Resolved: Known issue for FileVault configuration profiles on macOS devices
Published Aug 05 2019 10:58 AM

Updated 12/19/19 - This is now resolved!

We've noticed an issue with one of the FileVault settings for macOS devices in Device Configuration. Depending on how the settings are combined, the FileVault profile may not deploy as intended. We're sharing a workaround here until the fix ships in a future release.

 

When Disable prompt at sign out is Not configured, Number of times allowed to bypass can be set to any value. The screenshot below shows a working scenario.

 

[Screenshot fv1.png: Disable prompt at sign out = Not configured, Number of times allowed to bypass set to any value (working)]

 

When Disable prompt at sign out is set to Enable, Number of times allowed to bypass must be set to a value other than Not configured, as shown in the screenshot below.

 

[Screenshot fv2.png: Disable prompt at sign out = Enable, Number of times allowed to bypass set to a value (working)]

 

The scenario below will not work because Disable prompt at sign out is set to Enable and Number of times allowed to bypass is left at Not configured. The FileVault profile will not be deployed to devices, and reporting will show an error.

 

[Screenshot fv3.png: Disable prompt at sign out = Enable, Number of times allowed to bypass = Not configured (fails to deploy)]

We'll update this post when this is fixed in the console in an upcoming release!
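To make the rule above checkable outside the console, here is an added example (not code from the original post or from Microsoft) that builds the FileVault2 payload for each of the three scenarios and rejects the broken combination, and that audits an exported .mobileconfig for the same mistake. It assumes that Intune's "Disable prompt at sign out" maps to the Apple FileVault2 payload key DeferDontAskAtUserLogout and "Number of times allowed to bypass" to DeferForceAtUserLoginMaxBypassAttempts, that a setting left "Not configured" is simply omitted from the payload, and that the com.example.* identifiers are placeholders; ShowRecoveryKey is Apple's documented key, quoted from Apple's reference in the comments below.

```python
"""Build and audit an Apple FileVault2 payload for the Intune setting
combinations described in the post.

Assumptions (not stated in the original post):
  * Intune "Disable prompt at sign out" -> payload key DeferDontAskAtUserLogout
  * Intune "Number of times allowed to bypass" -> DeferForceAtUserLoginMaxBypassAttempts
  * A setting left "Not configured" is omitted from the payload.
  * com.example.* identifiers are placeholders.
"""
import plistlib
import uuid

# Sentinel for an Intune setting left at "Not configured".
NOT_CONFIGURED = None


def check_settings(disable_prompt_at_signout, bypass_attempts):
    """Apply the rule from the post: if the sign-out prompt is disabled, the
    bypass count must be configured. Returns (ok, reason)."""
    if bypass_attempts is not NOT_CONFIGURED:
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(bypass_attempts, bool) or not isinstance(bypass_attempts, int):
            return False, "Number of times allowed to bypass must be an integer"
        if bypass_attempts < -1:
            # Apple's reference documents -1 as disabling the forced-enable
            # behaviour; anything smaller is meaningless.
            return False, "Number of times allowed to bypass must be >= -1"
    if disable_prompt_at_signout and bypass_attempts is NOT_CONFIGURED:
        return False, ("Disable prompt at sign out is enabled while Number of "
                       "times allowed to bypass is Not configured; the profile "
                       "will not deploy")
    return True, "ok"


def build_filevault_payload(disable_prompt_at_signout, bypass_attempts,
                            show_recovery_key=True):
    """Return a FileVault2 payload dict, or raise ValueError for the broken
    combination so it never reaches a device."""
    ok, reason = check_settings(disable_prompt_at_signout, bypass_attempts)
    if not ok:
        raise ValueError(reason)
    payload = {
        "PayloadType": "com.apple.MCX.FileVault2",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.filevault",   # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "FileVault 2",
        "Enable": "On",
        "Defer": True,            # enable at next logout/login, not immediately
        "UseRecoveryKey": True,   # escrow-able personal recovery key
        "ShowRecoveryKey": show_recovery_key,
    }
    # "Not configured" settings are left out of the payload (assumption).
    if disable_prompt_at_signout is not NOT_CONFIGURED:
        payload["DeferDontAskAtUserLogout"] = bool(disable_prompt_at_signout)
    if bypass_attempts is not NOT_CONFIGURED:
        payload["DeferForceAtUserLoginMaxBypassAttempts"] = bypass_attempts
    return payload


def to_mobileconfig(payload, name="FileVault"):
    """Wrap a payload in a top-level configuration profile and serialise it
    as XML plist bytes (the .mobileconfig format)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.filevault.profile",   # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_mobileconfig(data):
    """Parse a .mobileconfig and list FileVault2 payloads that carry the
    combination the post says fails to deploy. Returns [(identifier, reason)]."""
    profile = plistlib.loads(data)
    findings = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.MCX.FileVault2":
            continue
        dont_ask = p.get("DeferDontAskAtUserLogout", NOT_CONFIGURED)
        attempts = p.get("DeferForceAtUserLoginMaxBypassAttempts", NOT_CONFIGURED)
        ok, reason = check_settings(dont_ask, attempts)
        if not ok:
            findings.append((p.get("PayloadIdentifier"), reason))
    return findings


if __name__ == "__main__":
    # The three scenarios from the post's screenshots (constructed inputs).
    scenarios = [
        ("fv1: prompt Not configured, bypass = 3", NOT_CONFIGURED, 3),
        ("fv2: prompt Enable, bypass = 1", True, 1),
        ("fv3: prompt Enable, bypass Not configured", True, NOT_CONFIGURED),
    ]
    for label, prompt, attempts in scenarios:
        ok, reason = check_settings(prompt, attempts)
        print(f"{label}: {'OK' if ok else 'REJECTED'} ({reason})")
```

The audit function is the piece worth keeping around: exported profiles tend to outlive the console bug that produced them, and a CI check over your profile repository catches the DeferDontAskAtUserLogout-without-bypass-count combination before it is assigned to devices.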

 

Blog post updates:

  • 12/19/19 with an update that this is now resolved.
6 Comments
Brass Contributor

Thanks. I was having this problem and it is solved with the bypass setting.

 

Another issue is, as I commented on the other blog post, that when enabling FileVault the recovery key is shown to the user and they are instructed to "keep it in a safe place." I do not want the user to store the recovery key anywhere, especially given some users will store it with the laptop. If the key is needed it should be retrieved from Intune.

 

My ask is that the ShowRecoveryKey FileVault2 payload option be made available in the Intune FileVault configuration profile so that it can be set to False, so that the recovery key will not be displayed to the user.

 

Here is the relevant part from Apple's reference:

ShowRecoveryKey: Set to false to not display the personal recovery key to the user after FileVault is enabled. Defaults to true.

 

Hi @MaxM,

Our PM Anya Novicheva responded to your comment in the Intune macOS FileVault Announcement blog that the current architecture allows various ways for the end user to access their recovery key, including from the Intune web Company Portal.

 

We value your feedback! Can you elaborate on your feedback by posting an idea over at our UserVoice?

Brass Contributor

@Intune_Support_Team Yep, I was planning to open a UserVoice item for it today actually. FileVault and macOS are a niche area for Intune though, so I doubt it'll get much support. I submitted DCR 138149908 for it yesterday too.

Brass Contributor

@Intune_Support_Team In our organization we have it set like what's being mentioned here. Most if not all were prompted to enable FileVault and completed the task. So we now have several who are fully encrypted. My question is, should we leave bypass as 'Not Configured' or set it to '1'?

 

We see several errors in the state details and are unsure if that is related. Also, by setting it from Not Configured to 1, would anyone who is already enabled be impacted?

[Screenshot 2019-08-07_9-30-39.jpg: state details showing errors]

Microsoft

@Miguel Sanabia Thank you for your feedback! If this configuration worked for your devices, then I recommend leaving it as is. The error messages in the state details are most likely attributed to this configuration and the device giving Intune back an unknown error. If you change any of the setting configurations, such as changing the Not configured to 1, already encrypted devices will not be impacted. Your devices that were not fully encrypted will most likely become encrypted. In general, already encrypted devices will not be impacted by any of the settings in the profile changing configuration. 

Version history: last update Dec 19 2019 10:48 AM