

C

Jamf has a defect # too : )

We're kind of seeing this here with El Cap. The user gets the prompts as they're exiting: logging out, shutting down, shutting down to restart. But they are not getting the forced enrollment at login like they do in Yosemite.

The Disk Encryption Configuration shows up in the inventory, but the institutional key is not present, the individual key is unknown, and the state is unencrypted (as expected).

Tested to most recent developer preview.

@Shaffer

Yep deferred next log in doesn't work and deferred next log out only half works : )

If you have a Apple support please open a ticket so we can drive the number of effected machines up, so it get fixed faster : )

C

Edit: how do I delete a post?

Just opened a ticket with Apple, so I'm on the bandwagon :)

Thanks @Shaffer !!!

C

I also have opened a support ticket with Apple.

Sorry about the vague response but... Anyone else have a developer account? Anyone else feeling better about this after yesterday?

I am feeling better about this now, yes.

: ) me too.. still have a few thing to keep testing : )

re: Schaffer Anyone else feeling better about this after yesterday?

What occurred on 10/27 that might have made anyone feel better about this problem? I don't see any updates from Apple on that day.

I am still running into this problem and would like to get clued in as to what might help fix it.

X.11.2 public beta

Thanks, I will have to try it...

Not sure if you guys are aware or not, but I figured I'd let you all know, JAMF has a RADAR open with apple about this issue.

RADAR #22839220

Apple said this in response to my request of the info for that RADAR.

The radar you provided is regarding FileVault 2 deferred enablement does not work on LDAP users, the users did not receive any prompts. 'fdesetup status' will report that FileVault is in "deferred enablement" but logging in will not trigger the FV2 credentials prompt.

Regards,
TJ

Just ran into this issue as well. Glad to see I'm not the only one suffering :P

This does appear to be resolved in the latest 10.11.2 beta. It has been triggering successfully in all my tests.

Great! I hope that the general release is a week or two away.

What setting do you have selected in the Disk Encryption section of your policy? There's another thread, but this all does work if you have "at next logout" selected. Just to be clear, this is separate from the policy trigger. In our testing with Apple and JAMF, only "recurring check-in" and "custom" triggers work to trigger our FileVault policy.

This has been working for us the entire time since El Capitan was released (and before, to be honest.) However, it took us an embarrassingly long time to figure out that simply toggling that setting in the Disk Encryption section was the fix.

Also, we had to add an additional inventory collection policy to occur at next boot so that all of the fields would populate in the JSS. For our purposes, we did this as an additional policy so that it'd only apply to a subset of our Macs and not cause too many Recons. It appears that adding inventory collection to the policy itself when it's configured this way causes inventory collection to get interrupted so the keys, etc. don't get uploaded until the next inventory collection interval. And, depending on your environment, if that next Recon waits too long, they key info actually disappears and can't be uploaded. The other thread isn't sure how long that window is, however.