Posted on 05-18-2023 08:08 AM
Guys,
We are migrating from Jamf to Intune. Once the Jamf profile is removed from devices, does the drive get decrypted?
If not, is a policy enough to escrow the key to Intune?
Posted on 05-18-2023 08:22 AM
The drive wouldn't be decrypted by switching MDM. I would want to verify that the new MDM is in fact escrowing the key correctly. You could randomly spot-check a few devices to be 100% sure.
05-18-2023 08:29 AM - edited 05-18-2023 08:29 AM
@sk25 How exactly are you "migrating from Jamf to Intune"? If you're making Intune your Mac MDM, and you've removed your Jamf Pro MDM Profile from the Mac and then enrolled it with Intune, you're not going to be able to run policies from Jamf Pro on the Mac.
05-18-2023 08:38 AM - edited 05-18-2023 08:42 AM
You can script the decryption of the drive and add it to Self Service as part of the decom / migration. If it's out of Jamf you'll need to use the power of Intune to do this task.
Posted on 05-18-2023 11:31 AM
You don't need to decrypt and re-encrypt. However, the Recovery Key will not be captured. You will need to run a FileVault Recovery Key re-issue script and prompt the user for their password.
Depending on your workflow of un-enrolling and re-enrolling the computers, you may be able to work that script in to your workflow.
Posted on 05-23-2023 01:05 AM
@Tribruin Do you mind sharing the FileVault Recovery Key re-issue script so that I can test it? Thanks.
Posted on 05-23-2023 07:07 AM
I use a modified version of this script. The changes I made were primarily swapping SwiftDialog for JamfHelper as the user interface.
https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh
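A minimal shell version of that re-issue workflow, added here as an example and not the linked reissueKey.sh itself. It assumes macOS with fdesetup and osascript; the dialog text and the `--run` entry point are this example's own choices.

```shell
#!/bin/sh
# Added example, not the reissueKey.sh linked above: re-issue the FileVault personal
# recovery key so the new MDM's escrow payload can capture it. Assumes macOS with
# fdesetup and osascript; the prompt text and dialog are this example's own choices.

# Return 0 when the given `fdesetup status` output reports FileVault as On.
fv_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Escape the characters that would break a plist <string> element.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# Build the plist fdesetup reads on stdin, so the password never appears in argv or ps.
build_fdesetup_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

# Rotate the personal recovery key; the new key is printed by fdesetup and
# picked up by the MDM's FileVault escrow profile on its next report.
reissue_recovery_key() {
    status="$(fdesetup status)"
    if ! fv_is_on "$status"; then
        echo "FileVault is not On; nothing to re-issue" >&2
        return 1
    fi
    build_fdesetup_plist "$1" "$2" | fdesetup changerecovery -personal -inputplist
}

# Interactive entry point (macOS only): prompt the console user for their password.
if [ "${1:-}" = "--run" ]; then
    console_user="$(stat -f %Su /dev/console)"
    pass="$(osascript -e 'display dialog "Enter your password to re-issue your FileVault recovery key" default answer "" with hidden answer' -e 'text returned of result')"
    reissue_recovery_key "$console_user" "$pass"
fi
```

Run it as `sudo sh reissue.sh --run` after the Mac is enrolled in the new MDM and its FileVault escrow profile is installed, then confirm the key shows up in the console before relying on it.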
Posted on 05-22-2023 04:49 AM
If you are switching MDMs (not just adding conditional access), I would not worry too much about FileVault. Generally speaking, unless you just loosely manage your Macs, you want to reinstall macOS and enroll with Automated Device Enrollment. If you are not enrolling with Automated Device Enrollment (i.e. you are using Device Enrollment or User Enrollment), the MDM does not get a Secure Token, so you cannot push OS updates, and the MDM Profile is user removable.
I'd be more concerned that the user could just unmanage their device before worrying about a FV recovery key.