First screenshot shows then FileVault 2 has been just turned on.
2nd picture shows there "recon' is complete.
I tested getting new recovery key by command:
sudo fdesetup changerecovery -personal
It works in Terminal on device, and gives new key in proper format. But on JSS side, there is still long line of symbols
Probably PI-006374, fixed in 10.10
We are in a migration process from an old JSS to a new JSS. (But both JSS have 10.10 installed)
As we don't migrate the whole database we have to re-enroll all managed devices on the new server.
One critical task is the personal recovery key, as this key is already stored on the old server. And we don't want to disable/enable filevault on each device after re-enrolling.
So we tried to re-issue the personal key only, which worked in our tests. But now, we have the same problem: JSS shows only a LONG key. (Same as the second screenshot in this thread)
In release notes for version 10.10.0 there's this entry: [PI-006374] Fixed an issue that prevented Jamf Pro from decrypting FileVault 2 recovery keys that were encrypted by outdated certificates.
So it should be fixed in Version 10.10.0 (which we are using). So it seems, there's still something wrong.
Or is it, because it was encrypted with certificates from the old JSS which the new JSS don't know?
EDIT: It seems we fixed our issue. We are using a custom FV recovery key redirection profile (see here) to separate the escrow from other security settings. Maybe this profile (or the embedded certificate) was corrupt. We created a new one and now we have a valid recovery key on our JSS!
