Posted on 23rd August 2017 by Darren Wallace

Profile to enable FileVault 2 only

Hey all, I’m on a bit of a profile binge at the moment, so bear with me.

In my last blog I discussed how to sign a configuration profile and used the example of trying to force FileVault 2 enablement, without locking out the rest of the Security & Privacy System Preferences pane. Time to put my money where my mouth is!

Gimmie, gimmie, gimmie!

The profile can be found on our Amsys profile GitHub Repo and has been tested on 10.12.x, so make sure to test in your environment!

How’s it look?

In case you’re wondering, this is how it looks:

[Screenshot: Profile to Enable FileVault 2 only, General security tab]

[Screenshot: Profile to Enable FileVault 2 only, FileVault tab]

No other settings blocked for the user at all!

A few words of warning…

If your MDM solution tries to alter the profile once uploaded, you will need to sign it before you upload it (as outlined in my last post).

Also, as you’re using a more surgical method for something that already exists as a GUI option, you should not use any of the GUI ‘Security & Privacy’ payload options for profiles on the same devices you use this profile on. If you do, there will almost certainly be conflicts and ‘undefined’ issues will occur. You have been warned!

Summary

Ah, a short and sweet blog for today. As always, if you have any questions, queries or comments, let us know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.