Filevault 2 key - changes from valid to invalid

New Contributor II

We've been noticing a trend of machines with a valid recovery key suddenly transitioning from valid to invalid.

We monitor this with 3 smartgroups via email notifications
FV2 key is known
FV2 PRK is known, key is unknown
FV2 key is unknown.

When a devices transitions from FV2 known to > FV2 is unknown 2 recons seem fix this and the device ends up in the correct group, however the same devices can transition back a
Later on

A device which transition out of known then back into known does not have the actual key change at all.

Doesn't seems to be any pattern i can see which cause this

We use a config profile for escrow scoped to all managed clients. For key re-issues we use this script

From what i can see we don't have any policies or config profile in place that could be causing it.

On raising a ticket with Jamf this seems to be a long existing issues PI-001962, this on the offical PI issue as it's direct with apple.

Anyone experiencing this at all? Half tempted to disable the email notifications for these smart groups if it's not anything that can be fixed

All our devices are 10.15 or above.



We seem to be experiencing this as well (along with not getting valid recovery keys on first inventory). I can't seem to find that PI listed anywhere. @sammatthews could you point me in the right direction for information on the PI-001962, please?

Hey Hodgesji,

I don't have a direct link to the PI it was provided to me via JAMF Support. I believe it's been a long ongoing issues according to the macadmins slack.


Best way i've figured of checking devices that don't have an actual FV2 key in Jamf is a advanced searched.


Any new info on this thread? we seem to be getting this still... even on BS and Monterey