Issue Description
The intended user account which should enable FileVault has a Secure Token, but FileVault is not enabling at logout or login (depending on the profile or policy used). When checking the FileVault status we see the following:
fdesetup status
==>
FileVault is Off. Deferred enablement appears to be active for user 'unknown'
FileVault enforcement must have been triggered prior to the user creation (for instance when 'skipping user account creation' in the PreStage for deployments with Jamf Connect Login). It is unclear what really causes this behavior of deferring FileVault enablement to an 'unknown' user, but what is probably happening is that the mbsetupuser becomes the target of the deferral when the profile enforces FileVault, or when an @enrollment policy runs.
Troubleshooting Steps
Fortunately, the fix is easy and straightforward, but all steps need to be performed:
1. First of all, confirm if the intended user (which should enable FileVault) has a Secure Token. If not, fix that first.
sudo fdesetup list -extended
2. Unscope the config profile which is enforcing FileVault, and make sure no Jamf Pro policy is configured to trigger again.
3. Run the following command and confirm there is NO mention of any deferral in the output:
sudo fdesetup disable
which should now return (no deferral active):
FileVault is Off.
Note: Please record the output from the above commands; it will help identify FileVault enabled users if this workflow does not immediately resolve the issue.
4. REBOOT the Mac (mandatory for the deferral cancelation to work).
5. Log in with the correct user and enforce FileVault again via either profile or policy.
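To spot affected Macs before and after the fix, the status line shown above can be classified by a script. The following is an added example, not part of the original article: the function names and the state labels (deferred-unknown, deferred-ok, and so on) are made up for illustration, and the only input it relies on is the text printed by fdesetup status.

```shell
#!/bin/sh
# Added example: classify `fdesetup status` output so the stuck
# "deferred for user 'unknown'" state can be reported per machine.
# Function names and state labels are hypothetical.

# deferral_user TEXT -> prints the user named in the deferral line, if any.
deferral_user() {
    printf '%s\n' "$1" |
        sed -n "s/.*Deferred enablement appears to be active for user '\([^']*\)'.*/\1/p" |
        head -n 1
}

# classify_fv_status TEXT [INTENDED_USER] -> prints one of:
#   on               FileVault already enabled
#   off              off, no deferral pending (expected after step 3)
#   deferred-unknown deferral targets 'unknown' (the issue described above)
#   deferred-ok      deferral targets the intended user (or none was given)
#   deferred-other   deferral targets some other account
#   unrecognized     text does not look like fdesetup status output
classify_fv_status() {
    text=$1
    intended=${2:-}
    case $text in
        *"FileVault is On"*) echo on; return 0 ;;
        *"FileVault is Off"*) ;;
        *) echo unrecognized; return 0 ;;
    esac
    case $text in
        *"Deferred enablement"*) ;;
        *) echo off; return 0 ;;
    esac
    user=$(deferral_user "$text")
    if [ -z "$user" ] || [ "$user" = "unknown" ]; then
        echo deferred-unknown
    elif [ -z "$intended" ] || [ "$user" = "$intended" ]; then
        echo deferred-ok
    else
        echo deferred-other
    fi
}

# On a Mac, classify the live status; the optional first argument is the
# short name of the user who is supposed to enable FileVault.
if command -v fdesetup >/dev/null 2>&1; then
    classify_fv_status "$(fdesetup status 2>/dev/null)" "${1:-}"
fi
```

A result of deferred-unknown means the steps above are needed; off after step 3 confirms the deferral is gone before the reboot.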