FileVault Key Escrow

WTIAdmin
New Contributor

Howdy Folks,

My machines already had FileVault 2 enabled on them before they were enrolled in JAMF. I have now enrolled them through User-Based enrollment, but the personal FileVault keys are not being escrowed in JAMF. I have the config profile created and the policy in Self Service for them to create new keys, but I don't see any changes after what looks like a successful update. After looking at sudo fdesetup details, I show both a key for administrator and the logged-in user. All of our machines are on some version of Big Sur 11.3 or greater. Any assistance you can provide would be of great help.


akw0045
New Contributor III

Create a policy to change the FileVault key. This should record the new key in JAMF. 

DBrowning
Valued Contributor II

@WTIAdmin Take a look over here. Because Jamf doesn't know about the existing key, you need to prompt users for their password in order to escrow a new key. The Policy payload for reissuing a new key will only work if Jamf knows a valid existing key.
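The approach DBrowning describes, rotating the personal recovery key with the user's credentials so the escrow profile captures the new one, as an added example that is not from this thread or from Jamf. It uses the documented `fdesetup changerecovery -personal -inputplist` form (a plist with Username and Password on stdin) and checks two preconditions first: FileVault is on, and the escrow configuration profile (payload type com.apple.security.FDERecoveryKeyEscrow) is already installed, because a key rotated before the profile lands is just as unescrowed as the original. The helper names, the `profiles -C -v | grep` style check and the sample command outputs are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not Jamf's or the thread's code): rotate a Mac's FileVault
# personal recovery key so the Jamf escrow profile can capture the new key.
# Function names and the assumed command outputs are constructed for this example.
set -u

# Escape a value for a plist <string> element.  A password containing
# '<', '>' or '&' would otherwise corrupt the XML handed to fdesetup and the
# rotation would fail with an unhelpful parse error.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist that `fdesetup changerecovery -personal -inputplist` reads
# on stdin.  Username must be a FileVault-enabled account (see `fdesetup list`).
build_changerecovery_plist() {
  local user="$1" pass="$2"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>$(xml_escape "$user")</string>
  <key>Password</key>
  <string>$(xml_escape "$pass")</string>
</dict>
</plist>
EOF
}

# True when the captured `fdesetup status` output reports FileVault on.
fv_is_on() {
  case "$1" in
    *"FileVault is On."*) return 0 ;;
    *) return 1 ;;
  esac
}

# True when the captured `profiles -C -v` output names the escrow payload type
# (assumption: the verbose listing includes the payload type string).
escrow_profile_present() {
  case "$1" in
    *com.apple.security.FDERecoveryKeyEscrow*) return 0 ;;
    *) return 1 ;;
  esac
}

# Decide whether a rotation would achieve anything.  Prints one of:
#   rotate      - FileVault on and escrow profile installed
#   no-profile  - rotating now would produce another unescrowed key
#   fv-off      - nothing to rotate
rotation_plan() {
  local status_out="$1" profiles_out="$2"
  if ! fv_is_on "$status_out"; then echo "fv-off"; return; fi
  if ! escrow_profile_present "$profiles_out"; then echo "no-profile"; return; fi
  echo "rotate"
}

# Rotate the personal recovery key.  macOS only, run as root.  The user's
# password is read from stdin so it never appears in `ps` output or shell
# history; a Jamf policy would collect it with an osascript dialog instead.
reissue_personal_recovery_key() {
  local user="$1" pass plan
  command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found" >&2; return 2; }
  plan=$(rotation_plan "$(fdesetup status)" "$(profiles -C -v 2>/dev/null)")
  [ "$plan" = "rotate" ] || { echo "not rotating: $plan" >&2; return 1; }
  IFS= read -rs pass
  # fdesetup prints the new key on stdout; discard it so it does not end up in
  # the policy log, then submit inventory so Jamf collects the escrowed key.
  build_changerecovery_plist "$user" "$pass" \
    | fdesetup changerecovery -personal -inputplist >/dev/null || return 1
  command -v jamf >/dev/null 2>&1 && jamf recon >/dev/null
  return 0
}
```

Run on the Mac as root with `reissue_personal_recovery_key "$username"` and the user's password on stdin. The plan step is what makes the difference in this thread: if the rotation runs while the escrow profile is missing, `fdesetup` succeeds, a fresh key is printed, and Jamf still shows nothing, which is the symptom the original post describes.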