Device Recovery Key?

mthakur
Contributor

Does anyone know what exactly this "Device Recovery Key" is intended for?


For Macs, it appears to be populated with the Mac's Apple serial number.

The Jamf Pro Administrator's Guide lists "Device recovery key" in a table (Viewing and Editing Inventory Information for a Computer) but doesn't describe it at all. There's nothing in the Jamf Knowledge Base either.

Anyone? Anyone? Bueller?

1 REPLY

Andreas_Schenk
Contributor

I haven't had the time to test, but I believe this is just a not very good label here.
AFAIK this is the value you have put into your "Record number" Message field in the Config Profile to enable FV with key escrow.

The story is this: using Configuration Profiles, we can enable FV2. As per Apple's spec, the key escrow is optional. If enabled, the escrowed key can be sent to any server. In Jamf Pro this is always the Jamf Pro server (it is not possible to choose another server as a target).
If you escrow the key, the user is shown the "Escrow Location Description", and if he needs to recover (3 failed login attempts at preboot authentication) he is shown both the "Escrow Location Description" AND the "Record number" Message, so he could use that to go to his IT Helpdesk and they could identify his computer in that server and find the recovery key.
Now with Jamf Pro, none of that is needed at all, as the location is always the Jamf Pro server and there the recovery key is stored in the inventory record. Therefore, both the location description and record number are not really needed, but are displayed to the user if he fails to log in. I do not know why this is hidden behind a "show key" button, or I could be totally wrong, but from my understanding of Jamf Pro and the MDM Profile spec, this is what makes sense.
