From 750d64ccca43d7af8876118f16a840be69284ce3 Mon Sep 17 00:00:00 2001
From: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Date: Mon, 3 Apr 2023 14:22:41 -0500
Subject: [PATCH] Add `dontAllowFDEDisable` to FileVault config profile
template (#10941)
---
changes/issue-10788-dont-allow-fde-disable | 1 +
ee/server/service/mdm_profiles.go | 12 ++++++++++++
2 files changed, 13 insertions(+)
create mode 100644 changes/issue-10788-dont-allow-fde-disable
diff --git a/changes/issue-10788-dont-allow-fde-disable b/changes/issue-10788-dont-allow-fde-disable
new file mode 100644
index 0000000000..77746c6a36
--- /dev/null
+++ b/changes/issue-10788-dont-allow-fde-disable
@@ -0,0 +1 @@
+- Updated FileVault configuration profile to disallow device user from disabling full-disk encryption.
\ No newline at end of file
diff --git a/ee/server/service/mdm_profiles.go b/ee/server/service/mdm_profiles.go
index 09d7f4b332..6c7782fe29 100644
--- a/ee/server/service/mdm_profiles.go
+++ b/ee/server/service/mdm_profiles.go
@@ -63,6 +63,18 @@ var fileVaultProfileTemplate = template.Must(template.New("").Option("missingkey
PayloadVersion
1
+
+ dontAllowFDEDisable
+
+ PayloadIdentifier
+ com.apple.MCX.62024f29-105E-497A-A724-1D5BA4D9E854
+ PayloadType
+ com.apple.MCX
+ PayloadUUID
+ 62024f29-105E-497A-A724-1D5BA4D9E854
+ PayloadVersion
+ 1
+
PayloadDisplayName
Disk encryption
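Review bot: The added `com.apple.MCX` payload carrying `dontAllowFDEDisable` is the only thing in this profile that stops a device user from turning FileVault off, yet the template has no comment saying so, and the diffstat shows no test file changed, so nothing visible would catch the key being dropped in a later template edit. I would add a comment above the `fileVaultProfileTemplate` declaration, e.g. `// The com.apple.MCX payload sets dontAllowFDEDisable so the device user cannot disable FileVault once it is enabled.`, and a test that executes the template and asserts the rendered profile contains `dontAllowFDEDisable`. Hosts that already received the earlier profile presumably keep the old payload until the profile is delivered again, so confirm that this change triggers a re-send; otherwise the control applies only to newly configured hosts. The template declaration starts and ends outside this hunk, so the comment would sit on lines not shown here.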