In reading the Jamf 10.15 release notes I noticed the below line:
"On FileVault encrypted computers with macOS 10.15 or later, you must enter the password or the recovery key of the FileVault enabled user to access the recovery partition."
I understand much of Catalina is still probably covered by NDA, but in reading this does this now mean that rebuilding the machine requires a full decrypt/device unlock? Older models that support USB boot/wipe might be easier to work around this but I'm imagining our T2 portion of the fleet will become substantially more tedious to rebuild, and we'll be SOL if for some reason the recovery key didn't escrow or doesn't work for some reason.
Am I reading this correctly or can anyone way in with their interpretation experience?
I think it means you just need to prove you have access to the drive. Before 10.15 you still needed to provide a FV (or recovery key?) to access a FV encrypted drive from the recovery partition (like, for Disk Utility). Now you just need to do it earlier.
This is a good thing, because before 10.15 you could change passwords without needing any authentication. This will make our ISO group happy (a good thing).
We create a local support account that gets FV access when the user enables FV through a self service policy. I think over the last five years we've only needed to contact Apple Support for a recovery key twice. But then maybe we're lucky.
I'd also take this as a sign that Apple is thinking that the era of full drive level nuke and repave is over. In theory needing to remove the OS partition is no longer going to be a common occurrence with Catalina, and wiping the user partition will provide an experience similar to what nuke and repave did for previous versions of macOS.