Leveraging FileVault 2 on Casper

So Lachlan posted a script to leverage FileVault 2 in Casper. I agree too: while Casper can do encryption and captures the key, the way it goes about it for end users is just not the most desirable.
I have tested the script and I really liked it, simple and to the point, so I decided to contribute a simple step-by-step tutorial for it.

The script is available on GitHub.
Step 1
Create the encryption setup in the JSS by going into Management Settings under Computers and clicking on Disk Encryption Configurations.

[Screenshot: Disk Encryption Configurations under Management Settings]

In Disk Encryption Configurations, click New and enter a name for the configuration.

I recommend selecting Individual for your Recovery Key type so that it is unique to each user, but you can use an Institutional key (it all depends on your privacy settings).

Important: by default, the Enable FileVault 2 User option is set to Management Account; you want to change that to Current or Next User.

[Screenshot: new Disk Encryption configuration with Recovery Key type and Enable FileVault 2 User options]

Once you are done, click Save.

Now that we have our FileVault settings, we will set up a policy to make use of them.

Go into Policies and create a new policy.

No triggers (leave all triggers unchecked), but set the frequency to Ongoing.

[Screenshot: policy General settings, no triggers, frequency Ongoing]

Select Disk Encryption on the left side and set it to Apply Disk Encryption Configuration (your other option is to issue a new key, and that is not what we are doing). Make sure the Disk Encryption configuration we created earlier is the one selected (if you only have one, it will be selected by default).

[Screenshot: Disk Encryption payload set to Apply Disk Encryption Configuration]

You can set the scope to All Computers (since no trigger is enabled, no machines will receive a prompt for encryption; all is well).

[Screenshot: policy scope set to All Computers]

Now we are done with this configuration policy and we want to save it.

Once you save it, the URL will change slightly and now display an id number; record it, e.g. https://blabla.bla:8443/policies.html?id=124&o=r

So we know our policy id is 124; let's go work on the last piece of the puzzle.

Go into Smart Groups so we can scope all the Macs we would like to encrypt.

Use the following criteria:

FileVault 2 Eligibility is Eligible (we need machines that actually support the feature)

FileVault 2 Status is not …………. (I leave this option open, as some folks may have more than just one partition)

FileVault 2 Partition Encryption State is not Encrypting

[Screenshot: smart group criteria for FileVault 2 Eligibility, Status and Partition Encryption State]

Now that we have our smart group, we will set up the FileVault Helper (thanks, Lachlan).

Go back into Management Settings, but this time select Scripts.

Click New and name your script (for reference, just use FVHelper.sh).

On the Script tab, paste the code from GitHub: Here

Before saving the script, we need to make a few changes on lines 13 and 14.

Line 13 is the list of accounts the script should skip, e.g. admin, administrator, etc.

Line 14 is the policy id we wrote down earlier (124, or whatever the number is for you). Now Save.

Finally, we go into Policies to set up a FVHelper policy.

Set the trigger to Login.

I would set the frequency to Once Every Day (it's up to you, but once the policy runs, that machine will no longer be in scope).

Select Scripts on the left and pick the FVHelper.sh script we set up.

The scope of this policy will be the smart group we created earlier.

[Screenshot: FVHelper policy with Login trigger, Once Every Day frequency and the FVHelper.sh script]

That's it, and now we Save.

When a non-skipped user on a machine that falls within our scope logs in, the user will see the following message:

[Screenshot: message shown to the user at login]

I hope this walkthrough helps anyone trying to get this going.
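To make the FVHelper steps above concrete, here is an added, stripped-down helper in the same spirit. It is not Lachlan's script from GitHub; the skip list, the policy id 124 taken from the URL above, the use of $3 as the login user Casper passes to policy scripts, and the fdesetup / jamf calls are my assumptions.

```shell
#!/bin/bash
# Added example, not the original FVHelper.sh: decide whether the logged-in
# user should be pushed into the "Apply Disk Encryption" policy (id 124).
set -u
SKIP_USERS="admin administrator"   # accounts that must never be prompted (assumed)
FV_POLICY_ID="124"                 # id from the policies.html?id=... URL
# Return 0 when $1 is in the space-separated skip list, 1 otherwise.
is_skipped_user() {
    local user="$1" skip
    for skip in $SKIP_USERS; do
        [ "$user" = "$skip" ] && return 0
    done
    return 1
}
# Decide from the user name and the output of "fdesetup status" (assumed to
# contain "FileVault is On." or "FileVault is Off.") whether to call the policy.
# Prints "run: ..." or "skip: ..." so the decision can be logged.
decide() {
    local user="$1" fv_status="$2"
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "skip: no console user"; return 0
    fi
    if is_skipped_user "$user"; then
        echo "skip: $user is on the skip list"; return 0
    fi
    case "$fv_status" in
        *"FileVault is On"*)  echo "skip: already encrypted" ;;
        *"FileVault is Off"*) echo "run: enabling for $user" ;;
        *)                    echo "skip: unexpected fdesetup output" ;;
    esac
}
main() {
    # $3 is the username Casper hands to a login-triggered policy script;
    # fall back to the console owner when run by hand.
    local user="${3:-$(stat -f%Su /dev/console 2>/dev/null)}"
    local status verdict
    status="$(fdesetup status 2>&1)"
    verdict="$(decide "$user" "$status")"
    logger -t FVHelper "$verdict"
    case "$verdict" in
        run:*) jamf policy -id "$FV_POLICY_ID" ;;
    esac
}
# Only act on a Mac with the Casper binary; elsewhere the functions just load.
if command -v jamf >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    main "$@"
fi
```

The "skip: already encrypted" branch is what keeps a Mac that has already left the smart group from being prompted again if the policy happens to fire once more before inventory updates.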

Updates
Lachlan has added a defer mode, which forces encryption on the end user once the allowed number of deferrals is reached. I will provide updated screenshots soon.
