FileVault already enabled before enrollment

New Contributor III

Just curious if anyone has run into this scenario.

Before purchasing Jamf, I already had FileVault enabled for my Mac users; I was saving the recovery key to a safe somewhere in our environment.

Now that I have Jamf, I want Jamf to manage those keys with its FileVault profile. Would I need to decrypt my devices and re-encrypt upon enrollment so that Jamf can manage those encryption keys?


New Contributor II


I recommend that you reissue FileVault keys and escrow them in Jamf, as per your request.
To achieve that you have to:
• Create a configuration profile that explicitly escrows FV keys to Jamf;
• Create a script to reissue the key (continue reading...);
• Create a policy to reissue the key.

Here's a link for the how-to!

Welcome aboard!
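
A sketch of what the "script to reissue key" step can look like, added here as an example; it is not the script behind the link above and not Jamf's own code. It assumes the escrow configuration profile from the first step is already installed and that the user's password arrives on stdin; the function names and the `--reissue` switch are made up for this example.

```bash
#!/bin/bash
# Added example: rotate the FileVault personal recovery key in place (no decrypt).
# Assumption: the escrow profile is installed, so the new key can be escrowed
# to the MDM after rotation.

# True when `fdesetup status` output (passed as $1) reports FileVault on.
fv_is_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# True when user $1 appears in `fdesetup list` output ($2: "name,UUID" per line).
user_is_fv_enabled() {
  printf '%s\n' "$2" | cut -d, -f1 | grep -qxF -- "$1"
}

# Escape XML metacharacters so a password like 'a&b<c' yields a valid plist.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist that `fdesetup changerecovery -inputplist` reads on stdin.
build_plist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
  printf '<key>Username</key><string>%s</string>' "$(xml_escape "$1")"
  printf '<key>Password</key><string>%s</string>' "$(xml_escape "$2")"
  printf '</dict></plist>\n'
}

reissue_key() {
  local user="$1" pass
  fv_is_on "$(fdesetup status)" || { echo "FileVault is not on" >&2; return 1; }
  user_is_fv_enabled "$user" "$(fdesetup list)" ||
    { echo "$user cannot unlock FileVault" >&2; return 1; }
  IFS= read -rs pass            # password from stdin, never from argv
  # Discard output: it contains the new recovery key in clear text.
  build_plist "$user" "$pass" |
    fdesetup changerecovery -personal -inputplist >/dev/null 2>&1 ||
    { echo "key rotation failed (wrong password?)" >&2; return 1; }
  echo "recovery key rotated for $user; update inventory so the key is escrowed"
}

# Only touch the system when asked to: sudo ./reissue.sh --reissue <user>
if [ "${1:-}" = "--reissue" ]; then
  reissue_key "$2"
fi
```

The disk stays encrypted throughout; only the personal recovery key changes, which is why no decrypt and re-encrypt cycle is needed.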

This is amazing. I had found this script a couple days ago but the Whitepaper is awesome! Step-by-Step.


Thank You, 


New Contributor II

@dpv_bnc Thank you for the clear instruction. This has been successfully deployed at my company.