Using some of the scripts I’ve mentioned, I created a policy to enable FileVault encryption with a button in Self Service. macOS 10.15 Catalina introduced a new feature called the Bootstrap Token, which gives a newly created AD mobile account a Secure Token, delivered from the MDM. That account can then enable FileVault without the user who initially set up the computer standing over someone’s shoulder to input a password.
The policy is set up in a few parts. There is one policy to enable encryption, a static group to which that policy is scoped, a profile to lock the FileVault pane in System Preferences, and a Self Service policy to kick it off.
The Self Service policy itself is simple. First it adds the computer to the static group, then it runs the encryption policy by its custom trigger. The profile to lock the FileVault pane in System Preferences is scoped to the static group.
This method does require a user to log out and then log back in for it to enable encryption, but with new T2-based systems the encryption is instant. Newer pre-T2 systems with SSDs are pretty quick as well.
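One way the Self Service policy's script could carry out those two steps, with a pre-check that the Bootstrap Token is escrowed before anything changes. This is an added example, not the author's script: it assumes the Jamf Classic API with a bearer token, and `JAMF_URL`, `API_TOKEN`, the group ID in `$4` and the trigger name in `$5` are placeholders.

```bash
#!/bin/bash
# Added example, not the author's script. Jamf passes $4 and up as script parameters;
# here $4 = static group ID and $5 = custom trigger name (both assumptions).
# JAMF_URL and API_TOKEN are placeholders; scope the API account to
# updating static computer groups only, since this runs on the client.
JAMF_URL="${JAMF_URL:-https://jamf.example.com:8443}"

# Classic API body that adds one computer to a static group by serial number.
group_addition_xml() {
  # Reject anything that is not alphanumeric so nothing else lands in the XML.
  case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
  printf '<computer_group><computer_additions><computer><serial_number>%s</serial_number></computer></computer_additions></computer_group>' "$1"
}

# True when `profiles status -type bootstraptoken` output reports the token escrowed.
bootstrap_token_escrowed() {
  printf '%s\n' "$1" | grep -qE 'escrowed to server:[[:space:]]*YES'
}

# True when `fdesetup status` output reports FileVault already on.
filevault_is_on() {
  printf '%s\n' "$1" | grep -q 'FileVault is On'
}

main() {
  local group_id="$4" trigger="$5" serial body
  if filevault_is_on "$(fdesetup status)"; then
    echo "FileVault already enabled"; return 0
  fi
  if ! bootstrap_token_escrowed "$(profiles status -type bootstraptoken 2>&1)"; then
    echo "Bootstrap Token not escrowed to MDM; not starting encryption" >&2; return 1
  fi
  serial=$(system_profiler SPHardwareDataType | awk '/Serial Number/ {print $NF}')
  body=$(group_addition_xml "$serial") || return 1
  # Step 1: add this computer to the static group (which also scopes the lock profile).
  curl -sf -X PUT -H "Authorization: Bearer ${API_TOKEN}" \
       -H "Content-Type: application/xml" -d "$body" \
       "${JAMF_URL}/JSSResource/computergroups/id/${group_id}" || return 1
  # Step 2: run the encryption policy by its custom trigger.
  /usr/local/bin/jamf policy -event "$trigger"
}

# Run only when Jamf supplies the group ID parameter.
if [ -n "${4:-}" ]; then main "$@"; fi
```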