FileVault Enablement with Jamf Connect

You can use Jamf Connect to enable FileVault on computers for administrator and standard local accounts. You can also store the user's personal recovery key at a specified file path.

Keep the following security and user experience considerations in mind when choosing to use Jamf Connect and FileVault on computers:

  • User Data Protections on macOS 10.15 or later—To ensure FileVault is enabled and users are not locked out of computers with Jamf Connect, a Privacy Preferences Policy Control (PPPC) configuration profile must be installed on computers with macOS 10.15 or later. You can download this configuration from Jamf's GitHub repository or configure and deploy it with Jamf Pro.

  • Unintentionally bypassing Jamf Connect—If Jamf Connect is installed on computers, the default macOS automatic login behavior with FileVault may prevent the Jamf Connect login window from loading.

  • Additional login prompts for users—When FileVault is enabled on a computer, a login screen is displayed before macOS launches via an extensible firmware interface (EFI). This login screen is built in at the EFI level, or provided by a special boot loader on computers with the T2 chip. The user must enter their FileVault password to unlock the boot drive and launch macOS. Once unlocked, FileVault passes the user's password to the macOS loginwindow application, which automatically logs in the user and loads the Finder.

Configuring a Privacy Preference Policy Control Payload on macOS 10.15 or Later

To enable FileVault settings on macOS 10.15 or later, you must install a configuration profile that configures the Privacy Preferences Policy Control (PPPC) payload on computers. You can upload the profile to an MDM solution manually or configure and deploy it in Jamf Pro:

Uploading Privacy Preference Policy Control Settings Manually

You can upload a .mobileconfig file directly to your MDM solution or install it locally.

To obtain this configuration profile for upload, see the following from Jamf's GitHub repository: https://github.com/jamf/Jamf-Connect-Resources/blob/master/Jamf-Connect-PPPC-FileVault.mobileconfig

Configuring and Deploying Privacy Preference Policy Control Settings with Jamf Pro

To configure and deploy PPPC payload settings with Jamf Pro, complete the following steps:

  1. In Jamf Pro, click Settings in the top-right corner.

  2. In the Computer Management section, click Security.

  3. Click Edit.

  4. Select the Jamf Connect checkbox from the Automatically install Privacy Preferences Policy Control profile settings section.

  5. Click Save.

Disabling Automatic FileVault Login

To prevent the macOS login process from skipping Jamf Connect Login when FileVault is enabled, you can disable automatic login on computers by doing one of the following:

  • Enable the Require Network Authentication (DenyLocal) setting in the Jamf Connect login window configuration profile, which forces the Jamf Connect login window to be displayed and completed by users during the login process.

  • Upload the following PLIST file using the Custom Settings payload in your MDM solution. Make sure you specify the following preference domain: com.apple.loginwindow

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>DisableFDEAutoLogin</key>
    <true/>
    </dict>
    </plist>
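The two settings this section depends on (FileVault enabled, automatic FileVault login disabled) are easy to audit after deployment. The following script is an added example, not part of the Jamf documentation or Jamf Connect itself. On a Mac the two values would come from fdesetup status and from defaults read on the com.apple.loginwindow domain (defaults prints a managed boolean of true as 1); here constructed sample outputs are parsed so the check runs anywhere, and the live collection commands are shown commented out.

```shell
#!/bin/sh
# Added example (not Jamf's code): audit the FileVault state and the
# DisableFDEAutoLogin preference that keeps Jamf Connect Login from being
# bypassed. Parsing is done on strings so the functions can be exercised
# with constructed sample output on any POSIX shell.

# Return 0 when `fdesetup status` output reports FileVault as On.
fv_is_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Return 0 when the loginwindow preference value disables FileVault auto login.
# `defaults read` prints 1 for a managed <true/>; accept the common spellings.
fde_autologin_disabled() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in
    1|true|YES) return 0 ;;
    *)          return 1 ;;
  esac
}

# Combine both checks: print one line per setting, return 0 only if both pass.
audit_fv_login() {
  status_out=$1
  pref_out=$2
  rc=0
  if fv_is_on "$status_out"; then
    echo "FileVault: On"
  else
    echo "FileVault: NOT enabled"
    rc=1
  fi
  if fde_autologin_disabled "$pref_out"; then
    echo "DisableFDEAutoLogin: set"
  else
    echo "DisableFDEAutoLogin: not set (Jamf Connect login window may be bypassed)"
    rc=1
  fi
  return $rc
}

# Constructed sample outputs standing in for the real commands.
SAMPLE_STATUS_ON='FileVault is On.'
SAMPLE_STATUS_OFF='FileVault is Off.'
SAMPLE_PREF_SET='1'
SAMPLE_PREF_MISSING=''

# On macOS, run the audit against live values instead:
# audit_fv_login "$(fdesetup status)" \
#   "$(defaults read /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin 2>/dev/null)"
```

Run on a computer, the script exits non-zero when either setting is missing, so it can be used as the body of an extension attribute or a compliance check that flags computers where the Jamf Connect login window could still be skipped.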

The following diagram shows how these settings ensure the Jamf Connect login window is not bypassed during login:

[Diagram: Jamf Connect login flow with FileVault automatic login disabled, showing that the Jamf Connect login window is not bypassed]

User Experience and Security

Although security measures, such as FileVault and multi-factor authentication (MFA), significantly improve the security of a Mac, administrators should only implement necessary security features in their environment to ensure a positive end user experience. Excessive security combined with Jamf Connect may result in multiple computer login prompts for users to access a Mac and continuous authentication with Jamf Connect Sync or Verify.

The following diagram shows an example of how too many security measures at the login window can create a negative user experience.

[Diagram: example of excessive security measures at the login window producing repeated authentication prompts]

Enabling FileVault for Standard Local Accounts

Note: On macOS 11 or later, the Local Administrator Password Solution (LAPSUser) is not required to enable FileVault for standard accounts.

If you want to use Jamf Connect to create a standard local account that is FileVault enabled on macOS 10.15, you must use the Local Administrator Password Solution (LAPSUser) setting. This setting randomizes an already existing local administrator account password, uses the password to enable FileVault and create a personal recovery key, and then cycles the personal recovery key to become the local administrator password. This results in the configured LAPS administrator account and standard user account being FileVault enabled.

Keep the following in mind:

  • The first FileVault enabled user account on a computer cannot be a standard user account. An existing local administrator must be on the computer to use this method.

  • Only the first created standard account will receive a SecureToken.

FileVault Settings

Domain: com.jamf.connect.login

Description: Used to configure how FileVault is enabled with Jamf Connect.

Key: EnableFDE (Enable FileVault)
Description: If set to true, FileVault will be enabled for the first user that logs in to a computer.
Example:
    <key>EnableFDE</key>
    <false/>

Key: EnableFDERecoveryKey (Save FileVault Recovery Key)
Description: If set to true, Jamf Connect will store the personal recovery key (PRK) in /var/db/NoMADFDE unless otherwise specified.
Example:
    <key>EnableFDERecoveryKey</key>
    <false/>

Key: EnableFDERecoveryKeyPath (Set Recovery Key Filepath)
Description: Specifies a custom file path for the PRK instead of the default /var/db/NoMADFDE.
Example:
    <key>EnableFDERecoveryKeyPath</key>
    <string>/usr/local/filevault</string>

Key: LAPSUser (LAPS User)
Description: An existing local administrator account whose password Jamf Connect can change to the personal recovery key. This setting is only used by Jamf Connect to help enable FileVault for standard accounts on macOS 10.15.x.
Example:
    <key>LAPSUser</key>
    <string>AdminUser</string>
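The four keys above are normally deployed together. The following PLIST is an added example, not a file from the Jamf documentation or the Jamf Connect resources repository; it combines the keys into one preference file that can be uploaded with the Custom Settings payload in the preference domain com.jamf.connect.login, the same mechanism used for the com.apple.loginwindow file earlier on this page. The recovery key path and the AdminUser account name are the example values from the table and must be replaced with the path and local administrator account used in your environment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Enable FileVault for the first user that logs in through Jamf Connect. -->
    <key>EnableFDE</key>
    <true/>

    <!-- Write the personal recovery key (PRK) to disk so it can be collected. -->
    <key>EnableFDERecoveryKey</key>
    <true/>

    <!-- Example path from the settings table; replace with your own location. -->
    <key>EnableFDERecoveryKeyPath</key>
    <string>/usr/local/filevault</string>

    <!-- Example account name; only needed for standard accounts on macOS 10.15.
         Omit this key on macOS 11 or later, where LAPSUser is not required. -->
    <key>LAPSUser</key>
    <string>AdminUser</string>
</dict>
</plist>
```

Because the PRK is written to a file on the computer's own disk, plan how that file is collected into escrow and removed afterwards; a recovery key that only exists locally is both a recovery gap for the organization and readable by anyone with administrative access to the computer.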

Related Information

For related information about managing authentication with Jamf Connect, see Network and Local Authentication Restrictions.

For related information about macOS Security, see the Apple Platform Security user guide.

For related information about User Data Protections and FileVault, see the following Knowledge Base articles:

For related information about administering FileVault with Jamf Pro, see the Administering FileVault on macOS 10.14 or Later with Jamf Pro technical paper.

© copyright 2002-2020 Jamf. All rights reserved.