How do I use FileVault encryption with Jamf on a Mac?

Introduction

To allow Jamf Pro to manage your FileVault encryption, you will need to enroll your Mac with Jamf Pro, approve its MDM status, and tell it to "Manage My FileVault".

"Manage My FileVault" entails the following:

• Enable FileVault
• Escrow FileVault
• Recovery Key
• Prompt User to Re-issue Recovery Key when found to be invalid
• Prompt User to Re-Enable FileVault when found to not be enabled

Enrollment

Enrollment can happen in two ways. If your Mac is running macOS 10.14 or 10.15, a small PKG installer can be run to install the jamf agent and the MDM Profile. On macOS 10.14, 10.15, and 11.0+, a web enrollment process must be performed to install the MDM Profile, and then the jamf agent.

Prerequisites

1. A Mac running macOS Mojave (10.14), Catalina (10.15), or Big Sur (11.0).
2. A user account on that Mac with administrative privileges and a SecureToken.

Assumptions

1. The Mac being encrypted and managed is not managed by any other MDM server.
2. The Mac is not being managed by Jamf Pro by an IT admin/organization signed onto the UIC Tech Solutions Endpoint Management service (EPM).

Checking if your account has a SecureToken

If your user account on your Mac was created during device setup, or was added manually by the account created during device setup, your account likely has a SecureToken and you can skip this section.

1. Open Terminal.app
2. Run sysadminctl -secureTokenStatus your_username_goes_here
3. Enter your password
4. Ensure the output contains "SecureToken is ENABLED"

PKG Enrollment

1. Obtain the FV_QuickAdd.pkg package from TDX.
2. Double click the FV_QuickAdd.pkg file. You might be asked if you're sure you want to open this file. Confirm that you do.
3. Click Next, then Choose your boot volume as an install target.
4. Click Next twice, then wait for the installation to finish.
5. After the installation is finished, open System Preferences, Profiles. If no Profiles pane exists, quit System Preferences, wait a few moments, and try again.
6. Find the Profile named "MDM Profile" in the left-hand column.
7. Click MDM Profile, then click "Approve".

Web Enrollment

NOTE: We will need to figure out a way to securely dole out access to Enrollment Only privileges within Jamf, likely through some TDX Form.

0. Open a web browser and navigate to https://jamf.uic.edu:8443/enroll
1. Enter your netID and password.
2. If prompted to choose a Site, choose "None". Choosing any other site might result in unintended software changes and data loss.
3. Download the CA Certificate Profile.
4. Open System Preferences and open the Profile pane. Click Install on the CA Certificate Profile.
5. Go back to the web browser, and an MDM Profile will download.
6. Perform the same action as in step 5 for the MDM Profile.
7. The web browser will update to show "The Enrollment Process is Complete"

Enabling "Manage My FileVault"

1. Open Software Center.app in /Applications. This application was installed by Jamf Pro during enrollment.
2. Find the "Manage My FileVault" item in the Featured or Security categories, or search for it.
3. Click "Manage". A short process will take place, after which, you should see a prompt telling your your Mac will reboot in 1 minute.
4. Logout or Reboot your Mac. You will be prompted to enable FileVault, click OK. You may be asked for a password; you should input the same password you use to login to your Mac.

I'm Locked Out of My Mac

Requesting the Recovery Key

• Contact us

Using the Recovery Key

1. Boot your Mac normally.
2. Click the Question Mark button in the password field at the FileVault login screen (typically the first screen you see after the Apple Logo during boot). For Apple Silicon Macs, this process is slightly different.
3. Click the arrow next to "Reset using your Recovery Key".
4. Enter the recovery key.
5. Wait until your Mac boots, then login. If you have forgotten your password, follow the instructions here.