FileVault Encryption - Migration from Jamf to Intune

sk25
Contributor

Guys,

We are migrating from Jamf to Intune. Once the Jamf profile is removed from devices, does the drive get decrypted?

If not, is a policy enough to escrow the key to Intune?


MatthewGC
New Contributor III

The drive wouldn't be decrypted by switching MDM. I would want to verify that the new MDM is in fact escrowing the key correctly. You could randomly spot-check a few devices to be 100% sure.

sdagley
Esteemed Contributor II

@sk25 How exactly are you "migrating from Jamf to Intune"? If you're making Intune your Mac MDM, and you've removed your Jamf Pro MDM Profile from the Mac and then enrolled it with Intune, you're not going to be able to run policies from Jamf Pro on the Mac.

jamf-42
Valued Contributor II

You can script the decryption of the drive and add it to Self Service as part of the decom/migration. If it's out of Jamf, you'll need to use the power of Intune to do this task.

Tribruin
Valued Contributor II

You don't need to decrypt and re-encrypt. However, the Recovery Key will not be captured. You will need to run a FileVault Recovery Key re-issue script and prompt the user for their password.

Depending on your workflow for un-enrolling and re-enrolling the computers, you may be able to work that script into your workflow.

@Tribruin Do you mind sharing the FileVault Recovery Key re-issue script so that I can test it? Thanks.

Tribruin
Valued Contributor II

I use a modified version of this script. The changes I made were primarily swapping SwiftDialog for JamfHelper as the user interface.

https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh
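The re-issue step described above, as an added example that is not Tribruin's modified script and not the linked jamf/FileVault2_Scripts code: a POSIX shell sketch that regenerates the personal FileVault recovery key with `fdesetup changerecovery -personal`, feeding the user's password through an input plist on stdin so it never appears on a command line or in `ps` output. Assumptions, all mine: it runs as root on macOS with `fdesetup` and `osascript` present, the console user is FileVault-enabled, and the new MDM's FileVault escrow configuration profile is already installed (otherwise the regenerated key is not escrowed anywhere). The function names, dialog text and the sample `fdesetup list` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the original post's script. Re-issue the personal FileVault
# recovery key so the newly enrolled MDM can escrow it.
# Assumptions (labelled): macOS, run as root, fdesetup/osascript present, the
# console user is FileVault-enabled, and the new MDM's escrow profile is installed.

# Escape the five XML special characters so an arbitrary password survives being
# embedded in the plist. '&' must be replaced first so later entities are not re-escaped.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the input plist fdesetup reads with -inputplist. Username and Password are
# the keys fdesetup documents for changerecovery -personal.
build_input_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>$(xml_escape "$1")</string>
  <key>Password</key>
  <string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

# Given the text output of `fdesetup list` (one "user,UUID" per line), report
# whether a user is FileVault-enabled. Kept separate from the fdesetup call so it
# can be exercised on sample output without a Mac.
user_in_fdesetup_list() {
  printf '%s\n' "$1" | cut -d, -f1 | grep -qx "$2"
}

# Ask the console user for their login password with a hidden-answer dialog
# (the same kind of prompt the linked reissueKey.sh uses). macOS only.
prompt_password() {
  /usr/bin/osascript \
    -e 'display dialog "Your Mac has moved to a new management system. Enter your login password so a new FileVault recovery key can be issued and escrowed." default answer "" with hidden answer buttons {"OK"} default button 1' \
    -e 'text returned of result'
}

# Regenerate the personal recovery key. fdesetup's exit status is returned; its
# stdout (which carries the new key on success) is deliberately discarded so the
# key does not land in a policy log. The installed escrow profile delivers it to the MDM.
reissue_personal_key() {
  build_input_plist "$1" "$2" | /usr/bin/fdesetup changerecovery -personal -inputplist >/dev/null
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  /usr/bin/fdesetup status | grep -q 'FileVault is On' \
    || { echo "FileVault is not enabled; nothing to re-issue" >&2; return 1; }
  user=$(/usr/bin/stat -f%Su /dev/console)
  user_in_fdesetup_list "$(/usr/bin/fdesetup list)" "$user" \
    || { echo "$user is not a FileVault-enabled user" >&2; return 1; }
  pass=$(prompt_password) || return 1
  reissue_personal_key "$user" "$pass"
}

# Only act on a Mac; elsewhere the file just defines the functions above.
case "$(uname -s)" in Darwin) main "$@" ;; esac
```

Run it from the new MDM as root only after its FileVault escrow profile is confirmed on the device; if the user types the wrong password, `fdesetup` refuses the change and the existing key stays valid, so the script can safely be re-run. Spot-checking that the key actually arrived in the new console, as suggested earlier in the thread, is still the final verification.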

AJPinto
Honored Contributor II

If you are switching MDMs (not just adding conditional access), I would not worry too much about FileVault. Generally speaking, unless you just loosely manage your Macs, you want to reinstall macOS and enroll with Automated Device Enrollment. If you are not enrolling with Automated Device Enrollment (i.e. you are using Device Enrollment or User Enrollment), the MDM does not get a Secure Token, so you cannot push OS updates, and the MDM Profile is user-removable.

I'd be more concerned that the user could just unmanage their device before worrying about a FV recovery key.