Skip to main content

Our FileVault 2 encryption policy is scoped to devices that are not already encrypted, however it seems that the new MacBook Pros (and possibly iMac Pros, but we don't have any to test) are being seen by Jamf as already encrypted, even when FileVault is off. I suspect this is because the disk is, technically, already encrypted by the T2 chip hardware. While this would prevent the drive from being accessed if removed from the computer, without FileVault also enabled it doesn't prevent the disk from being unlocked without a password while still inside the machine. Apple certainly recommends enabling FileVault, even on T2-capable Macs:



https://support.apple.com/en-us/HT208344



Anyone else have a workaround for this, to get T2-equipped Macs with FileVault disabled to be seen by Jamf as unencrypted?

For what it's worth, I've created this Extension Attribute to determine if an iBridge is present. From there, a Smart Group could be created, against which a more aggressive FileVault policy could be scoped:



#!/bin/bash



IBRIDGE="$(/usr/sbin/system_profiler SPiBridgeDataType | /usr/bin/grep 'Model Name')"



if [[ "${IBRIDGE}" == "" ]] ; 

then

    /bin/echo "<result>None</result>"

else

    /bin/echo "<result>${IBRIDGE}</result>"

fi



exit 0


Script will return "None" for Macs with no iBridge, "Model Name: Apple T1 chip" for Macs with a T1 chip (such as the 2016/2017 MacBook Pro with TouchID), or "Model Name: Apple T2 chip" for Macs with a T2 chip (such as the 2018 MacBook Pro). EDIT: see @brunerd's post below, return values may be different depending on language localization and OS version.

(edit: removed duplicate post)

We're also adapting to this change.



Thanks for the EA! It's a good start, but ideally Jamf will use a different mechanism when detecting "FileVault 2 Partition Encryption State", given that this title is no longer accurate for T2 Macs.

I think they are aware of the issue, my Jamf rep asked for more details in reference to PI-006109.

I was able to find @rtrouton 's Extension Attribute that detects APFS Encryption Status. This appears to be a decent value to base our policies on for T2 equipped Macs.

An observation about the SPiBridgeDataType in system profiler: it will localize the word "chip"
So don't get too specific in your Smart Group criteria, like "T2" will suffice.



Also sorta interesting is that 2016 MacBook Pros with Touch ID will report "iBridge" in 10.12 but "Apple T1 chip" in 10.13...
I guess they realized they needed snappier branding that ditched the "i" going forward.



As for the EA, it works well enough for now for me, to say if they have a "T2" yet the Filevault Key Validation is "Unknown" then they are not encrypted. I really didn't want to add another EA for encryption status, I'm hoping it can just be a part of JSS 10.6.1 🙏

Thanks @brunerd, good to know about localization and the different values returned by Sierra vs. High Sierra. I agree that having the Smart Group to do a "like" match for just the "T2" substring makes sense. Using "Filevault Key Validation" is a neat trick, for my environment we already had another EA that returns the value of fdesetup status so I just looked for a match of "FileVault is Off" to get my list of unencrypted devices.

@brunerd you're just checking that they don't have a filevault key (personal or institutional) AND have a T2 (iBridge)? Right?

I had a whole post about how I'd gotten a new T2 laptop to test with, then it turns out the tech who gave it to me, gave me a "Brand New" MacbookPro 2017 (fresh outta the cellophane from CDW) and I wasn't seeing that it was showing as encrypted out of the box... but then yeah it was a macbookpro14,2 not a macbookpro15,2 or 1 – DOH!



@cwaldrip Right - I have a Smart Group matching if they have a T2 and their Encryption Key (we only use Personal) is Unknown

Reply


Terms & ConditionsCookie settings