macOS - MDM and FileVault readiness

Due to history, we use BigFix with a different MDM that predates BigFix MCM. After quite a bit of research, I think I’ve found an actionable path forward to bring our lackadaisical installed base up to full supervised MDM with FileVault and escrowed keys.

Note: This approach may not be applicable if you’re using BigFix MCM.

As a high level overview which might be useful to someone else:

  1. Analysis properties to assess hardware, running macOS, and maximum OS upgradability.

  2. BigFix action to script `profiles status -type enrollment` output to a file. Output looks like:

     ```
     Enrolled via DEP: Yes
     MDM enrollment: Yes (User Approved)
     MDM server: [REDACTED]
     ```

  3. BigFix action to script `profiles status -type bootstraptoken` output to a file. Output looks like:

     ```
     profiles: Bootstrap Token supported on server: YES
     profiles: Bootstrap Token escrowed to server: YES
     ```

  4. Analysis properties that parse the output of these files.

  5. WebReports that filter fields from steps 1 and 4, resulting in CSV lists of machines to match different scenarios.

The target workpath includes:

  1. Can’t be upgraded to Monterey or Ventura? Discard.
  2. Not in MDM? Enroll.
  3. MDM isn’t (User Approved)? Fix it.
  4. Proceed with OS upgrade. (Monterey or Ventura, whichever is maximum)
  5. Assess Bootstrap Token escrow. If not escrowed, fix it.

I think this gets us to a point where one can proceed with FileVault via MDM, while maintaining manageability for volume ownership and multiple accounts to function normally.

Informative reading:

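The enrollment and Bootstrap Token checks from the post, and the decision path that follows them, as an added example that is not part of the original post and not BigFix's own content: a POSIX shell script that classifies the text `profiles status -type enrollment` and `profiles status -type bootstraptoken` print (matching the exact strings shown above), writes the raw output to files the way the BigFix action in steps 2 and 3 would, and returns the next step from the workpath. The function names, the `${OUT_DIR:-/var/tmp}` file location and the sample outputs at the bottom are assumptions constructed for illustration; the `profiles` calls only run where that tool exists, so the classification logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not the original post's code. Classifies a Mac's MDM and
# Bootstrap Token state from `profiles status` output and maps it onto the
# workpath: enroll -> fix user approval -> escrow Bootstrap Token -> FileVault.

# Read `profiles status -type enrollment` output on stdin and print one of:
#   not_enrolled | enrolled_needs_approval | enrolled_user_approved
classify_enrollment() {
    out=$(cat)
    case "$out" in
        *"MDM enrollment: Yes (User Approved)"*) echo enrolled_user_approved ;;
        *"MDM enrollment: Yes"*)                 echo enrolled_needs_approval ;;
        *)                                       echo not_enrolled ;;
    esac
}

# Read `profiles status -type bootstraptoken` output on stdin and print one of:
#   unsupported | supported_not_escrowed | escrowed
classify_bootstrap_token() {
    out=$(cat)
    case "$out" in
        *"Bootstrap Token escrowed to server: YES"*)  echo escrowed ;;
        *"Bootstrap Token supported on server: YES"*) echo supported_not_escrowed ;;
        *)                                            echo unsupported ;;
    esac
}

# Map the two classifications onto the next remediation step from the post.
# Prints: enroll | fix_user_approval | escrow_bootstrap_token | ready_for_filevault
next_step() {
    enrollment=$1
    token=$2
    case "$enrollment" in
        not_enrolled)            echo enroll; return 0 ;;
        enrolled_needs_approval) echo fix_user_approval; return 0 ;;
    esac
    case "$token" in
        escrowed) echo ready_for_filevault ;;
        *)        echo escrow_bootstrap_token ;;
    esac
}

# Run the real commands on a Mac and keep the raw output on disk for an
# analysis property to pick up. OUT_DIR is an assumed location.
collect_status() {
    dir=${OUT_DIR:-/var/tmp}
    profiles status -type enrollment     > "$dir/mdm_enrollment.txt"     2>&1
    profiles status -type bootstraptoken > "$dir/mdm_bootstraptoken.txt" 2>&1
    e=$(classify_enrollment     < "$dir/mdm_enrollment.txt")
    t=$(classify_bootstrap_token < "$dir/mdm_bootstraptoken.txt")
    printf 'enrollment=%s bootstrap_token=%s next_step=%s\n' \
        "$e" "$t" "$(next_step "$e" "$t")"
}

# Constructed sample outputs (not captured from a real machine) showing the
# classifier on a Mac that is enrolled and approved but has no escrowed token.
SAMPLE_ENROLLMENT='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: mdm.example.test'
SAMPLE_TOKEN='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'

if command -v profiles >/dev/null 2>&1; then
    collect_status
else
    e=$(printf '%s\n' "$SAMPLE_ENROLLMENT" | classify_enrollment)
    t=$(printf '%s\n' "$SAMPLE_TOKEN" | classify_bootstrap_token)
    printf 'sample: enrollment=%s bootstrap_token=%s next_step=%s\n' \
        "$e" "$t" "$(next_step "$e" "$t")"
fi
```

The matching is deliberately on the literal strings the post shows, so a machine whose output does not contain them (an older macOS, or a localized or truncated file) falls into the most conservative bucket (`not_enrolled` or `unsupported`) rather than being reported as ready; that is the safer direction for a readiness report, since the cost is a false remediation ticket rather than a Mac that silently misses FileVault enforcement.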

Note: The above post has been edited to clarify the usecase of using BigFix with an alternate MDM.
