
I'm currently testing out Catalina on a VM. I have the Security & Privacy MDM profile deployed to it with the setting enabled to require FileVault.



When I reboot the VM, I am prompted for my password. It says that it will enable FileVault, but it never does - the Mac just reboots and then I go through the same process all over again.



If I enable FileVault through the local Mac settings it works fine.



Is anyone else having this issue? Any idea why the MDM setting is not enabling FileVault?

Yes, same result with a real computer (Mid-2014 Retina). It keeps asking for the password (at logout) after each reboot and FileVault is never enabled. It's working fine if enabled manually through the Security pane.


I do see that 10.15+ requires user approved MDM for FileVault according to https://developer.apple.com/documentation/devicemanagement/fdefilevault



My VM does have user approved MDM. I have also tried removing/re-applying the configuration profile after this was approved, but I have the same result.


Same here, also a policy to enable at logout doesn't seem to work. I changed the policy to enable at login which fixed the issue.
I did some further testing today using (custom) configuration profiles to enforce at login/logout because Jamf does not have support for all MDM keys/values for FileVault:
- Force at logout: FileVault not enabled
- Force at logon: FileVault enabled!



Filed a bug report with Apple for this.



For those interested I was able to enforce with the following payload content in the mobileconfig:



<key>Defer</key>
<true/>
<key>DeferDontAskAtUserLogout</key>
<true/>
<key>DeferForceAtUserLoginMaxBypassAttempts</key>
<integer>0</integer>
<key>Enable</key>
<string>On</string>
<key>PayloadDisplayName</key>
<string>FileVault 2</string>
<key>PayloadIdentifier</key>
<string>com.apple.MCX.FileVault2.84537EBB-ED32-4231-8776-F3EB98C72F96</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.MCX.FileVault2</string>
<key>PayloadUUID</key>
<string>84537EBB-ED32-4231-8776-F3EB98C72F96</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>ShowRecoveryKey</key>
<true/>
<key>UseRecoveryKey</key>
<true/>

We also are having this issue - it's a huge bummer. Waiting until login to enable really breaks our automated enrollment flow. What's the bug report ID with Apple?


@gtucker: that is FB7361976


@jordy.witteman thanks!


We had this behaviour also with non-Catalina Macs from time to time in the past and never found a solution. Did not try to change it to logon instead of logoff (which we used).


@jordy.witteman is enabling FileVault via a Config Profile considered "Best Practice" now rather than using the Disk Encryption Configuration deployed via a Policy??


@sslavieroGSMA Normally I'd prefer a config profile over a policy. But given the fact that Jamf has currently no support for DeferDontAskAtUserLogout and DeferForceAtUserLoginMaxBypassAttempts in the Security & Privacy configuration profile UI, the easiest for now seems to use a policy with 'At next login' selected.


OK - So if I use ProfileCreator to create a Config Profile of your settings you mention above > upload that into Jamf as a Config Profile (or should I export as a Plist file and upload into a CP?).



And still have:
Config Profile --> Security & Privacy: Require FileVault 2 + Escrow Recovery Key
Policy with Disk Encryption: At Next Login



So kinda a 3 part process??


@sslavieroGSMA No I mean the setup below was sufficient in my testing:
- Config profile: require FV2 + escrow
- Policy with Disk Encryption: At next login



If you’d want to use config profile without the policy, then the custom settings are needed. I also used ProfileCreator to do this. Sorry if this wasn’t clear before :)


Our Jamf support rep sent me this thread. Has anyone seen Macs that fail to recognize any passwords or PRKs midway through the upgrade to Catalina?


I've seen this behavior of FileVault not enabling despite seeing the screen and all when the user is not SecureToken enabled.



sysadminctl -secureTokenStatus "$(whoami)"


The difference with enabling via the System Prefs GUI is that it'll prompt for credentials and grant you a SecureToken (this is only possible if there is no other SecureToken user on the system). Perhaps, however the VM was set up, it didn't grant it to your user?



If no other user is SecureToken enabled then you can grant it to yourself (there's a way to use stdin but I am too lazy to figure out the tortured syntax Apple makes you use):



sysadminctl -secureTokenOn "${username}" -password "${password}" -adminUser "${username}" -adminPassword "${password}"
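A pre-flight check for the deferred enablement this thread is about, as an added example that is not from the post above: it reads the status of the tools mentioned here (fdesetup, sysadminctl, profiles) and reports whether the two preconditions the thread identifies hold, a SecureToken on the console user and user approved MDM. The parsers take the tool output as arguments so they can be exercised with constructed sample output on any POSIX shell; the exact strings matched are assumed from typical 10.13-10.15 output and may differ by version.

```shell
#!/bin/sh
# Added example (not the thread's code): check the preconditions for an
# MDM-driven FileVault enablement before blaming the profile. Only the final
# block touches the real tools, and only on macOS as root.

# "fdesetup status" prints "FileVault is On." or "FileVault is Off." and, when a
# deferral is pending, also "Deferred enablement appears to be active for user 'x'."
fv_state() {
    case "$1" in
        *"Deferred enablement appears to be active"*) echo deferred ;;
        *"FileVault is On."*)  echo on ;;
        *"FileVault is Off."*) echo off ;;
        *) echo unknown ;;
    esac
}

# "sysadminctl -secureTokenStatus <user>" logs to stderr, e.g.
# "sysadminctl[512:9999] Secure token is ENABLED for user jdoe"
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# "profiles status -type enrollment" prints "MDM enrollment: Yes (User Approved)"
# once the enrollment is user approved (DEP enrollments are approved automatically).
uamdm_state() {
    case "$1" in
        *"MDM enrollment: Yes (User Approved)"*) echo approved ;;
        *"MDM enrollment: Yes"*) echo enrolled ;;
        *"MDM enrollment: No"*)  echo none ;;
        *) echo unknown ;;
    esac
}

# Returns 0 when FileVault is already on, or when the console user holds a
# SecureToken and the MDM enrollment is user approved (required on 10.15+).
# Arguments: fdesetup output, sysadminctl output, profiles output.
fv_preflight() {
    fv=$(fv_state "$1")
    st=$(secure_token_state "$2")
    mdm=$(uamdm_state "$3")
    echo "filevault=$fv securetoken=$st mdm=$mdm"
    [ "$fv" = on ] && return 0
    [ "$st" = enabled ] && [ "$mdm" = approved ]
}

# Live run on a Mac: fdesetup and profiles need root; sysadminctl writes to stderr.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ]; then
    console_user=$(stat -f %Su /dev/console)
    fv_preflight "$(fdesetup status)" \
                 "$(sysadminctl -secureTokenStatus "$console_user" 2>&1)" \
                 "$(profiles status -type enrollment)" \
        || echo "not ready for deferred enablement: fix SecureToken/UAMDM first"
fi
```

Run it as root on the affected Mac; "securetoken=disabled" points at the SecureToken case described in the post above, while "filevault=deferred" with both preconditions met is the state the thread reports when the logout trigger keeps re-prompting without ever encrypting.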

This seems to have started working again after the Catalina Supplemental update... curious if others can verify this.


Hmmm how can I test on a fresh laptop....... does an internet recovery download the supplemental update too?


Unfortunately I am still seeing the same behaviour and FV not being enabled on a fresh install of 10.15 with the supplemental update (19A602). It is definitely no issue with SecureToken as this was enabled for the user I was testing with.



@SfarraCap What was your config when you had FV enabled with the supplemental update?



@Cayde-6 I guess it would, in my case I used the following to download a fresh installer that included the update for my VM



softwareupdate --fetch-full-installer --full-installer-version 10.15

@Cayde-6 I actually tested it on a fresh install (With Supplemental Update Installed) as well and still nada!


Yeah, can confirm the supplemental catalina update (10.15.0 19A602) did not resolve this issue yet.


Same here with a fresh Catalina 10.15.1 VM enrolled via DEP (so UAMDM is all good) - SecureToken is there for the user account as well, but no FileVault enablement (although it tries to do it on each logout)...


In my scenario, I was able to resolve it by changing the trigger to "Login" instead of "Logout" and noticed that it was giving me a message about talking Volumes:



Enabling FileVault on your Machine

The initial set-up may take a few minutes. The FileVault recovery key will be displayed when FileVault is ready. This may show up after this user logs out.


Its then followed by:



There was a problem enabling FileVault on your computer.
You should use System Preferences Security & Privacy to view or change FileVault.


On this machine in particular, once I glanced at Disk Utility I quickly noticed that there was a separate volume listed. Since this was a TESTER anyway, I booted into recovery mode, deleted that volume as well as the main Macintosh_HD volume and started from scratch.



Once it was enrolled, the user was prompted at login and the machine encrypted as intended, and much cleaner I might add, as the recovery key now is never shown to the user.


Looks like this is broken for enabling FV on logout. I ran a policy to enable at login and that worked.


Problem is that a configuration profile only has the logout option for deferred.



Policy isn’t an issue by the sounds of it


@Cayde-6 see jordy.witteman's post at the beginning of this thread. You can create a profile that forces on login with deferral.





Hi @jordy.witteman, how am I going to see the progress of the problem ID FB7361976 at Apple? Do you have a link? Thank you.


We see similar issues, reported to Apple Enterprise Support who are aware of the problem

