I have recently started using Jamf with our organization. I have about 20 users who have already installed FileVault on their computer. I tried enabling a policy on their computer with our new file vault settings form Jamf. It successfully rebooted their computer and the policy says it was completed, but it does not save the key to the JSS. Is there any way to have it save the recovery key from an existing file vault to JSS without unencrypting the entire disk, then re-encrypting it?
Solved
Installing Jamf on pre-File Vault encrypted drive
+7Best answer by rich.trouton
As long as the Mac in question is running 10.9.x or higher, JAMF has a script available that helps with the process of getting a new recovery key uploaded to the JSS:
https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh
The script is leveraging the fdesetup command line tool's changerecovery function. I have a writeup on fdesetup available from the link below which covers how the changerecovery function works (see the Managing individual and institutional recovery keys section):
https://derflounder.wordpress.com/2013/10/22/managing-mavericks-filevault-2-with-fdesetup/
+11I'm not a FileVault expert, but I think it would defeat the purpose of an encryption key if a binary installed on the computer could just replace it with its own. I think the drive would have to be unencrypted to swap the key with a new one or the encryption is worthless. Just my thoughts.
+7I'm sure there is no way for it to just arbitrarily pull without the authorized user allowing it but I would think you could force it to ask for authorization to have it send the existing code or something. Maybe I'm wrong. I swear I read something about it somewhere though.
As long as the Mac in question is running 10.9.x or higher, JAMF has a script available that helps with the process of getting a new recovery key uploaded to the JSS:
https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh
The script is leveraging the fdesetup command line tool's changerecovery function. I have a writeup on fdesetup available from the link below which covers how the changerecovery function works (see the Managing individual and institutional recovery keys section):
https://derflounder.wordpress.com/2013/10/22/managing-mavericks-filevault-2-with-fdesetup/
@robby.barnes, rtrouton's link to the reissueKey is JAMF's recommended way of doing it. It should be done with a config profile that tells the redirection of the key to go to the JSS.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.