Hi,
We are currently switching from Safeguard to JSS-managed encryption, and I have put up a policy that uninstalls Safeguard, generates a new encryption key and stores it on the JSS. For now we are running it on a small test group, and while the majority of Macs worked just fine, there are several that have a weird error and the recovery key is not stored on the JSS... The only error in the log is "Error: Authentication error." for these Macs.
I was thinking it has to be related to the Secure Token; however, I have verified (both with sysadminctl and with dscl) that accounts on these machines have the Secure Token / ENABLED. One of the Macs is actually on 10.12 (macOS Sierra), which does not have the Secure Token feature at all. So the problem does not seem to be related to the Secure Token...
I have attempted creating a Configuration Profile with "FileVault Recovery Key Redirection" - no go; tried the interactive script, similar to this one - no go.
What is really weird is that when I attempted to run "sysadminctl -secureTokenOn <username> -password - -adminUser administrator -adminPassword -" I got an error: "sysadminctl[4250:176270] Operation is not permitted without secure token unlock.", which from what I've read online usually means the issue is with the Secure Token, but per the sysadminctl and dscl checks it shows that the Secure Token is there/enabled... So, at this point I am not sure what else to try before attempting complete decryption; any suggestions would be really appreciated!
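A pre-flight check script that gathers the same evidence the post describes (FileVault state, Secure Token status per local user from both sysadminctl and the dscl AuthenticationAuthority marker, and the APFS crypto users) before a key-rotation/escrow policy runs, so that the affected Macs can be identified from inventory rather than from a failed policy log. This is an added example, not the poster's script or a Jamf-provided tool; it assumes macOS with sysadminctl, dscl, fdesetup and diskutil on PATH, and the parsing helpers are kept separate so they can be exercised on captured output elsewhere.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight FileVault / Secure Token
# checks to run before a key rotation or escrow policy. Assumes macOS tools on PATH.

# Return 0 if a dscl AuthenticationAuthority record carries the SecureToken marker.
aa_has_secure_token() {
    case "$1" in
        *';SecureToken;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Map the "sysadminctl -secureTokenStatus" message to ENABLED / DISABLED / UNKNOWN.
token_state_from_msg() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Return 0 when "fdesetup status" reports that FileVault is On.
fv_is_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live report for one Mac; skipped cleanly on any other platform.
report() {
    command -v sysadminctl >/dev/null 2>&1 || { echo "not macOS; skipping live checks"; return 0; }
    fv_is_on "$(fdesetup status)" && echo "FileVault: On" || echo "FileVault: Off (nothing to rotate)"
    # Local accounts with UID >= 500 (the ones that can hold a Secure Token).
    for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
        aa=$(dscl . -read "/Users/$u" AuthenticationAuthority 2>/dev/null)
        # sysadminctl writes its status message to stderr, hence 2>&1.
        st=$(token_state_from_msg "$(sysadminctl -secureTokenStatus "$u" 2>&1)")
        aa_has_secure_token "$aa" && flag=yes || flag=no
        # A mismatch between the two columns is the first thing to chase.
        echo "$u: sysadminctl=$st dscl_SecureToken=$flag"
    done
    echo "APFS crypto users on /:"
    diskutil apfs listCryptoUsers / 2>/dev/null
}

report
```

An account that shows sysadminctl=ENABLED but dscl_SecureToken=no (or the reverse), or that is missing from the APFS crypto users list, is the one to examine before the escrow policy is pushed to it.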
