FileVault Enablement with Jamf Connect

You can use Jamf Connect to enable FileVault on computers for administrator and standard local accounts. You can also store the user's personal recovery key at a specified file path.

Keep the following security and user experience considerations in mind when choosing to use Jamf Connect and FileVault on computers:

User Data Protections on macOS 10.15 or later—
To ensure FileVault is enabled and users are not locked out of computers with Jamf Connect, a Privacy Preferences Policy Control (PPPC) configuration profile must be installed on computers with macOS 10.15 or later. You can download this configuration from Jamf's GitHub repository or configure and deploy it with Jamf Pro.
Unintentionally bypassing Jamf Connect—
If Jamf Connect is installed on computers, the default macOS default automatic login behavior with FileVault may prevent the Jamf Connect login window from loading.
Additional login prompts for users—
When FileVault is enabled on a computer with macOS 10.15 or earlier, a login screen is displayed before macOS launches via an extensible firmware interface (EFI). This login screen is built-in at the EFI level or a special boot loader in computers with the T2 chip. The user must enter their FileVault password to unlock the boot drive and launch macOS. Once unlocked, FileVault passes the user's password to the macOS loginwindow application and automatically logs in the user and loads the Finder.

Privacy Preference Policy Control Payload on macOS 10.15 or Later

To enable FileVault settings on macOS 10.15 or later, you must install a configuration profile that configures the Privacy Preferences Policy Control (PPPC) payload on computers. You can upload the profile to an MDM solution manually or configure and deploy it in Jamf Pro.

Deploying Privacy Preference Policy Control Settings with Jamf Pro

To configure and deploy PPPC payload settings with Jamf Pro, complete the following steps:

In Jamf Pro, click Settings in the top-right corner of the page.
In the Computer Management section, click Security.
Click Edit .
Select the Jamf Connect checkbox from the Automatically install Privacy Preferences Policy Control profile settings section.
Click Save .

Uploading Privacy Preferences Policy Control Settings Manually

You can upload a .mobileconfig file directly to your MDM solution or install it locally.

To obtain this configuration profile for upload, see the following from Jamf's GitHub repository: https://github.com/jamf/Jamf-Connect-Resources/blob/master/Jamf-Connect-PPPC-FileVault.mobileconfig

Disabling Automatic FileVault Login

To prevent the macOS login process from skipping Jamf Connect when FileVault is enabled, you can disable automatic login on computers.

The following diagram shows how these settings ensure the Jamf Connect login window is not bypassed during login:

You can disable automatic login on computers by doing one of the following:

Enable the Require Network Authentication (DenyLocal) setting in the Jamf Connect login window configuration profile, which forces the Jamf Connect login window to be displayed and completed by users during the login process.

Upload the following PLIST file using the Custom Settings payload in your MDM solution. Make sure you specify the following preference domain: com.apple.loginwindow

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
<plist version="1.0">  
  <dict>  
    <key>DisableFDEAutoLogin</key>  
    <true/>  
  </dict> 
</plist>

User Experience and Security

Although security measures, such as FileVault and multifactor authentication (MFA), significantly improve the security of Mac computers, administrators should only implement necessary security features in their environment to ensure a positive end user experience. Excessive security combined with Jamf Connect may result in multiple computer login prompts for users and continuous authentication with the Jamf Connect menu bar app.

Enabling FileVault for Standard Local Accounts on macOS 10.15

Note:

On macOS 11 or later, the Local Administrator Password Solution (LAPSUser) is not required to enable FileVault for standard accounts. A SecureToken is granted to the first local account of any type created on computers.

If you want to use Jamf Connect to create a standard local account that is FileVault enabled on macOS 10.15, you must use the Local Administrator Password Solution (LAPSUser) setting. This setting randomizes an already existing local administrator account password, uses the password to enable FileVault and create a personal recovery key, and then cycles the personal recovery key to become the local administrator password. This results in the configured LAPS administrator account and standard user account being FileVault enabled.

Keep the following in mind about FileVault and standard accounts on macOS 10.15 or later:

The first FileVault enabled user account on a computer cannot be a standard user account. An existing local administrator must be on the computer to use this method.
Only the first created standard account will receive a SecureToken.

To ensure the LAPS User (LAPSUser) setting on ly runs when required, this setting is ignored on computers in the following scenarios:

If any account type logs in with Jamf Connect on computers with macOS 11 or later.
If a local administrator logs in with Jamf Connect on computers with macOS 10.15 or later.

FileVault Enablement with Jamf Connect by macOS Version


Account Type	10.14.x	10.15.x	11.0.x
Administrator	Use the Enable FileVault (`EnableFDE`) setting to enable FileVault for the first user that logs in.	Configure the Privacy Preferences Policy Control (PPPC) payload to manage pre-approval of FileVault enablement. Use the Enable FileVault (`EnableFDE`) setting to enable FileVault for the first user that logs in.	Use the Enable FileVault (`EnableFDE`) setting to enable FileVault for the first user that logs in. Configure the Privacy Preferences Policy Control (PPPC) payload to manage pre-approval of FileVault enablement.
Standard	Use the Enable FileVault (`EnableFDE`) setting to enable FileVault for the first user that logs in. Use the LAPS User(`LAPSUser`) setting to grant a SecureToken to an existing local administrator or management account and standard account.	Use the Enable FileVault (`EnableFDE`) setting to enable FileVault for the first user that logs in. Use the LAPS User(`LAPSUser`) setting to grant a SecureToken to an existing local administrator or management account and standard account. Configure the Privacy Preferences Policy Control Payload (PPPC) to manage pre-approval of FileVault enablement.	Use the Enable FileVault (`EnableFDE`) setting to enable FileVault for the first user that logs in. Configure the Privacy Preferences Policy Control (PPPC) payload to manage pre-approval of FileVault enablement. Note: The LAPS User (`LAPSUser`) is not required. A SecureToken is granted to the first local account of any type created on computers.