Hi Community,
Starting from July 2024 there was an issue regarding the enablement of FileVault during the Setup Assistant on macOS. You can read the full article here.
In this article Microsoft mentions that there is a workaround:
- If you’re experiencing an issue where the device doesn’t prompt to enable FileVault during Setup Assistant, it can potentially be mitigated by:
- Configuring FileVault > Defer setting to be Enabled:
- Instructing users to wait up to 30 minutes after arriving at the account creation screen:
For me these workarounds were not OK; I could live with the deferral setting but not with the 30-minute wait. I did leave a comment on 19/07/2024 stating that I got this working great, seriously:
However, I still had the feeling that some things were still unclear, hence this blog post. Although the Microsoft doc states that there will be a fix in the November 2411 release of Intune, I still wanted to share my settings with the community so you can see the configuration and user experience of a working feature.
I have also configured Platform SSO with password writeback. This is NOT mandatory, but if you want to know how to set this up, check my other article here.

Let’s dive in.
The Intune Setup
The Enrollment program tokens settings
Go to the Intune portal – Devices – Apple – Enrollment program tokens.
Click on the Enrollment program token.
In the Enrollment program token, click Profiles and select your enrollment profile, in my case MacOS For Password PSSO.
Now click Properties and you will see all the settings from your profile. Make sure that under the Setup Assistant section FileVault is set to Show.
That's it for the Enrollment program token settings; let's proceed to the FileVault policy configuration.
The FileVault policy settings
To configure the FileVault policy, go to the Intune portal – Devices – macOS – Configuration – Create – New policy (or edit your current policy).
Select platform macOS, set the profile type to Settings catalog, and click Create.
Name your policy, e.g. Enable FileVault During Setup Assistant, enter a description if you want, and click Next.
Now pick these FileVault settings exactly as in the screenshot.

When you are ready, set the scope tags if you want, assign this policy to a user group, and create the policy.
This concludes the FileVault policy setup in Intune.
Let’s go to the user experience.
The User Experience
I have reset my MacBook to factory defaults so I can show you the full experience. Here are the steps.
Choose your Country or Region and click Continue.
Click Continue.
Select your Wi-Fi and click Continue.
Click Enroll
Enter your Entra ID credentials.
Your device will now enroll.
Create a computer account and click Continue.
Now you will see the FileVault key shown on the screen. Click Continue.
Configure Touch ID and click Continue.
Follow any additional steps in the Setup Assistant until you land on the desktop. After some time this pop-up appears (this is a Platform SSO setting, so if you don't have Platform SSO you will not get this). Click on this pop-up.
Now enter your local user password or use Touch ID.
Enter your Entra ID credentials.
Now your device will be registered with Entra.
Sign in again with your Entra ID credentials; this is to set up the password writeback to the local account (again, only if you have Platform SSO enabled).
If you see this pop-up appearing you are ready.
Now your device will start syncing with Intune, and after a few minutes your FileVault key will show up under your device. To check this, go to the Intune portal – Devices – macOS and click your device. You will find the FileVault recovery key under Recovery keys after you click Show.
And that's it, congratulations: you have just enrolled your Mac in Intune and enabled FileVault during the Setup Assistant. And as always, if you feel there is something in error or you want to add something from your own experience, don't hesitate to contact me!
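Seeing the recovery key in the Intune portal tells you the key was escrowed, but not whether the disk is actually encrypted yet on the Mac. The following shell script is an added example (not from the original post or from Microsoft's documentation) for checking that on the device itself: it classifies the output of macOS's `fdesetup status` into On, pending restart, deferred enablement, or Off. The exact message wording in the patterns is assumed from fdesetup's usual output, and the SAMPLE_* strings are constructed for the offline demonstration; the live check only runs when `fdesetup` exists, i.e. on a Mac.

```shell
#!/bin/sh
# Added example: classify the FileVault state reported by `fdesetup status`
# so a post-enrollment check can tell "On" apart from "Off" and from the
# in-between states (enabled but pending a restart, or deferred to the next
# login). Message wording is assumed from fdesetup's usual output; the
# SAMPLE_* strings below are constructed for this example.

# classify_fv_status: reads `fdesetup status` text from stdin and prints one of
#   ON | PENDING | DEFERRED | OFF | UNKNOWN
# Order matters: the PENDING and DEFERRED messages also contain the text
# "FileVault is Off", so they are matched before the plain OFF case.
classify_fv_status() {
    text=$(cat)
    case "$text" in
        *"FileVault is On"*)                          echo ON ;;
        *"will be enabled after the next restart"*)   echo PENDING ;;
        *"Deferred enablement appears to be active"*) echo DEFERRED ;;
        *"FileVault is Off"*)                         echo OFF ;;
        *)                                            echo UNKNOWN ;;
    esac
}

# check_filevault_live: run on the Mac itself. Exit status 0 only when
# FileVault is On, 1 for any other state, 2 when fdesetup is unavailable.
check_filevault_live() {
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo "fdesetup not found: run this on macOS" >&2
        return 2
    fi
    state=$(fdesetup status | classify_fv_status)
    echo "FileVault state: $state"
    [ "$state" = "ON" ]
}

# Constructed sample outputs, one per state, for offline demonstration.
SAMPLE_ON="FileVault is On."
SAMPLE_PENDING="FileVault is Off, but will be enabled after the next restart."
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."
SAMPLE_OFF="FileVault is Off."

for sample in "$SAMPLE_ON" "$SAMPLE_PENDING" "$SAMPLE_DEFERRED" "$SAMPLE_OFF"; do
    printf '%s -> %s\n' "$(printf '%s' "$sample" | head -n 1)" \
        "$(printf '%s\n' "$sample" | classify_fv_status)"
done

# Only touch the real tool when it exists (i.e. when run on a Mac).
if command -v fdesetup >/dev/null 2>&1; then
    check_filevault_live || true
fi
```

Run it on the freshly enrolled Mac once you are on the desktop: a result of PENDING or DEFERRED means the policy applied but encryption has not started yet, which is the state the comments below are asking about, while ON confirms the disk is encrypted and the key shown in Intune is the one that matters.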
I have verified it’s working without using the 30 minute time out and removing the Defer from the payload.
Hi John, Thank you for verifying this!
Hi Joery,
I have a question about the multi-user approach and FileVault. I have turned FileVault on and it seems it's not possible to log in via multiple users when FileVault is enabled, as you need to provide local credentials first. Do you know what the approach should be?
Correct, FileVault does not work with multi-user. Disable "Enable FileVault during Setup Assistant" for a multi-user approach.
Hello to the Intune Stuff Team, we want to have a local admin account after the customer has done the enrollment in Entra ID with his credentials. Is it possible to handle this from Intune?
Thank you very much for your help
Hi Frank, the local account is an admin by default unless you have specified this differently in Intune.
Hello Joery, thank you for your answer, but we want to have a separate admin account next to the Entra ID enrollment user on the macOS system. In the end we want the end user of the macOS device to have standard rights.
This article suggests that FileVault is enabled during Setup Assistant and the key is displayed immediately?
From my understanding it gets enabled but it technically isn’t active until the user logs off. And then only the key is disabled after a log off/restart?