Workaround for FileVault in SA for macOS 14.4

zentralopensource · Mar 15, 2024 · c1c64ab · c1c64ab
1 parent 1ba6ddb
commit c1c64ab
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/tests/mdm/test_setup_filevault_command.py b/tests/mdm/test_setup_filevault_command.py
@@ -218,7 +218,7 @@ def test_build_command_awaiting_configuration_true_macos_14(self, sign_payload):
             if sub_payload_type == "com.apple.MCX.FileVault2":
                 self.assertTrue(sub_payload["ForceEnableInSetupAssistant"])
                 self.assertEqual(sub_payload["ShowRecoveryKey"], filevault_config.show_recovery_key)
-                self.assertNotIn("Defer", sub_payload)
+                self.assertTrue(sub_payload["Defer"])  # macOS 14.4 workaround
                 self.assertNotIn("DeferDontAskAtUserLogout", sub_payload)
                 self.assertNotIn("DeferForceAtUserLoginMaxBypassAttempts", sub_payload)
                 self.assertEqual(sub_payload["PayloadIdentifier"], "com.zentral.mdm.fv.configuration")

diff --git a/zentral/contrib/mdm/commands/setup_filevault.py b/zentral/contrib/mdm/commands/setup_filevault.py
@@ -90,7 +90,10 @@ def build_payload(enrolled_device):
     }
     fv_config = config["PayloadContent"][0]
     if enrolled_device.awaiting_configuration and enrolled_device.comparable_os_version >= (14,):
-        fv_config["ForceEnableInSetupAssistant"] = True
+        fv_config.update({
+            "ForceEnableInSetupAssistant": True,
+            "Defer": True,  # macOS 14.4 workaround TODO: re-evaluate later
+        })
     else:
         fv_config.update({
             "Defer": True,