FileVault 2 & JSS

gskibum
Contributor III

I've been testing the use of FileVault 2 & Mavericks clients in the JSS. I also have some Mountain Lion clients but I'll probably just upgrade them to Mavericks. So most likely I'll be dealing only with Mavericks.

Anyhow, I have several systems that are already FileVault 2 encrypted. Would it be best form and easiest to just decrypt the drives before trying to work with these systems and FileVault 2 and the JSS?

2 ACCEPTED SOLUTIONS

iJake
Valued Contributor

Theoretically, you could add the management account as an enabled user on those machines and then issue them the new institutional key.

Zain
New Contributor II

In our environment, we have a Smart Computer Group that detects if a laptop is encrypted but not encrypted by Casper. Here is the criteria:

FileVault 2 Partition Encryption State is Encrypted
and ( FileVault 2 Individual Key Validation is Unknown
or FileVault 2 Institutional Key is Not Present)

This pulls a list of all machines that were encrypted manually. Then we run a policy with Disk Encryption:

Issue New Recovery Key
Individual and Institutional
(Disk Encryption Configuration Name)

This works very well for us.

27 REPLIES

gskibum
Contributor III

Oh cool. I've been trying to wrap my brain around a way of getting the existing encryptions into the system. Looking into this now.

Thanks!

chriscollins
Valued Contributor

NVM.

gskibum
Contributor III

Chris you posted good information! Why did you remove it? :-)

chriscollins
Valued Contributor

Needed to double check that I was being accurate. It seemed that in all my testing this was the only way to make it work but Zain's information seems to contradict that.

thuluyang
New Contributor III

I have the same problem as you.
The good practice would be:
1. Update your OS X to the latest version. (Casper does not support 10.8.x and lower very well.)
2. Create a configuration profile to redirect the recovery key to the JSS automatically.
3. Decrypt your disk first by disabling FV2.
4. After decryption finishes, restart and the recovery key will be redirected to the JSS.

gskibum
Contributor III

thuluyang, I have had great success with Zain's workflow. It's very fast and simple. No unencrypting necessary! :-)

I thought I had posted back here that Zain's workflow is working for me, but I now see I had not.

thuluyang
New Contributor III

@Zain @gskibum Hi, could you give me some directions on how to achieve this?
My case is that:
1) Some machines were already encrypted with FV2 before enrollment.
2) So their recovery keys are not stored in the JSS.
You guys' solution is to issue a new recovery key by creating a policy, choosing Disk Encryption -> Issue new recovery key -> individual.
Correct me if I am wrong.
It fails for me; here is the error:
Executing Policy Issue_new_recovery_key...
Adding personal recovery key.
Error remediating recovery key: Authentication error.

maiksanftenberg
Contributor II

We tried to apply this and ran across the same problem as @thuluyang.
Looking at this post: https://jamfnation.jamfsoftware.com/discussion.html?id=8996, is there any idea?

gskibum
Contributor III

Hey everyone. Here's what I did to get this working. I am replacing the previously used personal recovery keys on the individual laptops with institutional keys uploaded to the JSS.

First I create the institutional key and upload it to the JSS.

Then I have a Smart Group for "FileVault 2 - Macs Encrypted Without Casper." See the attached screen shot. The last criteria is so I don't accidentally encrypt a server. I use this in many places.

external image link

Then I have a policy called "FileVault 2 - Issue New"

The payload is to issue a new recovery key, using the institutional key I uploaded to the JSS. The scope is the above smart group, plus I exclude servers. I don't mind doubling up on that exclusion.

And that's it!

Edit: This is the process for creating the institutional key.
Der Flounder - FileVault 2 Institutional Recovery Keys – Creation, Deployment and Use

maiksanftenberg
Contributor II

We did exactly the same and received the above error.
I will review "Der Flounder" once more...

Thanks.

maiksanftenberg
Contributor II

Thanks.
It seems that we are still not able to enable our management account for FileVault. Even with JSS 9.52 :-(

Cheers

cwaldrip
Valued Contributor

To change the encryption, I assume you have to have the management account enabled. How do you manage the management account password? We had been aiming for using a Casper-randomized password, but I guess that's out of the question unless we're adding the management account after imaging?

alexjdale
Valued Contributor III

You need one of two things to make any changes to FV recovery keys:

1) Management account is FV-enabled AND the password the JSS knows for the management account matches what FV expects (these can easily get out of sync if you change the password)

2) JSS has a valid individual recovery key

If you have neither of these, one option is to write a script that prompts the user for their password, then you can leverage that to enable the management account (via the fdesetup -add plist function) and then rotate the recovery key via the JSS. I'm not sure how you can do that with a randomized management account password though, since it has to match what the JSS thinks the password is.

We are currently separating into two companies and have this as part of the workflow to normalize our recovery keys and make sure the management account is enabled. There are a decent number of cases where we simply have to turn off FV and re-enable it because it simply will not take the user's password for one reason or another. FV authentication is not nearly as robust as it needs to be.
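As an added example (not code from the thread or from JAMF), this is the fdesetup side of the workflow alexjdale describes: feeding `fdesetup add -inputplist` a plist on stdin so the credentials never appear in `ps` or shell history, plus a check of `fdesetup list` output. The management account name `casperadmin` and the helper names are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): build the stdin plist that
# `fdesetup add -inputplist` expects, so the management account can be
# FileVault-enabled with an already FV-enabled user's credentials.
# Feeding credentials on stdin keeps them out of `ps` and shell history.
# Assumptions: the enabling user is already FV-enabled; "casperadmin"
# is a placeholder management account name.

# xml_escape: escape XML special characters so a password such as
# p&ss<w>ord does not corrupt the plist.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
    -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# build_fdesetup_plist <enabled_user> <enabled_pass> <new_user> <new_pass>
# Prints the plist that fdesetup reads from stdin.
build_fdesetup_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>$(xml_escape "$1")</string>
  <key>Password</key><string>$(xml_escape "$2")</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>$(xml_escape "$3")</string>
      <key>Password</key><string>$(xml_escape "$4")</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# fv_user_enabled <account> <output of 'fdesetup list'>
# 'fdesetup list' prints one "name,GeneratedUID" line per FV-enabled user;
# returns 0 if <account> is among them. Output is a parameter so the
# check can be exercised with sample text off-box.
fv_user_enabled() {
  printf '%s\n' "$2" | cut -d, -f1 | grep -qx -- "$1"
}

# On a Mac: prompt the logged-in user for their password (e.g. osascript),
# then   build_fdesetup_plist "$user" "$pass" casperadmin "$mgmt_pass" \
#          | sudo fdesetup add -inputplist
# and verify with   fv_user_enabled casperadmin "$(fdesetup list)"
```

Once `fv_user_enabled` reports the management account, the JSS password for that account must still match what FileVault was given, or the key rotation fails exactly as the post warns.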

iJake
Valued Contributor

@cwaldrip You can add the management account as part of a QuickAdd package using a static password and then have policies follow up to randomize the password and enable it for FV. Using the QuickAdd saves you the trouble of creating the account and then having to manually, though en masse, modify all the computer records to set the management account. Unfortunately, right now there is a defect (D-008964) that prevents Casper from properly updating the password for any account with FileVault. It will update the account password but FV will not see that change so any FV functions, like a key rotation, will fail.

InsigniamLLC
New Contributor

Stupid question - but where can I view the recovery key? I followed the thought process of creating a configuration profile to redirect the recovery key to the JSS. The policy was scoped and run on my test batch of computers, but I might be failing to find the recovery key in the appropriate inventory display. Anyone have any answers there?

InsigniamLLC
New Contributor

nevermind - just answered my own question.

Bongardino
New Contributor III

@Zain @gskibum Sorry to necro an old thread, but I'm dealing with the exact situation you had a while back. Is this still a relevant fix?

gskibum
Contributor III

@Zain

OK we're venturing into Twilight Zone territory. My mind is blown.

I had forgotten all about this thread from long ago. But about an hour ago I started working with this and was having policy failures. About a half hour ago I did a Google search and stumbled straight into this thread. And now you chime in! :-)

I'm having policy failures for issuing a new key. I'm right in the middle of testing a hypothesis for these failures. I had an SSD partitioned to make the encryptions go much faster. Doing some digging around I found that issues with the Recovery Partition can cause issues. I verified my Recovery Partition is sound so it's something else. I just now wiped the SSD and set one volume. Your post came in just as I was doing this. Waiting for the encryption to complete...

Bongardino
New Contributor III

@gskibum

ha! small world I suppose.

While you encrypt - do you happen to know if issuing the new institutional FV key invalidates the old personal key? I find mixed information when I research.

My concern is that I'll lock users out of their systems by invalidating their old key.

Zain
New Contributor II

@Bongardino @gskibum

This workflow should still work but we don't use it anymore. Once we encrypted all of our laptops and got their keys in the JSS, we turned this policy off. Now, we encrypt all new/refresh laptops before deploying them.

I checked the Smart Computer Group we have for machines manually encrypted (with the criteria listed above) and there are a few machines in there. Just to see if it still works, I scoped the policy to this group and enabled it. So far it has completed on one machine and failed on another machine with:

Error remediating recovery key: Authentication error.

I don't have time to look into this at the moment but I believe the machine that failed is one where we had issues with the JAMF framework in the past.

Most of the rest of the machines in the smart computer group are decommissioned and waiting to be removed from Casper so I suspect this policy won't run on many more machines. I'll probably add a "Last Check-in less than 30 days" criteria to the smart computer group.

Zain
New Contributor II

@Bongardino

I never thought about this. I always just assumed it replaces the old personal recovery key but never tested using an old one. Our users never had their personal keys anyway though (back when we were manually encrypting laptops before we started using Casper). If they forget their password and need the recovery key, they have to contact our help desk. We would then provide them with the personal key from Casper.

Replacing their key shouldn't lock them out though. It would only come into play if they forget their password and need their recovery key.

gskibum
Contributor III

Oops I called out the wrong person. Meant to mention @Bongardino. Sorry about that.

What error are you getting? I finished the partition-less test and still got the error:

Policy error code: 402

This latest attempt was to issue an Institutional & Individual key.

I have to drop this for a few hours. Should get back to it tonight. I'm going to next try not using a policy and instead use fdesetup changerecoverykey.

etippett
Contributor II

@gskibum Did you ever have any luck with this? I'm running across the 402 error now as well when trying to issue a new FV2 key via Casper policy.

Thanks!
Eric

gskibum
Contributor III

@etippett I finally manually decrypted the drives, and started new encryptions with an institutional key policy.

I did run across the issue of FileVault wanting to re-enable on reboot after having been turned off. This was preventing me from issuing a new key.

Check out this thread if you encounter that.

etippett
Contributor II

@gskibum Ugh, that's what I was afraid of. Haven't seen the other issue, but it's good to know about in case I do.

Thanks,
Eric