Add dontAllowFDEDisable to FileVault config profile template (#10941)

2026-05-23 08:58:41 +00:00 · 2023-04-03 14:22:41 -05:00 · 2023-04-03 14:22:41 -05:00 · 750d64ccca
commit 750d64ccca
parent 4c4891a711
2 changed files with 13 additions and 0 deletions
--- a/changes/issue-10788-dont-allow-fde-disable
+++ b/changes/issue-10788-dont-allow-fde-disable
@ -0,0 +1 @@
+- Updated FileVault configuration profile to disallow device user from disabling full-disk encryption. 
--- a/ee/server/service/mdm_profiles.go
+++ b/ee/server/service/mdm_profiles.go
@ -63,6 +63,18 @@ var fileVaultProfileTemplate = template.Must(template.New("").Option("missingkey
 			<key>PayloadVersion</key>
 			<integer>1</integer>
 		</dict>
+		<dict>
+            <key>dontAllowFDEDisable</key>
+            <true/>
+            <key>PayloadIdentifier</key>
+            <string>com.apple.MCX.62024f29-105E-497A-A724-1D5BA4D9E854</string>
+            <key>PayloadType</key>
+            <string>com.apple.MCX</string>
+            <key>PayloadUUID</key>
+            <string>62024f29-105E-497A-A724-1D5BA4D9E854</string>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+        </dict>
 	</array>
 	<key>PayloadDisplayName</key>
 	<string>Disk encryption</string>
				`@ -0,0 +1 @@`
				`- Updated FileVault configuration profile to disallow device user from disabling full-disk encryption.`