FileVault 2 Key Reissue on a different JSS...

HASysOps
New Contributor

Hello,

I am in the process of testing the reissue of FileVault recovery key after the computer has been migrated to a different JSS. The Macs in question are all on Sierra and were all FV enabled before migration and were assigned the management account as a FileVault Enabled User by the old JSS. The FileVault recovery key is being reissued with the same management account and password by the new JSS. The management account is identical on both JSSes.

I have tried to do this via the built-in Jamf policy options to issue a new recovery key and also in a scripted fashion like so:

#!/bin/bash
# Assumed definitions (the full script sets these earlier):
LOGFILE="/var/log/reissue_FileVaultPRK.log"
cmdFileVault="/usr/bin/fdesetup"
fvStatus=$("$cmdFileVault" status | grep -q "FileVault is On." && echo "true" || echo "false")

if [[ $fvStatus == "true" ]]; then
    echo "Machine is FileVault Encrypted." >> "$LOGFILE"

    # Reissue the personal recovery key. fdesetup reads the credentials as a
    # plist on stdin, so the password never appears on the command line.
    "$cmdFileVault" changerecovery -personal -inputplist &> /dev/null <<XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Password</key>
<string>MANAGEMENT ACCOUNT PASSWORD</string>
</dict>
</plist>
XML
fi

Script originally from here: https://github.com/MLBZ521/macOS.JAMF/blob/master/Scripts/reissue_FileVaultPRK.sh

From monitoring the actions in the Terminal, it appears that the action to reissue the key is actually working but then hangs at the part when the recovery key is getting escrowed to the new JSS (see attached image). I've waited several minutes and it never completes.

The Configuration Profile that handles recovery key escrow for Sierra clients is identical on both old and new JSSes.

Does anyone have any idea what might be going wrong with the recovery key escrow?

For what it's worth, all other management functionality appears to be working properly after JSS migration so it's hard to pin this down to user error. I suspect it’s something to do with the fact that encryption originally took place on a different JSS.

0 replies
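The post covers two separate steps: rotating the personal recovery key with fdesetup, and getting the new key escrowed to the JSS. The script below is an added example (not the poster's script, the linked MLBZ521 script, or Jamf's code) that splits the procedure into checkable pieces: it parses the output of `fdesetup status` and `fdesetup list` to confirm the volume is encrypted and that the management account really is a FileVault-enabled user on this Mac, builds the `-inputplist` document with both Username and Password so fdesetup is told which user is authenticating, and checks that the key fdesetup hands back has the expected XXXX-XXXX-XXXX-XXXX-XXXX-XXXX shape without writing it to a log. The parsing helpers run on any POSIX shell; `reissue_prk` is the macOS-only driver. Assumptions are labelled in the comments: that on 10.12 with the FDERecoveryKeyEscrow profile installed the new key is written encrypted to /var/db/FileVaultPRK.dat and uploaded with the next `jamf recon`, and the "user,GUID" line format of `fdesetup list`.

```shell
#!/bin/bash
# Added example; not the poster's script or Jamf's own code.

# Map the text of `fdesetup status` to "true"/"false".
fv_enabled() {
    case "$1" in
        *"FileVault is On."*) printf 'true\n' ;;
        *)                    printf 'false\n' ;;
    esac
}

# $1 = output of `fdesetup list` (assumed one "user,GUID" per line),
# $2 = account name. Succeeds only if that account is FileVault-enabled.
fv_user_enabled() {
    printf '%s\n' "$1" | cut -d, -f1 | grep -qxF "$2"
}

# Emit the plist fdesetup reads on stdin for -inputplist. Passing the
# credentials this way keeps the password out of argv and the process list.
fv_input_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>$1</string>
<key>Password</key>
<string>$2</string>
</dict>
</plist>
EOF
}

# A personal recovery key is six groups of four upper-case alphanumerics.
prk_well_formed() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# macOS-only driver: reissue_prk <management user> <management password>
# (in a Jamf policy the password would typically arrive as parameter $4).
reissue_prk() {
    mgmt_user=$1; mgmt_pass=$2; prk_file=/var/db/FileVaultPRK.dat

    [ "$(fv_enabled "$(fdesetup status)")" = "true" ] \
        || { echo "FileVault is not on" >&2; return 1; }
    fv_user_enabled "$(fdesetup list)" "$mgmt_user" \
        || { echo "$mgmt_user is not a FileVault-enabled user here" >&2; return 1; }

    before=$(stat -f %m "$prk_file" 2>/dev/null || echo 0)

    # fdesetup prints the new key on stdout; validate its shape, never log it.
    new_key=$(fv_input_plist "$mgmt_user" "$mgmt_pass" \
        | fdesetup changerecovery -personal -inputplist) || return 1
    prk_well_formed "$new_key" \
        || { echo "fdesetup did not return a recovery key" >&2; return 1; }

    # Assumption: with the escrow profile installed, macOS rewrites the
    # encrypted key file; if it did not change, the escrow profile is the
    # thing to inspect before blaming the JSS.
    after=$(stat -f %m "$prk_file" 2>/dev/null || echo 0)
    [ "$after" -gt "$before" ] \
        || echo "warning: $prk_file not rewritten; check the FDERecoveryKeyEscrow profile" >&2

    # Assumption: the inventory submission is what carries the escrowed key.
    jamf recon
}
```

Splitting the work this way makes the hang easier to localise: if `reissue_prk` gets past the key-shape check, the rotation itself succeeded and the problem is confined to the escrow path (the profile, the key file, or the upload), which is the part the original post could not tell apart from the fdesetup call.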