FileVault with MDM commands fails

What is the proper payload for the FDEFileVault?

Do I need to provide a user password in the payload to proceed with turning on the FileVault? Isn't that a privacy issue?

Why does UserEntersMissingInfo not work for me?

How do I properly turn off FileVault? Every attempt failed.

Below I attach the tested payloads and results.


Test 1:

Enable: "On"

Result 1:

Error

ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.

Test 2:

Enable: "On"
Username: "username on a device"

Result 2:

Error

ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.

Test 3:

Enable: "On"
Username: "username on a device"
Password: "password of the user"

Result 3:

Success: FileVault turned On


Test 4: after previously turning FileVault on successfully and restarting the machine.

Enable: "Off"

Result 4:

Fail: FileVault didn't turn off, but the profile in Settings was updated. Restarting the machine didn't help.


Test 5:

Enable: "On"
UserEntersMissingInfo: True

Result 5:

Error

ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.

Test 6:

Enable: "On"
Username: "username on a device"
UserEntersMissingInfo: True

Result 6:

Error

ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.

Test 7: This is example payload from: https://developer.apple.com/documentation/devicemanagement/fdefilevault#Profile-Example

Defer: True
Enable: "On"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: False

Result 7:

Success: FileVault turned On


Test 8: same as Test 4, but after turning FileVault on as in Test 7.


Test 9:

Defer: True
Enable: "Off"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: False

Result 9:

Fail: FileVault didn't turn off, but the profile in Settings was updated. Restarting the machine didn't help.


Test 10:

Defer: True
Enable: "Off"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: True

Result 10:

Fail: FileVault didn't turn off, but the profile in Settings was updated. Restarting the machine didn't help.


Test 11:

Defer: True
Enable: "Off"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: True
DeferForceAtUserLoginMaxBypassAttempts: 0

Result 11:

Fail: FileVault didn't turn off, but the profile in Settings was updated. Restarting the machine didn't help.


Test 12:

UserEntersMissingInfo: True
Enable: "Off"
Username: "username on a device"

Result 12:

Fail: FileVault didn't turn off, but the profile in Settings was updated. Restarting the machine didn't help.


Per the documentation:

Enable: (Required) Set to On to enable FileVault and set to Off to disable FileVault. Payloads set to On sent through MDM need to either include full authentication information in the payload or have the Defer option set to true.

This payload supports manual, non-MDM interactive installation as a .mobileconfig file, which is where you'd use the UserEntersMissingInfo key.

When delivering with MDM, however, it is expected you're using Defer with true and/or the ForceEnableInSetupAssistant key (in macOS 14 or later) or providing both username and password information.

In the majority of cases, it is not expected that you will be providing a username and password. Those are expected to be used for service or automated device scenarios where a service user with a known password, which either a.) has a secure token or b.) can become secure token enabled (because no other user has one yet), is already present on the device at the time of payload delivery.

For more details about secure token enabled users, when and how that happens, and its relationship to FileVault on macOS, see the following documentation:

Apple Platform Deployment: Use secure token, bootstrap token, and volume ownership in deployments

Apple Platform Security: Volume encryption with FileVault in macOS

As with enablement, disabling also requires valid credentials capable of performing that action (the same as those you might type into Settings when turning FileVault off interactively).

If you feel that, given the information above, you've met the requirements for a FileVault payload to succeed and you're still not seeing success, please:

  • Re-attempt deploying the payload to a Mac, note the time, and then collect a sysdiagnose from the Mac after it fails
  • Submit the sysdiagnose and your collected details in a Feedback using Feedback Assistant while signed in with an Apple Account associated with your organization's Developer account

and we will attempt to follow up once we receive that information.
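As an added example (not part of the question or the answer above, and not Apple's code): a Python pre-flight check that encodes the delivery rules the answer quotes, run against payload dictionaries shaped like the tests in the question, plus a small builder that wraps one FDEFileVault payload in a configuration profile with plistlib. The PayloadType com.apple.MCX.FileVault2 is the one the FDEFileVault payload uses; the identifiers, account name and password below are made-up sample values.

```python
"""Pre-flight an FDEFileVault payload for MDM delivery and build the profile.

Added example, not from the original post or from Apple. Rules encoded, as
quoted in the answer above:
  * Enable="On" sent via MDM needs Defer=True (or ForceEnableInSetupAssistant
    on macOS 14+) OR both Username and Password; otherwise error -319.
  * Enable="Off" needs credentials able to turn FileVault off; without them
    the profile installs but FileVault stays on.
  * UserEntersMissingInfo only matters for manual .mobileconfig installs and
    supplies nothing over MDM.
Identifiers, UUIDs and credentials below are constructed sample values.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.MCX.FileVault2"  # PayloadType of the FDEFileVault payload


def check_mdm_filevault_payload(p):
    """Return (errors, warnings) for a payload dict about to be sent over MDM.

    errors: conditions under which the payload is expected to fail or do nothing.
    warnings: things that work but are not the intended use.
    """
    errors, warnings = [], []
    enable = p.get("Enable")
    if enable not in ("On", "Off"):
        errors.append("Enable is required and must be 'On' or 'Off'")
        return errors, warnings

    has_creds = bool(p.get("Username")) and bool(p.get("Password"))
    deferred = p.get("Defer") is True or p.get("ForceEnableInSetupAssistant") is True

    if enable == "On" and not (has_creds or deferred):
        errors.append("Enable=On over MDM needs Defer=True (or ForceEnableInSetupAssistant) "
                      "or both Username and Password; expect -319 'User authentication failed'")
    if enable == "Off" and not has_creds:
        errors.append("Enable=Off needs Username and Password of a user able to turn FileVault "
                      "off; the profile installs but FileVault stays on")
    if p.get("UserEntersMissingInfo") is True:
        errors.append("UserEntersMissingInfo only applies to interactive .mobileconfig installs; "
                      "it supplies no credentials over MDM")
    if has_creds and enable == "On" and not deferred:
        warnings.append("embedding a password is meant for a service/automated account that holds "
                        "(or can receive) a secure token, not for an end user's account")
    return errors, warnings


def build_profile(fv_payload, org="example.org"):
    """Wrap one FDEFileVault payload dict in a configuration profile; return XML plist bytes."""
    inner = dict(fv_payload)
    inner.update({
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.filevault.payload",  # sample identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "FileVault Settings",
    })
    profile = {
        "PayloadContent": [inner],
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.filevault",  # sample identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "FileVault (deferred enablement)",
        "PayloadScope": "System",
    }
    return plistlib.dumps(profile)


# Payloads shaped like the tests in the question (credentials are constructed samples).
TESTS = {
    "test1": {"Enable": "On"},
    "test3": {"Enable": "On", "Username": "svc_mdm", "Password": "sample-password"},
    "test4": {"Enable": "Off"},
    "test5": {"Enable": "On", "UserEntersMissingInfo": True},
    "test7": {"Defer": True, "Enable": "On", "ShowRecoveryKey": True, "UseKeychain": False,
              "UseRecoveryKey": True, "UserEntersMissingInfo": False,
              # 0: the user cannot skip enabling FileVault at the next login
              "DeferForceAtUserLoginMaxBypassAttempts": 0},
    "test12": {"UserEntersMissingInfo": True, "Enable": "Off", "Username": "svc_mdm"},
}

if __name__ == "__main__":
    for name, payload in TESTS.items():
        errs, warns = check_mdm_filevault_payload(payload)
        print(name, "OK" if not errs else "FAIL", errs, warns)
    print(build_profile(TESTS["test7"]).decode())
```

Before sending a payload that carries credentials, confirm on the Mac that the named account actually holds a secure token (`sysadminctl -secureTokenStatus <user>`) and check the current encryption state with `fdesetup status`; a payload that passes this check can still fail against an account with no secure token, which is the case the answer's linked documentation covers.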
