FileVault Issue

andymallins
New Contributor III

Hi All,

Wondering if anyone has any suggestions re. an issue I am seeing with FileVault (which is fully encrypted) on a 10.13.3 iMac, as follows:

No key resides on Jamf and it's showing as "FileVault 2 is Not Configured"

Recreating the individual key with the Jamf script makes no difference, although this script does work as it's successfully recreated keys in the past.

If I try and add any users to FileVault to unlock the disk I see the error "Error adding users to FileVault unknown error"

If I run the sysadminctl util, it states that the user doesn't have a secure token (the local admin account does, however). If I attempt to create a token for the user, I get an error similar to "NSLocalizedFailureReason=Credentials could not be verified, username or password is invalid."

If I try to remove FileVault I get the message "FileVault was not disabled (-69595)"

Any ideas? I would rather not rebuild if I don't have to.

Cheers,
Andy

6 REPLIES

rjohnson83jr
New Contributor

Hey, just a question: first, have you ensured you set the Escrow option in the payload to redirect the key to your Jamf server? This is required going forward with 10.13.3. The basic redirect function only works with 10.2 machines or older. See image below:

[image]

andymallins
New Contributor III

Hi, yes, that's all set and the other Macs are fine, again on 10.13.*

andymallins
New Contributor III

Well, upgrading to 10.13.4 sorted enabling additional users, but still no key is sent back to JSS!

daniel_hayden
New Contributor III

Does your configuration Profile have the required certificates included? Working with JAMF I had to add the following Certs to the Profile:
Institutional Key 1-2018
JSS FileVault Recovery Key Escrow Certificate
JSS FileVault Recovery Key Redirection Certificate

thomH
New Contributor III

Hello,

Can I chime in with what's probably a noob question: what's the difference between enabling FV via policy vs. configuration profile? So far I've only used it via policy.

Thanks,

andymallins
New Contributor III

I just have "Enable Escrow Personal Recovery Key" as it was my understanding that was what was needed for 10.13.*