Skip to main content
Question

Big Sur FV2 Key Escrow in JSS and re-issue

  • August 6, 2021
  • 11 replies
  • 37 views
J
Forum|alt.badge.img+3

 

Hi, 

We are starting to implement JAMF and a lot of end users have their FV2 key linked to their personal iCloud account.  With most machine already on Big Sur.  Has anyone had a successful way of re-issuing FV keys and escrowing them to JSS?   We have  these settings enabled, but on new computers it doesn't seem send the key to JAMF. We would like to also move the existing FV keys and escrow to JSS

 

    11 replies

    DBrowning
    Forum|alt.badge.img+24
    • DBrowning
    • Esteemed Contributor
    • August 6, 2021

    If the device is already setup and encrypted, you'll need to prompt the user for their password in order to generate a new key that will then be escrowed. This would be a good start. 

    J
    Forum|alt.badge.img+3
    • j_allenbrand1
    • Author
    • New Contributor
    • August 6, 2021

    Yes I started there, but with Big Sur I wasn't able to get it to run, It seems vastly out of date, since the "

    • Automatically redirect recovery keys to the JSS" is depreciated. 

     

    DBrowning
    Forum|alt.badge.img+24
    • DBrowning
    • Esteemed Contributor
    • August 6, 2021

    You'll need to use the "Escrow Personal Recovery Key settings:  I just used this method and escrowed a key on Big Sur.

    summoner2100
    Forum|alt.badge.img+7
    • summoner2100
    • Contributor
    • August 8, 2021

    Yes I started there, but with Big Sur I wasn't able to get it to run, It seems vastly out of date, since the "

    • Automatically redirect recovery keys to the JSS" is depreciated. 

     


    deprecated? wait, what now? 

    K
    Forum|alt.badge.img
    • Keith54
    • New Contributor
    • August 9, 2021

    I faced similar kind of issue last time, I am still searching for some proper solution.

    mycardstatement
    Jason33
    Forum|alt.badge.img+13
    • Jason33
    • Honored Contributor
    • August 9, 2021

    Have a look at https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh 

    scottb
    scottb
    Forum|alt.badge.img+18
    • scottb
    • Valued Contributor
    • August 9, 2021

    Have a look at https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh 


    I'm using this and it's working fine on Big Sur Macs...caveat being I have no M1 to test, only T2's...

    Jason33
    Forum|alt.badge.img+13
    • Jason33
    • Honored Contributor
    • August 9, 2021

    I'm using this and it's working fine on Big Sur Macs...caveat being I have no M1 to test, only T2's...


    @scottb It does work on M1 as well

    J
    Forum|alt.badge.img+3

    @scottb It does work on M1 as well


    I just attempted running the script on a test machine and got the following result.  Any ideas?

    DBrowning
    Forum|alt.badge.img+24
    • DBrowning
    • Esteemed Contributor
    • September 8, 2021

    I just attempted running the script on a test machine and got the following result.  Any ideas?


    Would have to see what your script looks like, but I'm going to guess that when you are defining the location of the TFlogo.png, you may have some illformed code based on the "Can't make file ":$:Applictions:logo:TFlogo.png" part of the error message.

    J
    Forum|alt.badge.img+3

    Would have to see what your script looks like, but I'm going to guess that when you are defining the location of the TFlogo.png, you may have some illformed code based on the "Can't make file ":$:Applictions:logo:TFlogo.png" part of the error message.


    Thanks for responding, I got it working last night.  Seems it did not like the file path I added in for our company's logo once I added file :// in front of the file path it worked like a charm.

    Thanks!

    Terms & ConditionsCookie settingsAccessibility statement