If the encryption is deployed using Robot Cloud, we have the ability to add your centralized admin account to the FileVault users list. If encryption is not deployed using Robot Cloud, we are unable to make changes to the FileVault users list. This is due to security restrictions that Apple has implemented in FileVault.
To add a user programmatically, we must have two things:
- The username and password for an account already authorized.
- The username and password for an account you wish to add.
We can do this when encryption is deployed using Robot Cloud because the Robot Cloud daemon user is added to the FileVault users list at the time of encryption, which takes care of the first requirement. Since the centralized admin account is also deployed using Robot Cloud, we have the credentials for the second requirement as well. With manual encryption, or encryption using a different third-party tool, we're unable to modify the FileVault users list per Apple's security framework, and you have to go into System Preferences and add the account manually.
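The two requirements above correspond to the property list that macOS's built-in `fdesetup add -inputplist` reads on standard input. The sketch below is an added example, not Robot Cloud's own code; the function names are hypothetical, and it assumes the script runs as root on a Mac where FileVault is already enabled.

```shell
#!/bin/sh
# Added example (not Robot Cloud code). Function names are hypothetical.

# Escape XML metacharacters so a password such as 'a&b<c' cannot break
# or alter the structure of the plist.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist fdesetup expects:
#   Username/Password = an account already authorized for FileVault
#   AdditionalUsers   = the account to add, with its own password
# Args: auth_user auth_pass new_user new_pass
build_fv_plist() {
    auth_user=$(xml_escape "$1"); auth_pass=$(xml_escape "$2")
    new_user=$(xml_escape "$3");  new_pass=$(xml_escape "$4")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>${auth_user}</string>
  <key>Password</key><string>${auth_pass}</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>${new_user}</string>
      <key>Password</key><string>${new_pass}</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Add new_user unless `fdesetup list` (username,UUID per line) already
# shows it. Credentials travel over a pipe: they never appear in the
# process argument list and are never written to disk.
add_fv_user() {
    if fdesetup list | awk -F, -v u="$3" '$1 == u { f = 1 } END { exit !f }'; then
        echo "$3 is already a FileVault user"
        return 0
    fi
    build_fv_plist "$1" "$2" "$3" "$4" | fdesetup add -inputplist
}
```

Call `add_fv_user` with the authorized account's name and password followed by the new account's name and password, reading the passwords from a secret store rather than hard-coding them in the script.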
Please contact us if you're interested in using Robot Cloud to enforce encryption or offer encryption in Self Service!