File Vault Recovery Key

FinalCutUK
New Contributor

Hi


Quick question in regards to why I can't see any FV personal recovery keys in Jamf Pro when FV encryption is fully enabled.


Seems rather a critical piece of info to not have available, no?


Any advice or help greatly appreciated.


mm2270
Legendary Contributor III

I think some details on how you're enabling FileVault on your Macs is needed here. For example, if you just enrolled existing Macs into Jamf that were already encrypted, the FV2 keys will not show up in Jamf Pro. The keys have to be escrowed into Jamf, either at the time FileVault is enabled, or when they get rotated. For that to happen, you typically will want a Configuration Profile deployed to the Macs that enables escrowing of the keys into Jamf. Basically, the profile tells the Mac that anytime FileVault is enabled (if it's not already), or if the key is rotated, the Recovery key should get sent back to the MDM (Jamf Pro) for safekeeping.

So the question again is, how do you have this set up?

sdunbar
Contributor

As mentioned above, if you have the config profile set up, then I have found the below useful for any missing FileVault keys:

jss-filevault-reissue/reissue_filevault_recovery_key.sh at main · homebysix/jss-filevault-reissue · ...

This script is intended to run on Macs which no longer have a valid recovery key in the JSS. It prompts users to enter their Mac password, and uses this password to generate a new FileVault key and escrow it with the JSS. The "redirect FileVault keys to JSS" configuration profile must already be deployed in order for this script to work correctly.
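The flow the replies describe, as an added example that is not the linked reissue script or Jamf's own code: confirm FileVault is fully on (a deferred enablement has no key to escrow yet), confirm the escrow payload is installed (otherwise a rotated key never reaches Jamf Pro), then rotate the personal recovery key so the profile escrows it. Assumed: macOS with `fdesetup`, and `profiles -C -o stdout-xml` as the way to list installed payloads.

```shell
#!/bin/bash
# Added example, not the linked reissue script or Jamf's code. Assumes macOS
# with fdesetup/profiles and an installed FDERecoveryKeyEscrow payload.
# Parse `fdesetup status` text: 0 only when FileVault is fully on and no
# deferred enablement is still pending (a deferred key is not escrowed yet).
fv_fully_enabled() {
    case "$1" in
        *"Deferred enablement"*) return 1 ;;
        *"FileVault is On"*)     return 0 ;;
        *)                       return 1 ;;
    esac
}

# Check the installed profiles (assumed: `profiles -C -o stdout-xml` output)
# for the escrow payload; without it a new key never reaches Jamf Pro.
escrow_profile_installed() {
    case "$1" in
        *com.apple.security.FDERecoveryKeyEscrow*) return 0 ;;
        *) return 1 ;;
    esac
}

# Escape the XML specials so a password like 'a<b&c' cannot break the plist.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Build the plist fed to `fdesetup changerecovery -personal -inputplist` on
# stdin, so the password never appears in the process list or a log.
auth_plist() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
    printf '  <key>Username</key><string>%s</string>\n' "$(xml_escape "$1")"
    printf '  <key>Password</key><string>%s</string>\n' "$(xml_escape "$2")"
    printf '</dict></plist>\n'
}

# Rotate the personal recovery key for USER; the escrow profile sends the new
# key to the MDM, so the key fdesetup prints is discarded rather than logged.
rotate_key() {
    fv_fully_enabled "$(fdesetup status)" \
        || { echo "FileVault is not fully enabled; nothing to rotate" >&2; return 2; }
    escrow_profile_installed "$(profiles -C -o stdout-xml 2>/dev/null)" \
        || { echo "Escrow profile missing; a new key would not reach Jamf Pro" >&2; return 3; }
    IFS= read -r -s -p "Password for $1: " pw; echo
    auth_plist "$1" "$pw" | fdesetup changerecovery -personal -inputplist >/dev/null
}
if [ "$#" -eq 2 ] && [ "$1" = "--rotate" ]; then
    rotate_key "$2"
fi
```

Run as `sudo ./rotate_fv_key.sh --rotate jdoe`; Jamf Pro should show the new personal recovery key on the computer record once the escrow inventory arrives.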