|Managing Mac endpoints / About SafeGuard Native Device Encryption for Mac|
A user can be removed from the list of users assigned to a Mac in the SafeGuard Management Center. After the next synchronization, the user will be removed from the list of FileVault 2 users of the endpoint as well. But this does not mean that the user will not be able to log on to that Mac anymore. Like any new user, the user just needs to log on to a running Mac in order to become authorized again.
If you really want to prevent a user from booting a Mac, mark the user as blocked in the Management Center. The user will then be removed from the list of FileVault 2 users of the client and no new authorization will be possible.
It is possible to remove all FileVault 2 users but the last one. If the owner is removed, then the next user in the list will be marked as owner. In SafeGuard Native Device Encryption for Mac it does not make a difference if a user is owner or not.