Enabling or Disabling a Local Account for FileVault

When you create a new account, you can enable the account for FileVault. You can also disable an existing account for FileVault.

Requirements

To enable a new account for FileVault, the computer must have OS X v10.11 and have an existing, valid individual recovery key that matches the key stored in the JSS.

To disable an existing account for FileVault, the computer must have OS X v10.11.

Enabling a New Local Account for FileVault

  1. Log in to the JSS with a web browser.

  2. Click Computers at the top of the page.

  3. Click Policies.
    On a smartphone, this option is in the pop-up menu.

  4. Click New.

  5. In the General payload, enter a display name for the policy. For example, “Add Local Account for FileVault”.

  6. Select a trigger and execution frequency.

  7. Select the Local Accounts payload and click Configure.

  8. Choose “Create Account” from the Action pop-up menu.

  9. Specify the required information for the local account, including the username, full name, password, and home directory location.

  10. Select the Enable user for FileVault 2 checkbox.

  11. (Optional) Select the Maintenance payload and then select the Update Inventory checkbox so that the FileVault-enabled status for the user is updated in inventory immediately when the policy runs.

  12. Click the Scope tab and configure the scope of the policy.
    Note: If applicable, you can use the smart computer group you created in “Creating a Smart Group of Computers that are FileVault Encrypted” as the scope for the policy.

  13. Click Save.

The policy runs on computers in the scope the next time they check in with the JSS and meet the criteria in the General payload.

Disabling an Existing Local Account for FileVault

  1. Log in to the JSS with a web browser.

  2. Click Computers at the top of the page.

  3. Click Policies.
    On a smartphone, this option is in the pop-up menu.

  4. Click New.

  5. In the General payload, enter a display name for the policy. For example, “Disable Local Account for FileVault”.

  6. Select a trigger and execution frequency.

  7. Select the Local Accounts payload and click Configure.

  8. Choose “Disable User for FileVault 2” from the Action pop-up menu.

  9. Enter the username of the user you want to disable for FileVault.

  10. (Optional) Select the Maintenance payload and then select the Update Inventory checkbox so that the FileVault-enabled status for the local account is updated in inventory immediately when the policy runs.

  11. Click the Scope tab and configure the scope of the policy.
    Note: If applicable, you can use the smart computer group you created in “Creating a Smart Group of Computers for Which a Specified User is Enabled for FileVault” as the scope for the policy.

  12. Click Save.

The policy runs on computers in the scope the next time they check in with the JSS and meet the criteria in the General payload.
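
To confirm on a computer that either policy had the intended effect, the following added example (not part of the original documentation) audits the output of `fdesetup list`, which prints one username,UUID line per FileVault-enabled user. The sample output, the usernames, and the function names fv_user_enabled and fv_audit are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit FileVault-enabled users against an expected state.
# `fdesetup list` prints one "username,UUID" line per enabled user.

# Constructed sample output (usernames and UUIDs are made up).
SAMPLE_LIST='admin,11111111-2222-3333-4444-555555555555
jdoe,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'

# fv_user_enabled LIST USER -> exit 0 only on an exact username match.
# A substring match would wrongly treat "jdo" or "jdoe2" as "jdoe".
fv_user_enabled() {
    printf '%s\n' "$1" |
        awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# fv_audit LIST "users that must be enabled" "users that must be disabled"
# Prints one line per mismatch and returns the number of mismatches.
fv_audit() {
    list=$1
    failures=0
    for u in $2; do
        if ! fv_user_enabled "$list" "$u"; then
            echo "MISSING: $u is not enabled for FileVault"
            failures=$((failures + 1))
        fi
    done
    for u in $3; do
        if fv_user_enabled "$list" "$u"; then
            echo "UNEXPECTED: $u is still enabled for FileVault"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Run against the constructed sample; on a managed Mac, run as root:
#   fv_audit "$(fdesetup list)" "newaccount" "disabledaccount"
fv_audit "$SAMPLE_LIST" "admin jdoe" "olduser" &&
    echo "FileVault user state matches the expected state"
```

A non-zero exit status equals the number of accounts whose FileVault state differs from what the policies should have produced.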

Copyright JAMF Software, LLC 2016