FileVault + Jamf Pro / macOS Big Sur / M1 silicon / Escrow

walt
Contributor III

I have a couple of questions regarding Jamf, Big Sur, M1's and FileVault

  • Have there been any changes to configuring FileVault in Jamf?

  • What is the process to enable FileVault for computers using Big Sur?

  • Anything noticeably different with M1 Apple devices? Or is a separate FileVault configuration required?

  • How are FileVault keys escrowed for computers running macOS Big Sur? The homebysix script/process does not appear to work for anything in our fleet after 10.15.7.


jchaijasmsak
New Contributor

The FileVault setup in the config profile at Jamf Connect won't kick in on the new M1 anymore.

brobbins
New Contributor II

Yeah, we are wondering the same thing. What is the process to prepare a machine for the next student when the machine was filevaulted for the first user? The only reason we had to filevault was so we could prevent a student from being able to boot into recovery options and wipe the device (all without any authentication whatsoever).

SCCM
New Contributor III

@jchaijasmsak A signed Jamf Connect login profile created using the Jamf Connect Configuration tool seems to enable FileVault if you set it up using the guide (on Azure it does, anyway). @brobbins You can't prevent users from wiping devices without the recovery key on M1 devices, but it shouldn't matter anyway if your devices are in DEP. Once they are wiped and rebuilt, it should go back to your company image?

BRoper
New Contributor III

For M1 Macs that are on Big Sur without FileVault 2 enabled yet: I followed this document creating the configuration profile (for escrow) plus the policy (to deploy), and it works like a charm. Our decision was Personal Recovery Key. Great process. https://www.jamf.com/resources/technical-papers/administering-filevault-on-macos-10-14-or-later-with...
The issue I'm coming across is that with a transition from Jamf Connect to Jamf Pro (that took place without me), half of the Mac fleet already had FileVault 2 enabled in Jamf Connect. They show FV2 is enabled/encrypted in Jamf Pro but they have an 'unknown' recovery key. I need to re-issue a new Personal/Individual Recovery Key for these Macs in Jamf Pro and of course escrow it. The policy to re-issue a Recovery Key alone does not work for this scenario. Wondering if I have to turn FV off on these Macs and then turn it back on involving end user interaction. The homebysix script/process is not an option because it highlights at the top, "The 'redirect FileVault keys to JSS' configuration profile must already be deployed in order for this script to work correctly", and that 'Configure FileVault Recovery Key Redirection' payload in Jamf Pro highlights to use this section to define settings for FileVault recovery key redirection (macOS 10.9–10.12 only). Sadly does not work for Big Sur. These Macs do not have "management accounts" either so even if I make one, I cannot check off the box to make the account an FV2 enabled user anymore as of 10.13. Anyone's input or experience with this is appreciated.

SCCM
New Contributor III

@BRoper Could you not create a new policy for the machines with no key? On Jamf, under Disk Encryption, you have an action to issue a new recovery key. And if you have an escrow policy in place, that should write back? I've seen it put the info back after an inventory; try adding that to the reissue policy. You shouldn't need to disable/decrypt it.

Tribruin
Contributor III

@BRoper Since you don't have an existing PRK nor do you have the Jamf Management account, you can't use the "Reissue Personal Recovery Key" policy. However, you should still be able to use one of the re-issue scripts (which will require the user to enter their password). Just make sure that you have a Configuration Profile with the "Enable Escrow Personal Recovery Key" option checked in the Security and Privacy payload. As long as that profile is on the computer when the PRK is re-issued, Jamf will collect it after an inventory (or maybe two).

Check this blog out for some additional information:
Escrowing and re-issuing FileVault PRK
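An added example of the re-issue step described in the reply above, written for this thread and not taken from any poster, from Jamf, or from the linked blog: a policy script that checks FileVault is on and the escrow payload is installed before rotating the PRK, then triggers an inventory. The helper names are this example's own; it assumes the script runs as root on the Mac and that the user's name and password were collected separately and passed as its two arguments.

```shell
#!/bin/bash
# Added example, not from the thread or from Jamf; helper names are this
# example's own. Assumes: run as root by a Jamf policy on the Mac, the escrow
# profile (payload type com.apple.security.FDERecoveryKeyEscrow) is installed,
# and the user's name and password were collected separately (e.g. via an
# osascript prompt) and passed as the two arguments.

ESCROW_PAYLOAD="com.apple.security.FDERecoveryKeyEscrow"

# 0 when the given `fdesetup status` output reports FileVault on.
fv_enabled() {
  printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# 0 when the given `profiles -C -v` output lists the escrow payload type.
escrow_profile_present() {
  printf '%s\n' "$1" | grep -q "$ESCROW_PAYLOAD"
}

# Escape the few characters that would break the XML plist.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Plist that `fdesetup changerecovery -inputplist` reads on stdin, so the
# password never appears on a command line or in `ps` output.
build_changerecovery_plist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
  printf '<key>Username</key><string>%s</string>\n' "$(xml_escape "$1")"
  printf '<key>Password</key><string>%s</string>\n' "$(xml_escape "$2")"
  printf '</dict></plist>\n'
}

reissue_prk() {
  fv_enabled "$(fdesetup status)" \
    || { echo "FileVault is not on; nothing to re-issue" >&2; return 1; }
  escrow_profile_present "$(profiles -C -v 2>/dev/null)" \
    || { echo "Escrow profile missing; a new PRK would not be collected" >&2; return 2; }
  # Rotate the key. fdesetup prints the new PRK; discard it so it does not
  # land in the policy log; the escrow profile delivers it to Jamf Pro.
  build_changerecovery_plist "$1" "$2" \
    | fdesetup changerecovery -personal -inputplist >/dev/null || return 3
  # Inventory so the escrowed key shows up (the thread notes it may take two).
  /usr/local/bin/jamf recon
}

# Only run on a Mac with both arguments supplied; elsewhere just define helpers.
if [ "$(uname)" = "Darwin" ] && [ "$#" -eq 2 ]; then
  reissue_prk "$1" "$2"
fi
```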

BRoper
New Contributor III

@RBlount Thank you! This is what it boils down to for me. I'll need to prompt the user for their info and go with this method. I appreciate you sharing the article as well. A little later after I posted in this forum, I came across it too. Super helpful. Thanks again for your insight on this.