Solved

Recovery Key Redirection

  • August 5, 2014
  • 14 replies
  • 19 views


Can anyone explain precisely what this profile management setting does? I understand that if you enforce FileVault encryption through Profile Manager you need to use this, but will it redirect a recovery key of an already encrypted machine to the JSS?

Best answer by SamF

Yes, if the JSS has an existing valid individual recovery key OR if the management account in the JSS is an enabled FV2 user on the client machine. One of those conditions must be true and the client must be running 10.9+.

14 replies

  • Employee
  • August 5, 2014

This profile will not redirect the recovery key for a machine that has already been encrypted. The profile must be in place at the time the key is generated during the encryption process.


  • Author
  • Contributor
  • August 5, 2014

Thanks for the info, now a followup:

If you utilize the Issue New Recovery Key option via policy, will that regenerate the key on an already encrypted machine?


  • Employee
  • Answer
  • August 5, 2014

Yes, if the JSS has an existing valid individual recovery key OR if the management account in the JSS is an enabled FV2 user on the client machine. One of those conditions must be true and the client must be running 10.9+.


  • Author
  • Contributor
  • August 11, 2014

Great, thanks for the info Sam.


  • Author
  • Contributor
  • September 11, 2014

@Sam.Fortuna

Sorry to bump this again. I was hoping to enable the management account for FV2 for our user self-encrypted machines, but then I noticed this requirement: To enable the management account for FileVault 2, the computer must have OS X v10.9 and have an existing, valid individual recovery key that matches the key stored in the JSS.

Is there a workflow to take user-encrypted machines and get their existing keys or a newly generated key into the JSS?


  • Employee
  • September 11, 2014

There is not a JSS supported workflow that will allow for the functionality that you seek. However, there have been others who were looking to implement a similar solution, so we created a custom script which should accomplish the task. The workflow requires that we install a FV2 recovery key redirection configuration profile to the client machine. Then run this script: https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh

The script will prompt for the currently logged in, FV2 enabled user's password and use that to reissue a new key. With the FV2 redirection payload in place, this should then be posted into the JSS record for the machine. I hope that helps out!


  • Author
  • Contributor
  • September 15, 2014

Sam, I have had some issues with the script: two different unexpected results. Would it be ok to work offline with you on this? We have an existing support contract if that is permissible.

Thanks for your help!


  • Contributor
  • November 7, 2014

@Sam.Fortuna

Your script has been working as intended; however, I have one machine that gets the following error repeatedly when trying to run the script:

Script result: Prompting xxxxxxx for their login password.
Issuing new recovery key
invalid command name "
"
while executing
" "

The key is not getting regenerated and uploaded to the JSS, and this is the only machine so far I am seeing this on. Do you have any insight as to what the issue could be?

Thanks in advance


  • Employee
  • November 7, 2014

@Oclassen - I haven't seen this error before, but I'm guessing that the user probably has a special character in their password that isn't being passed through correctly. A quotation or backslash in the password might cause this type of behavior.

Hope that helps out!


  • Contributor
  • November 7, 2014

Thanks @Sam.Fortuna - I assume if that is indeed the case, the only workaround is for them to change their password? Or is there perchance an edit that can be made in the script?


  • Employee
  • November 7, 2014

There's most likely a change that could be made to the script to account for special characters. It'd be easier to determine what the special character was and then implement a fix than attempting to account for all possible characters that might be problematic.

Since this is a one off situation, it may be less work to have the user temporarily change their password. At that point we can run the script and have the user revert their password back.


bentoms
  • Hall of Fame
  • November 7, 2014

Hi guys,

It can be done, you'll need "quoted form of" when retrieving the password. Basically I've had to use that multiple times in AutoCasperNBI.

Something like:

quoted form of text returned of result

bentoms
  • Hall of Fame
  • November 7, 2014

The quoted form property gives the string in a form that is safe from further interpretation by the shell, no matter what its contents are.

From: https://developer.apple.com/library/mac/technotes/tn2065/_index.html
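An added example, not the JAMFSupport reissueKey.sh script or any code posted in this thread, showing the other half of the fix discussed above: rather than interpolating the password into a command string (where a quote or backslash, as Sam suspected, changes the meaning of the command), hand it to fdesetup as data via its -inputplist option, which reads a plist with Username and Password keys from stdin. The xml_escape and build_input_plist helper names and the sample password are this example's own assumptions.

```shell
#!/bin/sh
# Escape the five XML metacharacters so the password is carried as data.
# printf '%s' never interprets backslashes, and sed only rewrites the
# characters listed here; nothing else in the value is touched.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' \
                           -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' \
                           -e "s/'/\&apos;/g"
}

# Emit the Username/Password plist that
# `fdesetup changerecovery -personal -inputplist` reads from stdin.
build_input_plist() {
    user=$(xml_escape "$1")
    pass=$(xml_escape "$2")
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' \
        '<dict>' \
        '  <key>Username</key>' \
        "  <string>$user</string>" \
        '  <key>Password</key>' \
        "  <string>$pass</string>" \
        '</dict>' \
        '</plist>'
}

# Reissue the personal recovery key for an already encrypted Mac. With the
# FV2 redirection profile installed, the new key is escrowed to the JSS.
# Must run as root on the client; not executed in this demonstration.
reissue_key() {
    build_input_plist "$1" "$2" | fdesetup changerecovery -personal -inputplist
}

# Constructed sample: a password containing the characters that break
# string interpolation. It survives intact inside the <string> element.
demo() {
    build_input_plist 'jsmith' 'pa"ss\w&<o>rd'
}
```

The plist is piped, never written to disk, so the password is not left in a temporary file; the same pattern replaces any expect or osascript interpolation of the password.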


  • Contributor
  • November 7, 2014

Great, thanks. I will try that out.