Deploying the Disk Encryption Configuration

After creating a disk encryption configuration, deploy it with a policy to activate FileVault.

The event that activates FileVault depends on the enabled FileVault user specified in the disk encryption configuration. If the enabled user is “Management Account”, FileVault is activated on a computer the next time the computer restarts. If the enabled user is “Current or Next User”, FileVault is activated on a computer the next time the current user logs out or the computer restarts. In addition, if you are deploying a disk encryption configuration using a policy, you can configure the policy to defer FileVault enablement until after multiple user logins have occurred.

  1. Log in to the JSS with a web browser.

  2. Click Computers at the top of the page.

  3. Click Policies.
    On a smartphone, this option is in the pop-up menu.

  4. Click New.

  5. In the General payload, enter a display name for the policy. For example, “FileVault Disk Encryption”.

  6. Select a trigger.

  7. Choose “Once per computer” from the Execution Frequency pop-up menu.

  8. Select the Disk Encryption payload and click Configure.

  9. Choose “Apply Disk Encryption Configuration” from the Action pop-up menu.

  10. Choose the disk encryption configuration from the Disk Encryption Configuration pop-up menu.

  11. Choose an event from the Require FileVault 2 pop-up menu to specify when users must enable disk encryption.

  12. If “Management Account” is selected as the enabled FileVault user in the disk encryption configuration, do the following:

    1. Select the Restart Options payload and configure restart settings for the computer.

    2. (Optional) If you are using the Casper Suite v9.63 or later, select “Perform authenticated restart on computers with FileVault 2 enabled” to allow FileVault-enabled computers with OS X v10.8.2 or later to be restarted without requiring an unlock the next time the computer starts up.
      For this to work on computers with FileVault activated, the enabled FileVault user must log in after the policy runs for the first time and the computer has restarted.

    3. (Optional) Click the User Interaction tab and customize the restart message displayed to users.

  13. Click the Scope tab and configure the scope of the policy.

    Note: It is recommended that the scope of this policy includes a smart group with computers that are FileVault eligible, but are not yet encrypted. For information on how to create this smart group, see Creating Smart Computer Groups for FileVault.

  14. Click Save.

The policy runs on computers in the scope the next time they check in with the JSS and meet the criteria in the General payload.

Copyright JAMF Software, LLC 2016