Posted on 03-14-2019 08:29 AM
Hi,
We are currently switching from Safeguard to JSS managed encryption and I have put up a policy which uninstalls Safeguard, generates a new encryption key and stores it on JSS. For now we are running it on a small test group and while the majority of Macs worked just fine, there are several which have a weird error and the recovery key is not stored on JSS... The only error in the log is “Error: Authentication error.” for these Macs.
I was thinking it has to be related to the Secure Token, however I have verified (both with sysadminctl and with dscl) that accounts on these machines have the Secure Token / ENABLED. One of the macs is actually 10.12 (macOS Sierra), which does not have the secure token feature at all. So the problem does not seem to be related to the Secure Token...
I have attempted creating a Configuration Profile with “FileVault Recovery Key Redirection” - no go, tried the interactive script, similar to this one - no go.
What is really weird is, when I attempted to run "sysadminctl -secureTokenOn <username> -password - -adminUser administrator -adminPassword -" I got an error: "sysadminctl[4250:176270] Operation is not permitted without secure token unlock.", which from what I've read online usually means the issue is with Secure Token, but per sysadminctl and with dscl checks - it shows that secure token is there/enabled... So, at this point I am not sure what else to try before attempting complete decryption. Any suggestions would be really appreciated!
Posted on 05-29-2019 04:22 AM
Did you ever get a fix for this, @shurkin18?
Posted on 05-29-2019 04:45 AM
https://www.jamf.com/jamf-nation/discussions/23893/issue-new-recovery-key-filevault-2
@shurkin18 I found that you need to prompt the user for a password the first time; once the recovery key is stored in the Jamf server, the built-in policy option works.
Posted on 05-29-2019 07:38 AM
@nessts, yep, got the suggestion from JAMF support, which seems to be working: https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh
It does require 2 configuration profiles:
macOS 10.12 and lower = Redirect Profile
macOS 10.13 and later = Escrow Profile
But it seems to be working so far.