I've used the script available via JAMF support on GitHub to issue a new personal FV2 key to an already FV2-encrypted computer running High Sierra (https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh).
The script successfully changes the personal key, but the new key does not escrow on the JAMF server.
I've tested this by using the script to change the key and then attempted to use the previously escrowed key to access the computer. The old key fails.
I have a config profile in place which I thought would get the new key onto the JSS (see the screenshot).
Has anyone successfully accomplished this on High Sierra? Any input would be greatly appreciated.
Hmm, has the config profile ever been removed after you sent it out? I would check the config profile logs and see if anything weird was changed, and check the logs of the computer for anything out of place (/var/log/jamf.log).
I have never had an issue with the FV2 key escrow on a 10.13 machine, unless the config profile was removed from the device.
@Mr.Einstein, I've used this script at my previous job and it worked except in one case. Somehow, after upgrading to 10.13, the user did not get a secure token. This was the only account on the laptop and it was a bit of a mystery how it didn't get a secure token. To check, use Terminal to run:
sysadminctl -secureTokenStatus username
It will either say
Disabled for the user. Hopefully, yours is enabled.
Thanks for the tips everyone.
@bmortens115 I knew "bmortens" sounded familiar. You were actually the one who did our initial on-site JAMF setup/training a couple of years ago. It's nice to see you around the forum.
Unfortunately, I was unable to get this particular MacBook to escrow the new FV2 key, but fortunately this was just on a test Mac.
I went ahead and tried it on two production machines for more testing, and the script > recon > escrow process worked flawlessly.
I'm ready to get the new keys rolled out to the necessary computers.
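
The two causes raised in this thread (the escrow config profile missing from the Mac, and a user without a secure token) can be checked before the reissue script runs. The sketch below is an added example, not part of any post above or of the JAMFSupport script. The function names are hypothetical, and it assumes that sysadminctl reports "Secure token is ENABLED/DISABLED for user ..." and that `profiles -C -v` lists payload types, including the FDERecoveryKeyEscrow payload used for key escrow on 10.13.

```shell
#!/bin/bash
# Added example (not from the thread): pre-flight checks before re-issuing a
# FileVault personal recovery key on macOS 10.13.

# Classify sysadminctl output. Assumed wording:
#   "Secure token is ENABLED for user <name>" / "... DISABLED ..."
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

# True if a profile listing mentions the recovery-key escrow payload type.
has_escrow_payload() {
  printf '%s\n' "$1" | grep -q 'com.apple.security.FDERecoveryKeyEscrow'
}

# Combine both findings into one verdict string.
verdict() {  # $1 = token state, $2 = "yes"/"no" for the escrow payload
  if [ "$1" != enabled ]; then echo "blocked: secure token $1"
  elif [ "$2" != yes ]; then echo "blocked: escrow profile missing"
  else echo "ok"
  fi
}

preflight() {  # $1 = short username; run as root on the Mac
  local tok prof esc=no
  tok=$(sysadminctl -secureTokenStatus "$1" 2>&1)  # status is written to stderr
  prof=$(profiles -C -v 2>&1)                      # computer-level profiles
  has_escrow_payload "$prof" && esc=yes
  verdict "$(token_state "$tok")" "$esc"
}

# Only runs on a Mac when a username is passed, e.g.: sudo ./preflight.sh jdoe
if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then preflight "$1"; fi
```

A result of "ok" only means both preconditions hold on the client; whether the new key actually reached the JSS still has to be confirmed in the computer's inventory record after a recon.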