Help

FileVault from previous MDM handover to Jamf?

vantive
New Contributor III

Posted on ‎12-07-2022 09:57 AM

So I have machine that I am migrating from Workspace One to Jamf Pro. Is there a way to leave FileVault enabled after unenrolling from Workspace One - and then having Jamf Pro issue a new recovery key? 

Hoping to do this with zero touch.

I am researching how to turn off file vault via Workspace One at the same time.

0 Kudos
5 REPLIES 5

TheAngryYeti
Contributor
Contributor

Posted on ‎12-07-2022 10:16 AM

Don't unencrypt the device prior as it causes more of a hassle - just take down the key if something doesn't go right with the process.  Next, enroll the Mac into Jamf, scope a configuration profile for escrow of the FileVault key and then run this script: https://github.com/homebysix/jss-filevault-reissue it will reissue the key and redirect it to Jamf for storage. 

0 Kudos

vantive
New Contributor III

Posted on ‎12-07-2022 12:55 PM

New to Jamf - so Jamf can escrow the keys from a device that is already encrypted? Well that makes thing a bit simpler. 
Looks like homebysix script has not been updated since Catalina. Anyone know if any issues with Monterey?

0 Kudos

Louie
New Contributor III
In response to vantive

Posted on ‎12-07-2022 03:36 PM

This is the most recent https://github.com/homebysix/jss-filevault-reissue/blob/main/reissue_filevault_recovery_key.sh

Works great with Monterey, they all leverage the same native functionality in the CLI from fdesetup changerecovery

0 Kudos

TheAngryYeti
Contributor
Contributor
In response to Louie

Posted on ‎12-07-2022 07:02 PM

Thanks for linking directly @Louie  - it does work very well on Monterey.  When we run into this situation due to migrations etc....this is one that is highly recommended. 

0 Kudos

elliotjordan
Contributor III

Posted on ‎06-15-2023 04:55 PM

Hi all! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!

0 Kudos