Can you deploy an institutional key to a machine that was manually encrypted and already has a recovery key in the JSS? (10.12 and 10.13)

This is a question which has been hinted at in other posts but I don’t think has been fully clarified. My main concern is whether deploying an institutional key to a machine which already has a recovery key will invalidate one or the other (or simply not work) if added at this stage? I’ve noticed that if the institutional key is already present on the device when you encrypt the device manually, you don’t get the option to set a recovery key, so I am wondering if in this scenario there is some incompatibility or if the two things interact with each other?

With that said, I am also aware that when we deploy encryption through the JSS we deploy a configuration that simultaneously creates individual and institutional keys on machines, so I am assuming that they can coexist. I am just not sure if it is OK to use one method and then add the other option after the fact?

Any previous experiences or thoughts would be helpful.