Posted on 09-15-2022 10:29 AM
I'm attempting to switch computers from Jamf Now to Jamf Pro. I created a configuration profile for disk encryption and it's showing the device is encrypted. However, when I view the settings on the device via inventory in Jamf, there's no Disk encryption configuration and the PRK is "unknown". When I try to reissue, the policy just sits at pending despite logging out/in or rebooting. I haven't been able to find anything helpful in documentation or on the web. Thanks.
Posted on 09-15-2022 03:03 PM
I was able to do it by manually entering the sudo command in the terminal, but it sure would be nice to not have to do this for every single user manually. Anyone? Anyone? Bueller?
Posted on 09-16-2022 06:29 AM
Unfortunately, there is no easy way to do it without user interaction. We have a policy in Self Service that runs this script. It prompts the user for their password and then rotates the PRK. As long as you have a configuration profile that escrows the PRK to Jamf, it will capture the updated PRK to Jamf:
FileVault2_Scripts/reissueKey.sh at master · jamf/FileVault2_Scripts · GitHub
Posted on 09-22-2022 02:12 PM
Thanks for this response. I've run this script as a Self Service policy as suggested. All seems to be going fine, and initially the user gets a message saying that a new PRK has been issued. However, right after that the policy fails. I'm getting the following error messages: "User could not be authenticated" and "unable to unlock or authenticate to FileVault". I don't have any other policies or configurations in place that limit the user's access to FileVault, so I am a bit stumped. Any help appreciated.