Centrify DirectControl version 5.1.1 and higher on Mac OS X 10.8 and higher
Problem:
The FileVault 2 group policy has been configured and the target AD users have been converted to Mobile Accounts on the desired Mac systems.
The following conditions have also been met for each Mac system:
However, while FileVault is activating correctly on some machines, it is still failing to enable on other machines.
All Mac systems are in the same "Mac Computer" OU, all AD accounts are in the same "Mac Users" OU, and the group policy has been confirmed to be successfully downloaded onto the Mac.
Cause:
On the working machines, the assigned users were stored as "Firstname Lastname".
On the machines where the FileVault GP was not working correctly, the assigned AD users were stored in ADUC as "Lastname, Firstname". When the AD account name is stored in this format, the group policy fails to recognise that this AD user is the account that will be using FileVault on the Mac and so skips over the instruction to invoke FileVault.
Workaround:
- Go to ADUC and navigate to the affected AD account(s)
- Right-click and select "Rename" > Change the name from:
"Lastname, Firstname" to "Firstname Lastname"
- Go back to the Mac and log in with the target Mobile Account.
- Log out and the FileVault activation prompt should now appear.
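When many accounts are affected, the ADUC rename step above can be audited and applied in bulk. The following PowerShell is an added example, not Centrify's own tooling. It assumes the RSAT ActiveDirectory module is installed, that the ADUC "Rename" action corresponds to the object's Name (CN), and that the search base DN is a placeholder for your own "Mac Users" OU; `Convert-CommaName` and `$Apply` are hypothetical names introduced here.

```powershell
# Added example: find AD users whose Name is stored as "Lastname, Firstname"
# and rename them to "Firstname Lastname". Reports only unless $Apply is $true.
Import-Module ActiveDirectory

# Assumption: placeholder DN for the "Mac Users" OU; replace with your own.
$SearchBase = 'OU=Mac Users,DC=example,DC=com'
$Apply      = $false   # set to $true to perform the renames

function Convert-CommaName {
    param([Parameter(Mandatory)][string]$Name)
    # Split on the first comma only, then trim whitespace from both halves.
    $parts = @($Name -split ',', 2 | ForEach-Object { $_.Trim() })
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) { return $null }
    # A second comma (e.g. a suffix) is ambiguous; leave it for manual review.
    if ($parts[1].Contains(',')) { return $null }
    return "$($parts[1]) $($parts[0])"
}

# Server-side filter: only accounts whose Name contains a comma.
$users = Get-ADUser -SearchBase $SearchBase -Filter "Name -like '*,*'"

foreach ($u in $users) {
    $newName = Convert-CommaName -Name $u.Name
    if (-not $newName) {
        Write-Warning "Skipping '$($u.Name)': not in 'Lastname, Firstname' form"
        continue
    }
    try {
        # -WhatIf prints the intended rename without changing the directory.
        Rename-ADObject -Identity $u -NewName $newName `
            -WhatIf:(-not $Apply) -ErrorAction Stop
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            OldName        = $u.Name
            NewName        = $newName
            Applied        = $Apply
        }
    }
    catch {
        # For example, an object with the new name already exists in the OU.
        Write-Warning "Could not rename '$($u.Name)': $($_.Exception.Message)"
    }
}
```

After a rename is applied, the affected user still needs to log in and log out on the Mac as described in the steps above.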
This is fixed as of Centrify Suite 2014.1 / Mac Agent version 5.2.1.
For more information on how to use the FileVault group policy, see: