Question

FileVault Encryption - Migration from Jamf to Intune

  • May 18, 2023
  • 7 replies
  • 59 views


Guys,

We are migrating from Jamf to Intune. Once the Jamf profile is removed from devices, does the drive get decrypted?

If not, is a policy enough to escrow the key to Intune?

7 replies

MatthewGV
  • Contributor
  • May 18, 2023

The drive wouldn't be decrypted by switching MDM. I would want to verify that the new MDM is in fact escrowing the key correctly. You could randomly spot-check a few devices to be 100%.


sdagley
  • Jamf Heroes
  • May 18, 2023

@sk25 How exactly are you "migrating from Jamf to Intune"? If you're making Intune your Mac MDM, and you've removed your Jamf Pro MDM Profile from the Mac and then enrolled it with Intune, you're not going to be able to run policies from Jamf Pro on the Mac.


jamf-42
  • Esteemed Contributor
  • May 18, 2023

You can script the decrypt of the drive and add it to Self Service as part of the decom / migration. If it's out of Jamf you'll need to use the power of Intune to do this task.


  • Honored Contributor
  • May 18, 2023

You don't need to decrypt and re-encrypt. However, the Recovery Key will not be captured. You will need to run a FileVault Recovery Key re-issue script and prompt the user for their password.

Depending on your workflow of un-enrolling and re-enrolling the computers, you may be able to work that script into your workflow.


AJPinto
  • Legendary Contributor
  • May 22, 2023

If you are switching MDMs (not just adding conditional access), I would not worry too much about FileVault. Generally speaking, unless you just loosely manage your Macs, you want to reinstall macOS and enroll with Automated Device Enrollment. If you are not enrolling with Automated Device Enrollment (i.e. you are using Device Enrollment or User Enrollment) the MDM does not get a Secure Token, so you cannot push OS updates, and the MDM Profile is user removable.

I'd be more concerned that the user could just unmanage their device before worrying about a FV recovery key.


  • Author
  • Contributor
  • May 23, 2023

You don't need to decrypt and re-encrypt. However, the Recovery Key will not be captured. You will need to run a FileVault Recovery Key re-issue script and prompt the user for their password.

Depending on your workflow of un-enrolling and re-enrolling the computers, you may be able to work that script into your workflow.


@Tribruin Do you mind sharing the FileVault Recovery Key re-issue script so that I can test it? Thanks.


  • Honored Contributor
  • May 23, 2023

@Tribruin Do you mind sharing the FileVault Recovery Key re-issue script so that I can test it? Thanks.


I use a modified version of this script. The changes I made were primarily swapping SwiftDialog for JamfHelper as the user interface.

https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh
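The re-issue step described in the "Honored Contributor" reply above and the reissueKey.sh script linked here both do the same thing: rotate the personal FileVault recovery key with fdesetup so that the escrow payload of whichever MDM currently manages the Mac can capture the new key. The script below is an added example of that flow, not the script from the linked repository and not anything posted in this thread. It assumes macOS with FileVault already on, a console user who holds a SecureToken, and an MDM profile with an FDERecoveryKeyEscrow payload already installed (Intune's FileVault policy delivers one); the function names are hypothetical, and the osascript dialog stands in for the SwiftDialog/jamfHelper prompt mentioned above.

```shell
#!/bin/bash
# Added example (not jamf/FileVault2_Scripts/reissueKey.sh): rotate the personal FileVault
# recovery key so the MDM that currently manages this Mac can escrow the new key.
# Assumptions: macOS, FileVault is on, the console user has a SecureToken, and an MDM profile
# carrying an FDERecoveryKeyEscrow payload is installed. All function names are hypothetical.
set -u

# fdesetup reads credentials from a plist on stdin (-inputplist); escape XML-special characters
# so a password containing & < > cannot break the document or be misread.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the input plist. Feeding it over stdin keeps the password out of argv, where `ps`
# would show it, and out of the Jamf policy log.
build_fdesetup_plist() {
  user=$(xml_escape "$1")
  pass=$(xml_escape "$2")
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<plist version="1.0"><dict>\n'
  printf '  <key>Username</key><string>%s</string>\n' "$user"
  printf '  <key>Password</key><string>%s</string>\n' "$pass"
  printf '</dict></plist>\n'
}

# Preconditions: the user logged in at the console, FileVault on, and a SecureToken for that user
# (without a SecureToken fdesetup cannot change the recovery key).
console_user()     { /usr/bin/stat -f '%Su' /dev/console; }
filevault_on()     { /usr/bin/fdesetup status | /usr/bin/grep -q 'FileVault is On'; }
has_secure_token() { /usr/sbin/sysadminctl -secureTokenStatus "$1" 2>&1 | /usr/bin/grep -q 'ENABLED'; }

# Ask the user for their login password with a hidden-answer dialog. Returns non-zero if they cancel.
prompt_password() {
  /usr/bin/osascript \
    -e 'display dialog "Enter your Mac login password so a new FileVault recovery key can be issued and escrowed." default answer "" with hidden answer with title "FileVault Recovery Key" buttons {"Cancel", "OK"} default button 2' \
    -e 'text returned of result' 2>/dev/null
}

# Rotate the personal recovery key. fdesetup prints the new key on stdout; the caller discards it
# so the key never lands in a policy log. The escrow payload hands it to the MDM on its own.
rotate_recovery_key() {
  build_fdesetup_plist "$1" "$2" | /usr/bin/fdesetup changerecovery -personal -inputplist
}

main() {
  user=$(console_user)
  filevault_on || { echo "FileVault is not on; nothing to rotate" >&2; exit 1; }
  has_secure_token "$user" || { echo "$user has no SecureToken; cannot rotate the key" >&2; exit 1; }
  attempt=1
  while [ "$attempt" -le 3 ]; do            # allow for a mistyped password
    pw=$(prompt_password) || { echo "User cancelled" >&2; exit 1; }
    if rotate_recovery_key "$user" "$pw" >/dev/null 2>&1; then
      unset pw
      echo "Recovery key rotated for $user; the escrow payload will deliver it to the MDM"
      exit 0
    fi
    attempt=$((attempt + 1))
  done
  echo "Recovery key rotation failed after 3 attempts" >&2
  exit 1
}

# Only run the workflow when invoked with --rotate (e.g. from a Self Service policy as root).
case "${1:-}" in
  --rotate) main ;;
esac
```

Run it as root from a Self Service policy with `--rotate` after the Intune escrow profile is on the Mac, then spot-check a few devices in the Intune console to confirm a key was actually received, as the first reply suggests. The new key is deliberately not printed anywhere, so it cannot end up in Jamf policy logs or a terminal scrollback.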