FileVault 2 Personal Recovery Key issue

Valued Contributor


Experiencing an issue with getting proper FileVault 2 Recovery Key from JSS.

Using the same process turning on FileVault 2 by policy; Individual (Personal) Recovery Key lands to JSS database, available, working. Nothing has been changed in FileVault 2 deployment process; somehow for last 2 weeks JSS does not show correct Recovery Key but some long line of symbols instead.

I was testing it for last 4 days with few Macs, DEP and manual enrollment, etc. Issue is critical as we can not deploy any Macs if we are not 100% sure devices could be unlocked with Recovery Key.

Highly appreciate any suggestions!


Valued Contributor

First screenshot shows then FileVault 2 has been just turned on.
2nd picture shows there "recon' is complete.

I tested getting new recovery key by command: sudo fdesetup changerecovery -personal
It works in Terminal on device, and gives new key in proper format. But on JSS side, there is still long line of symbols

Valued Contributor

UPD. JSS version 10.7.1

Contributor II

Probably PI-006374, fixed in 10.10

Valued Contributor

Thank you!

Contributor II

We are in a migration process from an old JSS to a new JSS. (But both JSS have 10.10 installed)
As we don't migrate the whole database we have to re-enroll all managed devices on the new server.

One critical task is the personal recovery key, as this key is already stored on the old server. And we don't want to disable/enable filevault on each device after re-enrolling.

So we tried to re-issue the personal key only, which worked in our tests. But now, we have the same problem: JSS shows only a LONG key. (Same as the second screenshot in this thread)

In release notes for version 10.10.0 there's this entry: [PI-006374] Fixed an issue that prevented Jamf Pro from decrypting FileVault 2 recovery keys that were encrypted by outdated certificates.

So it should be fixed in Version 10.10.0 (which we are using). So it seems, there's still something wrong.
Or is it, because it was encrypted with certificates from the old JSS which the new JSS don't know?

EDIT: It seems we fixed our issue. We are using a custom FV recovery key redirection profile (see here) to separate the escrow from other security settings. Maybe this profile (or the embedded certificate) was corrupt. We created a new one and now we have a valid recovery key on our JSS!