Big Sur FV2 Key Escrow in JSS and re-issue

j_allenbrand1
New Contributor

Hi, 

We are starting to implement JAMF, and a lot of end users have their FV2 key linked to their personal iCloud account, with most machines already on Big Sur. Has anyone had a successful way of re-issuing FV keys and escrowing them to the JSS? We have these settings enabled, but on new computers it doesn't seem to send the key to JAMF. We would also like to move the existing FV keys and escrow them to the JSS.

[Two screenshots of the settings referred to above, attached to the original post]


DBrowning
Valued Contributor

If the device is already setup and encrypted, you'll need to prompt the user for their password in order to generate a new key that will then be escrowed. This would be a good start. 
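The rotation step described above, written out as an added example (this is not a script from the thread or from Jamf): prompt the console user for their password, hand it to `fdesetup changerecovery -personal` through an input plist, and run an inventory afterwards. It assumes an "Escrow Personal Recovery Key" configuration profile is already installed so the new key is forwarded to the JSS, that the script runs as root from a policy, and that the console user is FileVault-enabled; the dialog text and the `--run` switch are this example's own choices.

```shell
#!/bin/sh
# Added example: rotate a FileVault personal recovery key (PRK) so that an
# installed Jamf "Escrow Personal Recovery Key" profile can capture the new key.
# Assumptions (not from the thread): run as root from a Jamf policy, escrow
# profile already present, console user is a FileVault-enabled user.
set -eu

# Escape the five XML special characters so an arbitrary password cannot
# break (or inject into) the plist handed to fdesetup.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Build the plist that `fdesetup changerecovery -personal -inputplist` reads
# on stdin: a dict with the user's short name and password.
prk_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

# A PRK is six groups of four upper-case letters/digits, e.g. ABCD-EFGH-IJKL-MNOP-QRST-UVWX.
is_prk() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Pull the first PRK-shaped token out of fdesetup's output; exit 1 if none.
extract_prk() {
    printf '%s\n' "$1" | grep -Eo '([A-Z0-9]{4}-){5}[A-Z0-9]{4}' | head -n 1 | grep .
}

# Ask the console user for their login password with hidden input.
prompt_password() {
    /usr/bin/osascript \
        -e 'display dialog "Enter your Mac login password to generate a new FileVault recovery key." default answer "" with hidden answer buttons {"OK"} default button 1' \
        -e 'text returned of result'
}

rotate_prk() {
    user=$(/usr/bin/stat -f %Su /dev/console)
    pass=$(prompt_password)
    out=$(prk_plist "$user" "$pass" | /usr/bin/fdesetup changerecovery -personal -inputplist 2>&1)
    unset pass
    if ! key=$(extract_prk "$out"); then
        echo "fdesetup did not return a recovery key: $out" >&2
        return 1
    fi
    unset key  # never log or store the key locally; the escrow profile carries it to Jamf
    echo "New personal recovery key generated; running inventory so Jamf records it."
    /usr/local/bin/jamf recon
}

# Only perform the rotation when invoked explicitly, e.g. `sudo ./rotate_prk.sh --run`.
if [ "${1:-}" = "--run" ]; then rotate_prk; fi
```

The password is only ever passed on stdin inside the plist, never as a command-line argument, so it does not appear in `ps` output or the policy log; the XML escaping matters because a password containing `&` or `<` would otherwise produce a plist fdesetup rejects.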

j_allenbrand1
New Contributor

Yes, I started there, but with Big Sur I wasn't able to get it to run. It seems vastly out of date, since the "Automatically redirect recovery keys to the JSS" setting is deprecated.


deprecated? wait, what now? 

DBrowning
Valued Contributor

You'll need to use the "Escrow Personal Recovery Key" settings. I just used this method and escrowed a key on Big Sur.

[Screenshot of the Escrow Personal Recovery Key settings, attached to this reply]

Keith54
New Contributor

I faced a similar kind of issue last time; I am still searching for a proper solution.

Jason33
Contributor II

scottb
Valued Contributor III

I'm using this and it's working fine on Big Sur Macs... the caveat being I have no M1 to test, only T2s...

@scottb It does work on M1 as well

I just attempted running the script on a test machine and got the following result. Any ideas?

[Screenshot of the error, attached to this reply]

I would have to see what your script looks like, but I'm going to guess that when you are defining the location of TFlogo.png you have some ill-formed code, based on the "Can't make file ":$:Applictions:logo:TFlogo.png" part of the error message.

Thanks for responding, I got it working last night. It seems it did not like the file path I added in for our company's logo; once I added file:// in front of the file path it worked like a charm.

Thanks!