Solved

Explanations needed - FileVault 2 Escrow recovery key parameters



Hello, I'm about to enable FileVault disk encryption for our company's Macs, but I want to make sure I do everything correctly to avoid any problems.

And I'm quite puzzled about what some parameters mean in the FileVault configuration profile payload:

We chose to only use individual recovery keys for more security, so I ticked Require FileVault 2 and Create individual recovery key.
Since we need to get those recovery keys back to Jamf, I obviously ticked Enable Escrow Personal Recovery Key, but then here's where I get lost.
I don't know what the Escrow location description and the "Record number" message are.

Plus, I don't know what difference it makes to select either automatic encryption or manual encryption (then the JSS redirect cert).

I can't seem to find any information about this in the documentation.
Any clues on what that information is? And any advice on how I should proceed to deploy such a thing?

Thanks in advance.

Best answer by Scott_Watkins (New Contributor, November 19, 2019)

Escrow location description - This is something told to the user. This is just to let the user know where the key will be stored. For example, you could write: "This key will be securely stored with your IT department."

Record number - This is something shown to the user when they have forgotten their password. When it asks them to enter the recovery key there is a record number there. This should be a unique reference they can give to IT to help them find the key in Jamf.

I would recommend letting Jamf handle the encryption of the recovery keys. They give you the option of using your own details to encrypt the keys.

3 replies



Author · Contributor · 31 replies · November 19, 2019

Thanks @Scott.Watkins, this indeed clarifies the subject.

Though, what do you mean by letting Jamf handle the encryption? Do I set it to automatically encrypt and decrypt, or do I set it to manual and then select the JSS cert?


Scott_Watkins · New Contributor · 8 replies · November 20, 2019

Just set it to automatically do it.
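As an added example (not code from this thread, from Jamf, or from Apple), the Python below builds the configuration profile that the checkboxes discussed above are assumed to produce and then checks that the escrow wiring is consistent before it is uploaded. The payload keys used (`com.apple.MCX.FileVault2` with `Enable`/`UseRecoveryKey`/`ShowRecoveryKey`, `com.apple.security.FDERecoveryKeyEscrow` with `Location` and `EncryptCertPayloadUUID`, `com.apple.security.pkcs1` for the certificate) are Apple's documented profile keys; the mapping from the Jamf checkbox names to those keys, the `com.example.*` identifiers and the placeholder certificate bytes are assumptions. "Automatic" is modelled as an escrow payload without an embedded certificate (the MDM supplies it), "manual" as an embedded certificate referenced by UUID. The "Record number" field has no counterpart here because the thread does not say which payload key it sets.

```python
"""Added example: build a FileVault 2 + personal-recovery-key (PRK) escrow
profile and sanity-check it. Not the thread's or Jamf's code."""
import plistlib
import uuid

# Constructed placeholder; a real deployment embeds the DER bytes of the
# escrow certificate (the JSS redirect cert the thread mentions, or your own).
PLACEHOLDER_CERT_DER = b"\x30\x82PLACEHOLDER-NOT-A-REAL-CERTIFICATE"


def _base(payload_type, identifier):
    """Common keys every payload dictionary needs (identifiers are placeholders)."""
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }


def filevault_payload():
    """Assumed mapping of 'Require FileVault 2' + 'Create individual recovery key'."""
    p = _base("com.apple.MCX.FileVault2", "com.example.fv2")
    p.update({
        "Enable": "On",
        "Defer": True,              # prompt the user at login/logout, not silently
        "UseRecoveryKey": True,     # generate a personal recovery key
        "ShowRecoveryKey": False,   # the user never sees the PRK; it is escrowed only
        "DeferForceAtUserLoginMaxBypassAttempts": 0,
    })
    return p


def escrow_payload(location_description, cert_payload_uuid=None):
    """Assumed mapping of 'Enable Escrow Personal Recovery Key'. Location is the
    escrow description shown to the user; the cert reference is manual mode only."""
    p = _base("com.apple.security.FDERecoveryKeyEscrow", "com.example.fv2.escrow")
    p["Location"] = location_description
    if cert_payload_uuid is not None:
        p["EncryptCertPayloadUUID"] = cert_payload_uuid
    return p


def cert_payload(der_bytes):
    """Certificate payload holding the public key the PRK is encrypted to."""
    p = _base("com.apple.security.pkcs1", "com.example.fv2.cert")
    p["PayloadContent"] = der_bytes
    return p


def build_profile(location_description, manual_cert_der=None):
    """manual_cert_der=None models the 'automatic' choice; DER bytes model 'manual'."""
    payloads = [filevault_payload()]
    if manual_cert_der is None:
        payloads.append(escrow_payload(location_description))
    else:
        cert = cert_payload(manual_cert_der)
        payloads += [cert, escrow_payload(location_description, cert["PayloadUUID"])]
    top = _base("Configuration", "com.example.fv2.profile")
    top["PayloadDisplayName"] = "FileVault 2 with PRK escrow"
    top["PayloadContent"] = payloads
    return top


def check_profile(profile):
    """Return a list of problems; [] means FileVault is enforced, a PRK will be
    created, and the escrow payload can actually deliver it."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    by_type = {p["PayloadType"]: p for p in payloads}
    by_uuid = {p["PayloadUUID"]: p for p in payloads}
    fv = by_type.get("com.apple.MCX.FileVault2")
    esc = by_type.get("com.apple.security.FDERecoveryKeyEscrow")
    if fv is None or fv.get("Enable") != "On":
        problems.append("FileVault is not enforced")
    elif not fv.get("UseRecoveryKey"):
        problems.append("no personal recovery key is created, so there is nothing to escrow")
    if esc is None:
        problems.append("no FDERecoveryKeyEscrow payload: the PRK never leaves the Mac")
        return problems
    if not str(esc.get("Location", "")).strip():
        problems.append("Location (escrow description shown to the user) is empty")
    ref = esc.get("EncryptCertPayloadUUID")
    if ref is not None:
        cert = by_uuid.get(ref)
        if cert is None or cert["PayloadType"] != "com.apple.security.pkcs1":
            problems.append("EncryptCertPayloadUUID does not point at a pkcs1 certificate payload")
        elif not cert.get("PayloadContent"):
            problems.append("certificate payload is empty")
    return problems


def to_mobileconfig(profile):
    """Serialise to the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    prof = build_profile("Your recovery key is stored securely by the IT department.")
    print(check_profile(prof) or "OK")
    print(to_mobileconfig(prof).decode()[:300])
```

Run `check_profile` on the profile you intend to scope before deploying it: the failure it catches most often is the manual mode with a dangling or empty certificate reference, which leaves a Mac encrypted with a key that was never escrowed anywhere.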

