Deploying Disk Encryption Configurations

Deploying disk encryption configurations allows you to activate FileVault 2 on computers with macOS 10.8 or later. There are two ways to deploy a disk encryption configuration: using a policy or using Casper Remote.

The event that activates FileVault 2 depends on the enabled FileVault 2 user specified in the disk encryption configuration. If the enabled user is “Management Account”, FileVault 2 is activated on a computer the next time the computer restarts. If the enabled user is “Current or Next User”, FileVault 2 is activated on a computer the next time the current user logs out or the computer restarts. In addition, if you are deploying a disk encryption configuration using a policy, you can configure the policy to defer FileVault 2 enablement until after multiple user logins have occurred.

Requirements

To activate FileVault 2 on a computer, the computer must be running macOS 10.8 or later and have a “Recovery HD” partition.
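
The requirements above can be checked on a computer before it is placed in the scope of a policy. The following script is an added example, not part of the Jamf documentation: its function names are hypothetical, and it assumes the usual output of the macOS commands sw_vers -productVersion, diskutil list and fdesetup status.

```shell
#!/bin/sh
# Added example: FileVault 2 preflight. Function names are hypothetical.
# Inputs are passed as text so the logic can be exercised off-device.

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# version_ok VERSION: succeeds if VERSION (sw_vers -productVersion) is 10.8 or later.
version_ok() {
    major=${1%%.*}; rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0          # no dot in the version, e.g. "11"
    minor=${rest%%.*}
    is_num "$major" && is_num "$minor" || return 1
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 8 ]; }
}

# has_recovery_hd TEXT: succeeds if `diskutil list` output names a "Recovery HD" partition.
has_recovery_hd() { printf '%s\n' "$1" | grep -q 'Recovery HD'; }

# fv_state TEXT: classify `fdesetup status` output (wording is an assumption).
fv_state() {
    case "$1" in
        *"Deferred enablement appears to be active"*) echo deferred ;;
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *) echo unknown ;;
    esac
}

# preflight VERSION DISKUTIL_TEXT FDESETUP_TEXT: print one verdict word.
preflight() {
    version_ok "$1"      || { echo unsupported-os; return 1; }
    has_recovery_hd "$2" || { echo no-recovery-hd; return 1; }
    case "$(fv_state "$3")" in
        on)       echo already-encrypted ;;
        deferred) echo enablement-pending ;;   # waiting for a login, logout or restart
        off)      echo ready ;;
        *)        echo unknown-state; return 1 ;;
    esac
}

# On a Mac, evaluate the live system; on other platforms this step is skipped.
if command -v fdesetup >/dev/null 2>&1; then
    preflight "$(sw_vers -productVersion)" "$(diskutil list)" "$(fdesetup status)"
fi
```

The verdict word can be returned from a policy script or extension attribute so that computers reporting no-recovery-hd or unsupported-os are kept out of the policy scope.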

Deploying a Disk Encryption Configuration Using a Policy

  1. Log in to the JSS with a web browser.

  2. Click Computers at the top of the page.

  3. Click Policies.

  4. Click New.

  5. Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.
    For an overview of the settings in the General payload, see General Payload.

  6. Select the Disk Encryption payload and click Configure.

  7. Choose "Apply Disk Encryption Configuration" from the Action pop-up menu.

  8. Choose the disk encryption configuration you want to deploy from the Disk Encryption Configuration pop-up menu.
    Note: Options are only displayed in the Disk Encryption Configuration pop-up menu if one or more configurations are configured in the JSS. For more information, see Managing Disk Encryption Configurations.

  9. Choose an event from the Require FileVault 2 pop-up menu to specify when users must enable disk encryption.

  10. Use the Restart Options payload to configure settings for restarting computers.
    For more information, see Restart Options Payload.

  11. Click the Scope tab and configure the scope of the policy.
    For more information, see Scope.

  12. (Optional) Click the Self Service tab and make the policy available in Self Service.
    For more information, see Self Service Policies.

  13. (Optional) Click the User Interaction tab and configure messaging and deferral options.
    For more information, see User Interaction.

  14. Click Save.

Deploying a Disk Encryption Configuration Using Casper Remote

  1. Open Casper Remote and authenticate to the JSS.

  2. Click Site and choose a site.
    This determines which items are available in Casper Remote.
    Note: This button is only displayed if you have a site configured in the JSS and are logged in with a JSS user account that has full access or access to multiple sites.

  3. In the list of computers, select the checkbox for each computer to which you want to deploy the disk encryption configuration.

  4. Click the Restart tab and configure settings for restarting computers.
    If you want to perform an authenticated restart on computers enabled with FileVault 2, select Perform FileVault 2-authenticated restart. This is applicable to computers with macOS 10.8.2 or later.

  5. Click the Advanced tab.

  6. In the list of disk encryption configurations, select the checkbox next to the configuration you want to deploy.
    Note: Disk encryption configurations are only displayed in the list if one or more disk encryption configurations are configured in the JSS. For more information, see Managing Disk Encryption Configurations.

  7. Do one of the following:

    • To immediately perform the tasks on the specified computers, click Go.

    • To schedule the tasks to take place at a specific day and time, click Schedule and choose a day and time. Then click Schedule again.

Related Information

For related information, see the following sections in this guide:

For related information, see the following Knowledge Base article:

Smart Group and Advanced Search Criteria for FileVault 2 and Legacy FileVault
Learn about the smart computer group and advanced computer search criteria available for FileVault 2.

For related information, see the following Apple Knowledge Base article:

http://support.apple.com/en-us/HT202918
Find out how Mac computers can be used with authenticated restart.

© copyright 2002-2017 Jamf. All rights reserved.