
Casper - FileVault 2 Encryption

To encrypt your Macs with FileVault 2, follow these steps. Note that all FV2-enabled accounts will now show up at the login screen, which may cause some initial confusion for the end user.

To encrypt:

  • Log in to the JSS. Go to Computers, then Policies. Click New.
    • Give the policy a name, such as "DepartmentName Encryption."
    • Assign a category.
    • Click on Disk Encryption on the left, then configure.
      • Ensure IS&T FileVault 2 is selected from the Disk Encryption Configuration drop-down.
    • Click on Restart Options on the left.
    • Change User Logged in Action to restart immediately.
    • Click on Scope at the top.
      • Assign an appropriate scope, such as "all computers." Otherwise, target individual machines or smart groups.
    • Click on Self Service at the top. This adds the policy to Self Service, where it can be run at the end user's convenience.
      • Check Make the policy available in Self Service.
      • Add a description if desired. You may also want to check the Ensure that users view the description box.
      • Check Feature the policy on the main page. This will ensure users can find it easily.
    • Click on User Interaction at the top.
      • Change the restart message to something like "Your machine will restart immediately. Please save any open work."
    • Click Save.

User Issues

By default, the only account that will be able to unlock the disk will be the user who encrypts the machine. This means the local admin account will no longer be able to log in. There are two ways to fix this:

1. Do it manually on the local machine. In System Preferences under Security & Privacy, click on FileVault, then click the Enable Users button.

2. Delete and recreate the account with Casper. This will archive any existing files in the account (or delete them if you choose) and create a brand new account with the same name and a password you choose. For this reason, it is recommended to use this only for admin accounts with no files that need to be saved. To set up the policy in Casper, follow these steps:

  • Log in to the JSS.
    • You will need to create a smart group that only targets your encrypted machines.
      • Go to Computers > Smart Computer Groups. Click New.
        • Give it a name, such as "FileVault 2 enabled machines."
        • Click on Criteria then add.
        • Select FileVault 2 Status
          • Click the three dots next to value, Select Boot Partitions Encrypted.
        • Click "save."
    • Go to Computers, then Policies. Click New.
    • Give the policy a name, such as "Recreate admin account for FileVault."
    • Assign a category.
    • Select Recurring Check-in for the trigger. This means the policy will apply within 30 minutes.
    • Click on Local Accounts on the left then click Configure.
      • Select Delete Account and enter the username. If there are no files you need, you can select Permanently delete home directory.
      • Click the plus (+) sign. You will now create an account.
        • Set the Action to Create Account.
        • Fill in the required information.
        • Ensure you check the box for Enable user for FileVault 2. You may also want the user to be an administrator.
    • Click on Scope at the top.
    • Click add then select Computer Groups. Select the Smart Group you created earlier.
    • Click save. The old account will be deleted, then added again as a FileVault 2 enabled user.
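To confirm on the Mac itself that the recreated admin account can unlock the disk, the following added example (not part of the IS&T documentation) parses the `shortname,UUID` lines printed by `fdesetup list` and reports any required account that is missing. The account name `localadmin` and the sample list are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: report which required accounts cannot unlock a FileVault 2 disk.
# Input format is the output of `fdesetup list`: one "shortname,UUID" per line.

# Print the short names found in `fdesetup list` output read from stdin.
fv_enabled_users() {
    # Keep only lines that have a name and a UUID-looking second field.
    awk -F, 'NF == 2 && $1 != "" && $2 ~ /^[0-9A-Fa-f-]+$/ { print $1 }'
}

# missing_fv_users "<fdesetup list output>" user1 user2 ...
# Prints each required user that is NOT FileVault-enabled, space separated.
missing_fv_users() {
    list_output=$1
    shift
    enabled=$(printf '%s\n' "$list_output" | fv_enabled_users)
    missing=""
    for user in "$@"; do
        # -x: whole-line match, -F: literal string, so "admin" != "admin2".
        if ! printf '%s\n' "$enabled" | grep -qxF -- "$user"; then
            missing="${missing:+$missing }$user"
        fi
    done
    printf '%s' "$missing"
}

# Constructed sample: only the user who ran the encryption policy is enabled.
SAMPLE_LIST='jdoe,11111111-2222-3333-4444-555555555555'

# Live check for a Mac; `fdesetup list` requires root.
# Usage: check_this_mac localadmin   ("localadmin" is a hypothetical name)
check_this_mac() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found"; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root"; return 2; }
    missing=$(missing_fv_users "$(fdesetup list 2>/dev/null)" "$@")
    if [ -n "$missing" ]; then
        echo "Not FileVault-enabled: $missing"
        return 1
    fi
    echo "All required accounts can unlock the disk"
}
```

Run `check_this_mac` with the admin short name before and after the policy applies; a non-zero return means the account still cannot unlock the disk at the pre-boot login screen.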

Access Recovery Key

  • Log in to the JSS
  • Go to Computers.
    • Search for the computer name or serial number in the search box, then click on it.
  • If the user doesn't know the hostname or serial number, go to Users and search for their Kerberos ID. Select the user, then select their machine.
    • Once you have found the machine, go to the Management tab at the top.
      • Click FileVault 2 on the left.
      • Click Get FileVault 2 Recovery Key.

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

May 03, 2016
