Skip to main content
Question

Filevault showing as not encrypted, but the recovery key is set

  • February 6, 2024
  • 6 replies
  • 109 views
T
Forum|alt.badge.img+6

Hi everyone,

I found some previous articles regarding a similar issue of a device being encrypted (shows on the device as encrypted) and JAMF Pro showing it has the Recovery Key. But JAMF Pro also shows it is not encrypted. I have been able to fix this by manually running the command sudo fdesetup changerecovery -personal and then doing a JAMF Recon. I wanted to script this, so I created a script to be run from self-service, but it just spins forever. I believe because it needs me to provide a username and password for an account that has rights to Filevault. How would I prompt for that in my script?

 

#!/bin/sh

# Change the recovery key
sudo fdesetup changerecovery -personal

# Force device to check into Jamf
sudo jamf recon

exit 0

    6 replies

    jamf-42
    Forum|alt.badge.img+17
    • jamf-42
    • Esteemed Contributor
    • February 6, 2024

    Best fix is this.. for the FileVault oddness.. escrow-buddy

    if thats overkill, I used to just re-issue a FV key via policy - Disk Encryption - Issue New Recovery Key.. and for the most that worked.. scoped to a smart group.. 

    aparten11
    T
    Forum|alt.badge.img+6
    • tyler_petro
    • Author
    • New Contributor
    • February 6, 2024

    Best fix is this.. for the FileVault oddness.. escrow-buddy

    if thats overkill, I used to just re-issue a FV key via policy - Disk Encryption - Issue New Recovery Key.. and for the most that worked.. scoped to a smart group.. 


    Thanks for the suggestion! I did look into this and it mentioned I have to push the keys using the FDERecoveryKey Escrow. Currently we are using a certificate to escrow; so I am not sure if I would have to re-do every recovery key in the environment if I switch the process.

    jamf-42
    Forum|alt.badge.img+17
    • jamf-42
    • Esteemed Contributor
    • February 6, 2024

    Thanks for the suggestion! I did look into this and it mentioned I have to push the keys using the FDERecoveryKey Escrow. Currently we are using a certificate to escrow; so I am not sure if I would have to re-do every recovery key in the environment if I switch the process.


    obviously test.. but its very simple.. if your using the normal FileVault config profile.. install the binary.. add the smart groups, policies and extension attributes and.. it just works.. 

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • February 7, 2024

    Thanks for the suggestion! I did look into this and it mentioned I have to push the keys using the FDERecoveryKey Escrow. Currently we are using a certificate to escrow; so I am not sure if I would have to re-do every recovery key in the environment if I switch the process.


    I can attest to the fact that Escrow Buddy works amazingly well. I recently started using it, and it's been great for wrangling in those handful of machines that end up in a weird encryption state to get a valid key escrowed into Jamf.

    One thing that's important to understand about its use is that it only works after the user logs out / logs in, after it's been deployed and the command set to capture a new key. And obviously you have to have FV2 key escrow set in a profile on your Macs from Jamf, so it knows to send the newly generated key back to the Jamf Pro console.

    But if you have that all in place, it works well, and doesn't require direct user input or nagging (they just have to log into their Mac at some point). I only mention that point about log out/log in, because we all know some Mac users almost never reboot their Macs or even log out of their accounts unless they are forced to. So it's just something to consider when using it.

    T
    Forum|alt.badge.img+6
    • tyler_petro
    • Author
    • New Contributor
    • February 7, 2024

    obviously test.. but its very simple.. if your using the normal FileVault config profile.. install the binary.. add the smart groups, policies and extension attributes and.. it just works.. 


    Great, I will give Escrow Buddy a shot. Thank you!

    T
    Forum|alt.badge.img+6
    • tyler_petro
    • Author
    • New Contributor
    • February 7, 2024

    I can attest to the fact that Escrow Buddy works amazingly well. I recently started using it, and it's been great for wrangling in those handful of machines that end up in a weird encryption state to get a valid key escrowed into Jamf.

    One thing that's important to understand about its use is that it only works after the user logs out / logs in, after it's been deployed and the command set to capture a new key. And obviously you have to have FV2 key escrow set in a profile on your Macs from Jamf, so it knows to send the newly generated key back to the Jamf Pro console.

    But if you have that all in place, it works well, and doesn't require direct user input or nagging (they just have to log into their Mac at some point). I only mention that point about log out/log in, because we all know some Mac users almost never reboot their Macs or even log out of their accounts unless they are forced to. So it's just something to consider when using it.


    Thank you for all of the information, I will give it a shot. Thanks!

    Terms & ConditionsCookie settingsAccessibility statement