Jamf Nation Community

tdenton · 2 weeks ago

Morning

We have few Macs which have failed escrow there FileVault key back to Jamf.

I have setup escrowbuddy and this seems to be working well bringing these keys back.

I can see the policy has run to setup escrow buddy the policy also inculdes
defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true

I can see users have had a fresh login.

While machines now do seem to have a vaild FileVault key. I'm seeing two issues.

FileVault 2 Enabled being switch from enabled to Not enabled.
FileVault 2 Enabled set as Not enabled.

This depsite the fact that the effected machines have a vaild Key, showing as encrypted and have a FileVault 2 enabled user.

As anyone else seen this behaviour before?

Thanks

Thanks

tdenton · 2 weeks ago

Did raise this with Jamf support and there is an Apple bug

The issue you are seeing is connected to an Apple bug with Declarative Device Management. We have raised a Product issue to investigate it internally, however from Jamf Pro's side of things are working well.
PI122407 > Computers with the DDM status subscription for 'diskmanagement.filevault.enabled' do not report status changes to the Jamf Pro when FileVault status changes; they will only report this status in "full status reports."

In other words, until the device is not submitting a full DDM report back to Jamf Pro, we have no ways to know the FileVault Enabled status. Changes to this specific DDM subscription is not automatically updating, so we do not have the info when its being enabled/disabled.
The problematic thing is that we do not have a way to force a full DDM report from the machines either manually or via Jamf Pro, we need to wait until the machine proactively submits that full DDM report to Jamf Pro.

If you wish to reach out to Apple about this behaviour, feel free to use the following Feedback ticket ID to report the behaviour for them FB15301196.

View solution in original post

jamf-42 · 2 weeks ago

yup.. this is a thing from a while ago.. setup a smart group.. that key has been bust forever. something about.. DDM or such like..

also, if you have setup EscrowBuddy with EAs and Policy.. you can report off that also..

tdenton · 2 weeks ago

@jamf-42
Thanks machines are encrypted based on the smart group criteria you provided.

So its more of reporting issue within jamf that it actual been broken, do you know if Jamf have confirmed it has product issue in the past?

jamf-42 · 2 weeks ago

erm. yea.. probably.. get onto Mac Admins Slack.. its probably there somewhere 😎 but yes.. its a reporting bug..

tdenton · 2 weeks ago

Did raise this with Jamf support and there is an Apple bug

The issue you are seeing is connected to an Apple bug with Declarative Device Management. We have raised a Product issue to investigate it internally, however from Jamf Pro's side of things are working well.
PI122407 > Computers with the DDM status subscription for 'diskmanagement.filevault.enabled' do not report status changes to the Jamf Pro when FileVault status changes; they will only report this status in "full status reports."

In other words, until the device is not submitting a full DDM report back to Jamf Pro, we have no ways to know the FileVault Enabled status. Changes to this specific DDM subscription is not automatically updating, so we do not have the info when its being enabled/disabled.
The problematic thing is that we do not have a way to force a full DDM report from the machines either manually or via Jamf Pro, we need to wait until the machine proactively submits that full DDM report to Jamf Pro.

If you wish to reach out to Apple about this behaviour, feel free to use the following Feedback ticket ID to report the behaviour for them FB15301196.

GageHarlow · 2 weeks ago

Thank you so much for the solution.

Jamf Nation Community

FileVault Escrow