Looks like the good old reboot was all that was needed in this case.

Glad to hear it!

In case others are curious, you're referring to my workflow for reissuing missing or invalid personal recovery keys by prompting the FileVault-authorized user for their password with a company-branded message: https://github.com/homebysix/jss-filevault-reissue

Here's a handy list of fdesetup exit codes:
https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man8/fdesetup.8.html

Looks like number 11 is "Authentication error." My script pre-checks to make sure the user is FV-authorized and validates the password with dscl, so I'm not sure what would cause that.

I have a few other machines exhibiting the behavior of no errors etc, but the the key will not escrow into the JSS. I have tried re provisioning the config profile that automatically directs keys to the JSS as well as rebooting the machine. The output is as below:
Running script reissue_filevault_recovery_key.sh...
Script exit code: 0
Script result: Alerting user "user" about incoming password prompt...
Prompting "user" for their Mac password...
Successfully prompted for Mac password.
Issuing new recovery key...
Displaying "success" message...

One other thing I noticed is that in the Encryption section of their computer record, it does not list our Disk Encryption Configuration. Could this indicate that the machine was not encrypted via Casper and as a result the key escrow would be impossible?

Thanks again!

Hi @ocla&&09,

If the workflow works, you should see a line that reads, Escrowing recovery key... Since I don't see that in your output, I think the escrow failed (or was not attempted).

You may want to try sudo fdesetup changerecovery -personal -verbose on that Mac to see whether the Escrowing recovery key... output appears. If not, confirm to make sure the profile is working (and no other redirection profiles are installed).

So I ran the local command and indeed saw the escrow key part, yet there is still no key in the JSS(!).
fdesetup changerecovery -personal -verbose
Password:
fdesetup: use personal recovery key
fdesetup: device path = /
Enter a password for '/', or the recovery key:
Adding personal recovery key.
New personal recovery key = 'XXXX-XXXX-XXXX-XXXX-XXXX-XXXX'
Escrowing recovery key..

I ran the same command on my machine without the redirect profile and got no escrow as expected, then installed the profile and the key successfully escrowed. So I am confident the profile is working....
I am thinking at this point that either the machine needs to be re enrolled in MDM, or I need to look at the server logs as to why that config profile is failing to send the key to the JSS, do you concur?

If the machine was by chance encrypted without Casper would that be a blocker to re escrowing the key?

Probably not. The whole point of the workflow above is to regenerate a new recovery key for Macs that were encrypted without Casper.

It could be that there's an existing FileVault redirection profile installed that's superseding your org's profile. sudo profiles -Cv should show you all the computer level profiles.

Hello Elliot - I just tested the jss-filevault-reissue script on Monterey Beta 3 and it appears to work as expected. 🙂

Hi all! I've got a quick update that may be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!