Creating Smart Computer Groups for FileVault

You can use the JSS to create smart computer groups that can be used as the scope of FileVault tasks. FileVault smart computer groups can be based on the following criteria:

  • Computers that are eligible to be FileVault encrypted but are not yet encrypted

  • Computers that are FileVault encrypted

  • Computers that are in a specific FileVault partition encryption state

  • Computers that are not eligible to be FileVault encrypted

  • Computers with an invalid individual recovery key

  • Computers on which a specified user is enabled for FileVault

After creating a smart computer group, you can view its memberships.

Note: You can create smart computer groups based on additional FileVault criteria that are not covered in this guide. For information on all FileVault smart group criteria, see the following Knowledge Base article:
Smart Group and Advanced Search Criteria for FileVault 2 and Legacy FileVault

Creating a Smart Group of Computers that are Eligible to be FileVault Encrypted but are Not Yet Encrypted

  1. Log in to the JSS with a web browser.

  2. Click Computers at the top of the page.

  3. Click Smart Computer Groups.
    On a smartphone, this option is in the pop-up menu.

  4. Click New.

  5. On the Computer Group pane, enter a display name for the group.

  6. To enable email notifications, select the Send email notification on membership change checkbox.

  7. Click the Criteria tab.

  8. Click Add.

  9. Click Choose for “All Criteria”, and then click Choose for “FileVault 2 Eligibility”.
    When the criterion is displayed, make sure the operator is set to “is”.

  10. Click Browse, and then click Choose for “Eligible”.

  11. Click Add.

  12. Click Choose for “All Criteria”, and then click Choose for “FileVault 2 Partition Encryption State”.
    When the criterion is displayed, make sure the operator is set to “is”.

  13. Click Browse, and then click Choose for “Not Encrypted”.

  14. Choose “and” from the And/Or pop-up menu to specify the relationship between the criteria.

  15. Click Save.

Group memberships are updated each time computers check in with the JSS and meet or fail to meet the specified criteria.

To view the group’s membership, click View.
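
The group built in the steps above can also be written down as data, which makes the scope reviewable and repeatable. The following is an added example, not part of the original guide or JAMF's own code: `smart_group_xml` and the constants are hypothetical names, and the XML element names are assumed from the JSS Classic API computer group resource. It accepts only the criteria and operators named in this guide, so a mistyped criterion fails loudly instead of producing a wrongly scoped group.

```python
import xml.etree.ElementTree as ET

# Criteria and operators named in this guide; anything else is rejected so
# that a typo cannot silently produce an empty or over-broad scope.
KNOWN_CRITERIA = {
    "FileVault 2 Eligibility",
    "FileVault 2 Status",
    "FileVault 2 Partition Encryption State",
    "FileVault 2 Individual Key Validation",
    "FileVault 2 User",
    "Partition Name",
}
KNOWN_OPERATORS = {"is", "is not", "has"}

# The two criteria from steps 9-13, joined with "and" (step 14).
NOT_YET_ENCRYPTED = [
    ("FileVault 2 Eligibility", "is", "Eligible"),
    ("FileVault 2 Partition Encryption State", "is", "Not Encrypted"),
]


def smart_group_xml(display_name, criteria):
    """Build the XML body for a smart computer group (hypothetical helper).

    Element names are assumed from the JSS Classic API computer group
    resource; verify them against your JSS version before sending.
    """
    if not criteria:
        raise ValueError("a smart group needs at least one criterion")
    group = ET.Element("computer_group")
    ET.SubElement(group, "name").text = display_name
    ET.SubElement(group, "is_smart").text = "true"
    crit_list = ET.SubElement(group, "criteria")
    for priority, (name, operator, value) in enumerate(criteria):
        if name not in KNOWN_CRITERIA:
            raise ValueError(f"unknown criterion: {name!r}")
        if operator not in KNOWN_OPERATORS:
            raise ValueError(f"unknown operator: {operator!r}")
        crit = ET.SubElement(crit_list, "criterion")
        for tag, text in (("name", name), ("priority", str(priority)),
                          ("and_or", "and"), ("search_type", operator),
                          ("value", value)):
            ET.SubElement(crit, tag).text = text
    return ET.tostring(group, encoding="unicode")


if __name__ == "__main__":
    print(smart_group_xml("FileVault: eligible, not encrypted", NOT_YET_ENCRYPTED))
```

The other groups in this guide can be expressed the same way by passing their criteria, for example `[("FileVault 2 Individual Key Validation", "is", "Invalid")]`.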

Creating a Smart Group of Computers that are FileVault Encrypted

  1. Log in to the JSS with a web browser.

  2. Click Computers at the top of the page.

  3. Click Smart Computer Groups.
    On a smartphone, this option is in the pop-up menu.

  4. Click New.

  5. On the Computer Group pane, enter a display name for the group.

  6. To enable email notifications, select the Send email notification on membership change checkbox.

  7. Click the Criteria tab.

  8. Click Add.

  9. Click Choose for “All Criteria”, and then click Choose for “FileVault 2 Status”.
    When the criterion is displayed, make sure the operator is set to “is”.

  10. Click Browse, and then click Choose for “Boot Partitions Encrypted”.

  11. Click Save.

Group memberships are updated each time computers check in with the JSS and meet or fail to meet the specified criteria.

To view the group’s membership, click View.

Creating Smart Groups of Computers with a Partition in a Specific Encryption State

You can create a smart group of computers with a partition that is in any of the following encryption states:

  • Decrypted

  • Decrypting

  • Encrypted

  • Encrypting

  • Ineligible

  • Not Encrypted

  • Unknown

  1. Log in to the JSS with a web browser.

  2. Click Computers at the top of the page.

  3. Click Smart Computer Groups.
    On a smartphone, this option is in the pop-up menu.

  4. Click New.

  5. On the Computer Group pane, enter a display name for the group.

  6. To enable email notifications, select the Send email notification on membership change checkbox.

  7. Click the Criteria tab.

  8. Click Add.

  9. Click Choose for “All Criteria”, and then click Choose for “Partition Name”.

  10. Choose “has” from the Operator pop-up menu.

  11. Type a partition name in the Value field, or click Browse, and then click Choose for “Boot Partition”.

  12. Click Add.

  13. Click Choose for “All Criteria”, and then click Choose for “FileVault 2 Partition Encryption State”.
    When the criterion is displayed, make sure the operator is set to “is”.

  14. Click Browse, and then click Choose for the encryption state you want to base the group on.

  15. Choose “and” from the And/Or pop-up menu to specify the relationship between the criteria.

  16. Click Save.

Group memberships are updated each time computers check in with the JSS and meet or fail to meet the specified criteria.

To view the group’s membership, click View.

Creating a Smart Group of Computers that are Not Eligible for FileVault Encryption

You can create a smart group of computers that do not have an institutional recovery key.

  1. Log in to the JSS with a web browser.

  2. Click Computers at the top of the page.

  3. Click Smart Computer Groups.
    On a smartphone, this option is in the pop-up menu.

  4. Click New.

  5. On the Computer Group pane, enter a display name for the group.

  6. To enable email notifications, select the Send email notification on membership change checkbox.

  7. Click the Criteria tab.

  8. Click Add.

  9. Click Choose for “All Criteria”, and then click Choose for “FileVault 2 Eligibility”.

  10. Choose “is not” from the Operator pop-up menu.

  11. Click Browse, and then click Choose for “Eligible”.

  12. Click Save.

Group memberships are updated each time computers check in with the JSS and meet or fail to meet the specified criteria.

To view the group’s membership, click View.

Creating a Smart Group of Computers with an Invalid Individual Recovery Key

You can create a smart computer group to validate that the individual recovery key on computers matches the key stored in the JSS.

  1. Log in to the JSS with a web browser.

  2. Click Computers at the top of the page.

  3. Click Smart Computer Groups.
    On a smartphone, this option is in the pop-up menu.

  4. Click New.

  5. On the Computer Group pane, enter a display name for the group.

  6. To enable email notifications, select the Send email notification on membership change checkbox.

  7. Click the Criteria tab.

  8. Click Add.

  9. Click Choose for “All Criteria”, and then click Choose for “FileVault 2 Individual Key Validation”.
    When the criterion is displayed, make sure the operator is set to “is”.

  10. Click Browse, and then click Choose for “Invalid”.

  11. Click Save.

Group memberships are updated each time computers check in with the JSS and meet or fail to meet the specified criteria.

To view the group’s membership, click View.

Creating a Smart Group of Computers for Which a Specified User is Enabled for FileVault

You can create a smart computer group to identify the computers for which a specified user is enabled for FileVault.

  1. Log in to the JSS with a web browser.

  2. Click Computers at the top of the page.

  3. Click Smart Computer Groups.
    On a smartphone, this option is in the pop-up menu.

  4. Click New.

  5. On the Computer Group pane, enter a display name for the group.

  6. To enable email notifications, select the Send email notification on membership change checkbox.

  7. Click the Criteria tab.

  8. Click Add.

  9. Click Choose for “All Criteria”, and then click Choose for “FileVault 2 User”.
    When the criterion is displayed, make sure the operator is set to “has”.

  10. Enter a username, or click Browse, and then click Choose for a FileVault 2-enabled user.

  11. Click Save.

Group memberships are updated each time computers check in with the JSS and meet or fail to meet the specified criteria.

To view the group’s membership, click View.

Copyright JAMF Software, LLC 2016