Turning On FileVault with Jamf Connect
- Last Updated: Nov 4, 2024
You can use Jamf Connect to turn on FileVault encryption on Mac computers for local accounts. You can also store the user's personal recovery key (PRK) at a specified file path.
This workflow assumes that the first user created by Jamf Connect is also the first user to receive cryptographic privileges from macOS via SecureToken. Deploy it only when Jamf Connect is provisioning the first user account on the computer.
- In Jamf Connect, use the `EnableFDE` key in the configuration profile. You may want to omit the deprecated `LAPSUser` key, as it only applies to macOS 10.15 and the requirements document its support as removed.
- Deploy a configuration profile for the FileVault escrow key that disallows users from turning off FileVault, using the following guidelines:
  - Set the profile to not turn on FileVault.
  - Use the Jamf Pro profile examples for settings guidance to escrow the PRK and prevent users from disabling it.
  - For non-Jamf Pro MDMs, you may want to use a FileVault escrow profile and, if needed, deploy a profile with the FileVault Options payload and the `DontAllowFDEDisable` key.
- If you are using Jamf Pro, do the following:
  - In Jamf Pro, create a PPPC configuration profile by selecting the Jamf Connect checkbox in the Jamf Pro Security settings, and a FileVault profile that prompts the user at login or logout and escrows the PRK on the next inventory update.
  - Note: To turn on FileVault, Jamf Connect requires a Privacy Preferences Policy Control (PPPC) profile on computers with macOS 12 or later.
  - If a Jamf Connect login window is enabled on computers, the default macOS automatic login behavior with FileVault may prevent the Jamf Connect login window from loading and prompting for network authentication. You can download this configuration from the Jamf Open Source Community jamf / JamfPrivacyPreferencePolicyControlProfiles (GitHub) or configure and deploy it with Jamf.
  - If you do not have a Jamf Pro license, download the PPPC configuration file at jamf / jamfconnect (GitHub) and deploy it.
In the Jamf Pro Security and Privacy payload, perform the following:
- Select Enable FileVault.
- In the Event to prompt FileVault enablement section, select either At Logout or At Login.
- In the Escrow Personal Recovery Key section, select Escrow PRK.
- Select Disallow users from turning off FileVault.
- Select Escrow the PRK.
To enable FileVault settings on macOS 11 or later, you must install a configuration profile that configures the Privacy Preferences Policy Control (PPPC) payload on computers. You can upload the profile to an MDM solution manually or configure and deploy it in Jamf Pro.
Deploying Privacy Preference Policy Control Settings with Jamf Pro
To configure and deploy PPPC payload settings with Jamf Pro, complete the following steps:
- In Jamf Pro, click Settings in the sidebar.
- In the Computer Management section, click Security.
- Click Edit.
- Select the Jamf Connect checkbox from the Automatically install Privacy Preferences Policy Control profile settings section.
- Click Save.
Uploading Privacy Preferences Policy Control Settings Manually
You can upload a .mobileconfig file directly to your MDM solution or install it locally.
To obtain this configuration profile for upload, see Jamf's GitHub repository: jamf / jamfconnect (GitHub)
To prevent the macOS login process from skipping Jamf Connect when FileVault is enabled, you can disable automatic login on computers.

You can disable Apple's automatic login feature on computers by doing one of the following:
- Enable the Require Network Authentication (`DenyLocal`) setting. This setting forces network authentication to occur on computers that already have the Jamf Connect login window enabled, which prevents the Jamf Connect login window password from being bypassed by FileVault.
- Upload the following PLIST file using the Custom Settings payload in your MDM solution. Make sure you specify the `com.apple.loginwindow` preference domain:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DisableFDEAutoLogin</key>
    <true/>
</dict>
</plist>
```
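The keys this page spreads across several steps (`EnableFDE` and the deprecated `LAPSUser` in the Jamf Connect settings, `DontAllowFDEDisable` in the FileVault Options payload, and `DenyLocal` plus `DisableFDEAutoLogin` for the automatic-login problem) are easy to lose track of once they live in three separate profiles. The following script is an added example, not code from Jamf or from this page: it builds a combined `.mobileconfig` with Python's standard `plistlib` and then audits any profile for those keys, so a weak variant (one payload missing, or the deprecated key still present) is reported before it ships. It assumes that the Jamf Connect login window preference domain is `com.jamf.connect.login` and that the FileVault Options payload type is `com.apple.MCX`; all identifiers and UUIDs are constructed placeholders, and it does not model how a Jamf Custom Settings upload wraps a preference domain.

```python
"""Added example (not from the Jamf page): build and audit the FileVault-related
payloads discussed above, using only the standard-library plistlib.

Assumptions: the Jamf Connect login window domain is com.jamf.connect.login and
the FileVault Options payload type is com.apple.MCX. Identifiers and UUIDs are
constructed placeholders.
"""
import plistlib
import uuid

JAMF_CONNECT_LOGIN = "com.jamf.connect.login"  # assumed Jamf Connect login domain
FILEVAULT_OPTIONS = "com.apple.MCX"            # carries DontAllowFDEDisable
LOGINWINDOW = "com.apple.loginwindow"          # carries DisableFDEAutoLogin

# Settings an auditor expects for the "Jamf Connect provisions the first user"
# workflow: turn FileVault on, block disabling it, and defeat FileVault auto-login.
REQUIRED = {
    JAMF_CONNECT_LOGIN: {"EnableFDE": True, "DenyLocal": True},
    FILEVAULT_OPTIONS: {"DontAllowFDEDisable": True},
    LOGINWINDOW: {"DisableFDEAutoLogin": True},
}

# Keys the page says to omit because support was removed.
DEPRECATED = {JAMF_CONNECT_LOGIN: ["LAPSUser"]}


def _payload(payload_type, settings):
    """One payload dictionary for a .mobileconfig, keyed by preference domain."""
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{payload_type}.{uuid.uuid4()}",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        **settings,
    }


def build_profile(include_fde_options=True, disable_auto_login=True,
                  extra_login_keys=None):
    """Return a profile as XML plist bytes. The flags produce the weak variants
    (a payload left out, or a deprecated key kept) that audit_profile should flag."""
    login_settings = {"EnableFDE": True, "DenyLocal": True, **(extra_login_keys or {})}
    payloads = [_payload(JAMF_CONNECT_LOGIN, login_settings)]
    if include_fde_options:
        payloads.append(_payload(FILEVAULT_OPTIONS, {"DontAllowFDEDisable": True}))
    if disable_auto_login:
        payloads.append(_payload(LOGINWINDOW, {"DisableFDEAutoLogin": True}))
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.filevault.jamfconnect",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "FileVault with Jamf Connect (example)",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def _settings_by_domain(xml_bytes):
    """Merge every payload's keys under its PayloadType so lookups are simple."""
    found = {}
    for payload in plistlib.loads(xml_bytes).get("PayloadContent", []):
        found.setdefault(payload.get("PayloadType"), {}).update(payload)
    return found


def audit_profile(xml_bytes):
    """Map "domain/key" to True when the key is a boolean set as expected.
    A missing payload, a missing key, or a non-boolean value all count as failures."""
    found = _settings_by_domain(xml_bytes)
    result = {}
    for domain, keys in REQUIRED.items():
        for key, expected in keys.items():
            value = found.get(domain, {}).get(key)
            result[f"{domain}/{key}"] = isinstance(value, bool) and value == expected
    return result


def missing_controls(xml_bytes):
    """Sorted names of controls that are absent or wrong; empty means all present."""
    return sorted(k for k, ok in audit_profile(xml_bytes).items() if not ok)


def deprecated_keys(xml_bytes):
    """Sorted "domain/key" names of deprecated keys still present in the profile."""
    found = _settings_by_domain(xml_bytes)
    return sorted(f"{domain}/{key}" for domain, keys in DEPRECATED.items()
                  for key in keys if key in found.get(domain, {}))


if __name__ == "__main__":
    print(build_profile().decode())
    weak = build_profile(include_fde_options=False, extra_login_keys={"LAPSUser": "admin"})
    print("missing:", missing_controls(weak))
    print("deprecated:", deprecated_keys(weak))
```

Run against a profile exported from the MDM, `missing_controls` returns an empty list only when all three payloads carry their key as a true boolean, and `deprecated_keys` names any `LAPSUser` entry that should have been dropped. The checker is strict on type on purpose: a profile author who writes the value as the string "true" or the integer 1 gets a failure rather than a silently ignored setting.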
Although security measures, such as FileVault and multifactor authentication (MFA), significantly improve the security of Mac computers, administrators should only implement necessary security features in their environment to ensure a positive end user experience. Excessive security combined with Jamf Connect may result in multiple computer login prompts for users and continuous authentication with Self Service+.
Account Type | 12.0.x
---|---
Administrator | Use the Enable FileVault ( Configure the Privacy Preferences Policy Control (PPPC) payload to manage pre-approval of FileVault enablement.
Standard | Use the Enable FileVault ( Configure the Privacy Preferences Policy Control (PPPC) payload to manage pre-approval of FileVault enablement. Note: The LAPS User (