FileVault 2 - Reissue Key on High Sierra Escrow Problem

Mr_Einstein
New Contributor II

I've used the script available via JAMF support on GitHub to issue a new personal FV2 key to an already FV2 encrypted computer running High Sierra. (https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh)

The script successfully changes the personal key, but the new key does not escrow on the JAMF server.

I've tested this by using the script to change the key and then attempted to use the previously escrowed key to access the computer. The old key fails.

I have a config profile in place which I thought would get the new key onto the JSS (see the screen shot).

Has anyone successfully accomplished this on High Sierra? Any input would be greatly appreciated.


bmortens115
New Contributor III

I've found that with High Sierra, the key does not get sent to Jamf until an inventory update occurs. On one of your machines that has the new key, go to Terminal and type

sudo jamf recon

and see if the key is in Jamf after that.

Mr_Einstein
New Contributor II

@bmortens115 Thank you for the response.

I've included an inventory update in my script (see attachment), and manually completed a "sudo jamf recon" at least 4 times.

Unfortunately, the key on the JSS is still not updating.

bmortens115
New Contributor III

Hmm, has the config profile ever been removed after you sent it out? I would check the config profile's logs and see if anything weird was changed, and check the logs of the computer for anything out of place (/var/log/jamf.log).

I have never had an issue with the FV2 key escrow on a 10.13 machine, unless the config profile was removed from the device.

jriv
New Contributor III

@Mr.Einstein , I've used this script at my previous job and it worked except for in one case. Somehow, after upgrading to 10.13, the user did not get a secure token. This was the only account on the laptop and it was a bit of a mystery how it didn't get a secure token. To check, use terminal to run sysadminctl -secureTokenStatus username
It will either say Enabled or Disabled for the user. Hopefully, yours is enabled.

Good luck!

dan-snelson
Valued Contributor II

@Mr.Einstein You may be encountering PI-005560:

[PI-005560] When a new FileVault key is escrowed, FileVault individual recovery keys report as invalid or unknown for computers with macOS 10.13.x. Workaround: Reboot the device, and submit an inventory update.
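The three pieces of advice in this thread (check the user's secure token before trying to change the key, then run an inventory update so the new key reaches Jamf, with a reboot first if PI-005560 bites) fit together as one pre-flight-and-reissue helper. The script below is an added example written for this page; it is not Jamf's reissueKey.sh and not anything posted in the thread. It assumes the output wording of `sysadminctl -secureTokenStatus` ("Secure token is ENABLED for user …", written to stderr) and `fdesetup status` ("FileVault is On." / "FileVault is Off."), that `fdesetup changerecovery -personal -inputplist` accepts a plist with `Username` and `Password` keys on stdin (the form reissueKey.sh uses), and that the jamf binary lives at /usr/local/bin/jamf. The sample command output in the comments is constructed for illustration.

```shell
# Pre-flight and re-issue helper for a personal FileVault 2 recovery key on a
# 10.13 Mac, followed by the inventory update that pushes the key to Jamf.
# Added example for this thread, not Jamf's reissueKey.sh.
# Assumed command output (not quoted in the thread), e.g.:
#   sysadminctl -secureTokenStatus jdoe  ->  "sysadminctl[512:9001] Secure token is ENABLED for user jdoe"  (stderr)
#   fdesetup status                      ->  "FileVault is On."

# 0 when the captured sysadminctl output reports an enabled secure token.
secure_token_enabled() {
    printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# 0 when the captured `fdesetup status` output says FileVault is on.
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Combine both checks. Prints a reason and returns a distinct code per
# failure so the Jamf policy log shows why the re-issue was skipped.
#   $1: sysadminctl output   $2: fdesetup status output
preflight_verdict() {
    if ! filevault_on "$2"; then
        echo "FileVault is not on; nothing to re-issue"
        return 2
    fi
    if ! secure_token_enabled "$1"; then
        echo "user has no secure token; fdesetup changerecovery would fail"
        return 3
    fi
    echo "ok"
    return 0
}

# Live version: run as root on the Mac (e.g. from a Jamf policy).
run_preflight() {
    preflight_verdict "$(sysadminctl -secureTokenStatus "$1" 2>&1)" "$(fdesetup status 2>&1)"
}

# Escape the three characters that would break the plist we feed fdesetup.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Re-issue the personal key for $1, then run recon so the new key is escrowed.
# The password is read from stdin (e.g. piped from an osascript prompt) and
# handed to fdesetup as a plist, so it never appears in argv or `ps`.
reissue_and_recon() {
    user="$1"
    IFS= read -r password
    run_preflight "$user" || return $?
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n<key>Username</key><string>%s</string>\n<key>Password</key><string>%s</string>\n</dict></plist>\n' \
        "$(xml_escape "$user")" "$(xml_escape "$password")" \
        | fdesetup changerecovery -personal -inputplist || return 4
    unset password
    # The key only shows up in Jamf after an inventory update; if it then
    # reports as invalid (PI-005560), reboot and run recon again.
    /usr/local/bin/jamf recon
}

# Only act when explicitly invoked; sourcing the file defines the functions only.
if [ "${1:-}" = "--reissue" ]; then
    reissue_and_recon "$2"
fi
```

Usage on the Mac: `printf '%s' "$pw" | sudo sh reissue.sh --reissue jdoe`. If the verdict is "user has no secure token", re-issuing is pointless until the account gets a token, which matches the case jriv describes; if recon runs but the key still shows as unknown in the JSS, apply the PI-005560 workaround (reboot, then recon again) before assuming the profile is at fault.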

Mr_Einstein
New Contributor II

@bmortens115 @dan.snelson @jriv

Thanks for the tips everyone.

@bmortens115 I knew "bmortens" sounded familiar. You were actually the one who did our initial on-site JAMF setup/training a couple of years ago. It's nice to see you around the forum.

Unfortunately, I was unable to get this particular MacBook to escrow the new FV2 key, but fortunately this was just on a test Mac.

I went ahead and tried it on two production machines for more testing, and the script > recon > escrow process worked flawlessly.

I'm ready to get the new keys rolled out to the necessary computers.