Help

Big Sur FV2 Key Escrow in JSS and re-issue

j_allenbrand1
New Contributor II

Posted on ‎08-06-2021 08:59 AM

Hi, 

We are starting to implement JAMF and a lot of end users have their FV2 key linked to their personal iCloud account.  With most machine already on Big Sur.  Has anyone had a successful way of re-issuing FV keys and escrowing them to JSS?   We have  these settings enabled, but on new computers it doesn't seem send the key to JAMF. We would like to also move the existing FV keys and escrow to JSS

Screen Shot 2021-08-06 at 8.56.29 AM.png

Screen Shot 2021-08-06 at 8.57.49 AM.png

0 Kudos
Reply
11 REPLIES 11

DBrowning
Valued Contributor II

Posted on ‎08-06-2021 10:25 AM

If the device is already setup and encrypted, you'll need to prompt the user for their password in order to generate a new key that will then be escrowed. This would be a good start. 

0 Kudos
Reply

j_allenbrand1
New Contributor II

Posted on ‎08-06-2021 10:33 AM

Yes I started there, but with Big Sur I wasn't able to get it to run, It seems vastly out of date, since the "

  • Automatically redirect recovery keys to the JSS" is depreciated. 

 

0 Kudos
Reply

summoner2100
Contributor
In response to j_allenbrand1

Posted on ‎08-08-2021 02:16 PM

deprecated? wait, what now? 

0 Kudos
Reply

DBrowning
Valued Contributor II

Posted on ‎08-06-2021 11:05 AM

You'll need to use the "Escrow Personal Recovery Key settings:  I just used this method and escrowed a key on Big Sur.

Screen Shot 2021-08-06 at 14.04.36.png

0 Kudos
Reply

Keith54
New Contributor

Posted on ‎08-08-2021 11:46 PM

I faced similar kind of issue last time, I am still searching for some proper solution.

mycardstatement
0 Kudos
Reply

Jason33
Contributor III

Posted on ‎08-09-2021 02:32 AM

Have a look at https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh 

Reply

scottb
Honored Contributor
In response to Jason33

Posted on ‎08-09-2021 11:20 AM

I'm using this and it's working fine on Big Sur Macs...caveat being I have no M1 to test, only T2's...

0 Kudos
Reply

Jason33
Contributor III
In response to scottb

Posted on ‎08-09-2021 12:20 PM

@scottb It does work on M1 as well

0 Kudos
Reply

joshdoesearth91
New Contributor II
In response to Jason33

Posted on ‎09-07-2021 04:56 PM

I just attempted running the script on a test machine and got the following result.  Any ideas?Screen Shot 2021-09-07 at 7.55.42 PM.png

0 Kudos
Reply

DBrowning
Valued Contributor II
In response to joshdoesearth91

Posted on ‎09-08-2021 04:05 AM

Would have to see what your script looks like, but I'm going to guess that when you are defining the location of the TFlogo.png, you may have some illformed code based on the "Can't make file ":$:Applictions:logo:TFlogo.png" part of the error message.

0 Kudos
Reply

joshdoesearth91
New Contributor II
In response to DBrowning

Posted on ‎09-08-2021 06:57 AM

Thanks for responding, I got it working last night.  Seems it did not like the file path I added in for our company's logo once I added file :// in front of the file path it worked like a charm.

Thanks!

0 Kudos
Reply