Posted on 09-19-2022 02:07 PM
Hello Team,
I am looking for a solution to get the recovery key in my JAMF console for those Mac devices where the recovery key is missing, but user should be interrupted. I can see it has happened for both personal and institutional keys. What is the main concept of personal recovery key validation? Sometimes it is showing invalid or unknown but the recovery key is there, strange! Please help me to understand, and also with the perfect resolution I am looking for. BTW the device is getting encrypted by a config profile that also escrows the key in JAMF.
Posted on 09-19-2022 07:15 PM
I use a modified version of this script and it's been helpful for us
https://github.com/homebysix/jss-filevault-reissue/blob/main/reissue_filevault_recovery_key.sh
Posted on 09-20-2022 06:18 AM
But will this script run on Big Sur and Monterey OS?
And is it not possible to escrow without any user's prompt? I mean full silent operation.
Posted on 09-20-2022 08:36 AM
Posted on 09-29-2022 08:37 AM
When you say 'modified', in what way? We are also using this script but are running into some issues with Big Sur/Monterey where the key is not being picked up.
Posted on 11-15-2022 07:18 AM
We're also seeing some machines that have had new FV recovery keys (PRK) issued followed by a recon, which does update it in Jamf. Fast forward a week or so and those same machines are back on the list of "unknown" with some of them not having the key available once again while others just have the status of "unknown".
12-27-2022 09:14 AM - edited 12-27-2022 09:15 AM
Seeing the same exact thing @BradJr, but it only takes a few days or so. Something is up. And it is becoming "Unknown". I have reached out to Frederick, Traveling Tech Guy...
01-05-2023 11:58 AM - edited 01-05-2023 11:58 AM
Any luck finding a solution? We've been seeing this for some of the computers in our environment, too...
Posted on 01-18-2023 08:43 AM
Still nothing that I've seen or heard of yet. Seems like there is definitely something up but perhaps we'll see some of a resolve as we begin upgrading to Ventura.
Not sure if anyone else has seen the same issue on any Ventura machines yet?
01-05-2023 12:48 PM - edited 01-05-2023 12:49 PM
Some say a reboot makes Valid stick. Run the PRK Re-issue policy again, user enters password, but this time the Mac reboots. So a reboot somehow makes "Valid" stick... This seems to be working on some of the Macs / users that I have worked with...
Posted on 03-22-2023 04:28 AM
I'm still seeing this happen on various versions of Monterey and Ventura. I've submitted a ticket to hopefully understand why this is happening.
Posted on 03-23-2023 06:59 AM
I would request you to let me know if you get a solution.
Posted on 04-03-2023 05:26 AM
I was told by support that this is "expected behavior because the process that Apple uses to grab that key can be inconsistent." And Jamf support said that I should run a recon after the reissue key policy runs. I already have a recon as part of that policy, but was told that isn't enough.
So sadly this is still happening and I have not yet found a real solution or explanation.
Posted on 06-15-2023 04:51 PM
Hi all! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.
My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.
You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.
Thanks!
Posted on 06-15-2023 06:08 PM
Tuesday
Wow, very cool!