Setting up deferred FileVault encryption


In Enabling FileVault Encryption for Client Macs, I mentioned that deferred enablement is one option for mass-deploying encryption to clients, with the major downside that you can enable it for only one user and not multiple users at once.

If you do want to go that route, though, this is the command (assuming you’re using an institutional recovery key) you would use:

sudo fdesetup enable -user USERNAME -defer /PATH/TO/recovery.plist -norecoverykey -keychain -forceatlogin 10
where USERNAME is the username of the user you want to defer enablement for (otherwise, it will just be the last user to log out) and /PATH/TO is where you want to put the deferred-enablement info. The info itself is not sensitive, but I'd probably put it somewhere like /private/var/root, just so no one messes with it by accident.

This will also allow the user to put off enabling FileVault encryption ten times before she’s forced to enable it. You can adjust the -forceatlogin number to whatever you think makes sense for your organization.

Check the deferral status with

sudo fdesetup showdeferralinfo
If you haven’t yet run deferred enablement, the result will be
Not found.
(end period included). If you have run deferred enablement, you’ll get back an array of results from the .plist:
{
Defer = 1;
NoRecoveryKey = 1;
OutputPath = "/PATH/TO/recovery.plist";
UseKeychain = 1;
Usernames = (
USERNAME
);
}

To check general FileVault status (not deferral status), run the command

fdesetup status
which will return
FileVault is Off.
(end period included) if FileVault is not yet enabled and
FileVault is On.
FileVault master keychain appears to be installed.
(end periods included) if it is enabled.

So if you have a script checking whether to do a deferred enablement, you probably want to check that fdesetup status returns "FileVault is Off." and that showdeferralinfo returns "Not found."
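Here is what such a script could look like, as an added example (not from the original post) that ties together the enable command from earlier and the two status checks above. The decision is kept in a function that takes the captured output of fdesetup status and fdesetup showdeferralinfo as arguments, so it can be exercised with the sample output shown on this page without touching a Mac; the username and plist path in main are placeholders you would replace with your own values.

```bash
#!/bin/sh
# Added example, not part of the original post: decide whether a Mac still
# needs deferred FileVault enablement, using the two checks described above.

# Returns 0 (true) when FileVault is off AND no deferral info is registered,
# i.e. deferred enablement has not been set up yet; returns 1 otherwise.
#   $1: output of `fdesetup status`
#   $2: output of `sudo fdesetup showdeferralinfo`
needs_deferred_enable() {
    status_out="$1"
    deferral_out="$2"
    case "$status_out" in
        *"FileVault is Off."*) ;;          # still unencrypted: keep checking
        *) return 1 ;;                      # already on (or unexpected): nothing to do
    esac
    case "$deferral_out" in
        *"Not found."*) return 0 ;;         # no deferral plist registered yet
        *) return 1 ;;                      # deferral already scheduled
    esac
}

# Extracts the username from showdeferralinfo output (useful for inventory
# or logging). Prints nothing when no deferral info exists.
deferred_username() {
    printf '%s\n' "$1" | awk '
        /Usernames *= *\(/ { grab = 1; next }
        grab && /\)/        { exit }
        grab                { gsub(/[[:space:]]/, ""); print; exit }
    '
}

# Live run on a Mac. USERNAME and the plist path are placeholders (assumption:
# substitute your own values or the variables your management tool provides).
main() {
    user="${1:-USERNAME}"
    plist="${2:-/private/var/root/recovery.plist}"
    status_out="$(fdesetup status 2>/dev/null)"
    deferral_out="$(sudo fdesetup showdeferralinfo 2>/dev/null)"
    if needs_deferred_enable "$status_out" "$deferral_out"; then
        echo "Scheduling deferred enablement for $user"
        sudo fdesetup enable -user "$user" -defer "$plist" -norecoverykey -keychain -forceatlogin 10
    else
        echo "Nothing to do: status='$status_out' deferred user='$(deferred_username "$deferral_out")'"
    fi
}

# Only touch fdesetup when invoked as: sh script.sh run [USERNAME] [/PATH/TO/recovery.plist]
if [ "${1:-}" = "run" ]; then
    main "$2" "$3"
fi
```

Because the decision function only inspects strings, you can feed it the "FileVault is On." / "FileVault is Off." and "Not found." outputs quoted on this page to confirm the branches before deploying the script.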

After FileVault encryption is enabled, the deferral information will still be there, but

fdesetup status
will show
FileVault is On.
