In Enabling FileVault Encryption for Client Macs, I mentioned that deferred enablement is one option for mass-deploying encryption to clients, with the major downside that you can enable it for only one user and not multiple users at once.
If you do want to go that route, though, this is the command (assuming you're using an institutional recovery key) you would use:
This will also allow the user to put off enabling FileVault encryption ten times before she's forced to enable it. You can adjust the -forceatlogin number to whatever you think makes sense for your organization.
Check the deferral status with
Defer = 1;
NoRecoveryKey = 1;
OutputPath = "/PATH/TO/recovery.plist";
UseKeychain = 1;
Usernames = (
To check FileVault general status (not deferral status) run the command
FileVault master keychain appears to be installed.
So if you have a script that checks whether to do a deferred enablement, you probably want it to confirm that FileVault is Off and that deferral info is Not Found.
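One way to script that check, as an added example that is not the author's own script. It assumes the general status comes from `fdesetup status`, the deferral status from `fdesetup showdeferralinfo`, and that the latter prints "Not found." when nothing is pending; the sample outputs and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether this Mac still needs deferred FileVault enablement.
# Assumptions: general status comes from `fdesetup status`, deferral status from
# `fdesetup showdeferralinfo`, and the latter prints "Not found." when no
# deferral is pending.

# Constructed sample outputs, used by demo() so the logic can be read offline.
SAMPLE_OFF='FileVault is Off.
FileVault master keychain appears to be installed.'
SAMPLE_ON='FileVault is On.'
SAMPLE_PENDING='{
    Defer = 1;
    NoRecoveryKey = 1;
    UseKeychain = 1;
}'

# True when any line of the status text reports FileVault as Off.
filevault_is_off() {
    printf '%s\n' "$1" | grep -qi '^FileVault is Off'
}

# True when the deferral text says nothing is pending.
deferral_not_set() {
    printf '%s\n' "$1" | grep -qi 'not found'
}

# decide STATUS_TEXT DEFERRAL_TEXT: prints the decision, returns 0 only for "enable".
decide() {
    if ! filevault_is_off "$1"; then
        echo "skip: FileVault is not Off"; return 1
    fi
    if ! deferral_not_set "$2"; then
        echo "skip: deferral already pending"; return 1
    fi
    echo "enable"
}

# Run the decision over the constructed samples above.
demo() {
    decide "$SAMPLE_OFF" "Not found."
    decide "$SAMPLE_OFF" "$SAMPLE_PENDING"
    decide "$SAMPLE_ON" "$SAMPLE_PENDING"
}

# --demo uses the samples; --live (as root, on a Mac) queries the real state.
case "${1:-}" in
    --demo) demo || true ;;
    --live) decide "$(fdesetup status 2>&1)" "$(fdesetup showdeferralinfo 2>&1)" ;;
esac
```

Checking both conditions keeps the script from re-issuing a deferred enablement on a Mac that is already encrypted or already has one pending.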
After FileVault encryption is enabled, the deferral information will still be there, but