FileVault key not being escrowed

greenabundance
New Contributor

Hello,

I have a configuration profile set to enable FileVault upon enrollment and escrow the personal recovery key. This is working great, but here and there some keys did not get escrowed, even after the computer inventory updated several times. I recently enrolled four computers and none of the four had their key escrowed. I am not sure what's going on. Has anyone else experienced this?

Each computer's encryption status is as follows:

FileVault 2 Partition Encryption State: Encrypted
Personal Recovery Key Validation: Unknown
The only remedy is to use Jamf's reissue FileVault key script, but that's not an ideal solution for my organization.

scottb
Honored Contributor

What is wrong with using the Jamf script? It appears to be working great on 10.14.x Macs up to and including Big Sur here... interested to know why you don't want to use it.

It does work great; however, the whole point of the configuration profile is to enable + escrow the recovery key(?)
If I onboard someone remotely, I have to inform them the prompt is legit and rely on them to respond to it.

Understand...which is why I branded it for my clients with company icon...

For just the initial FV2 enable/escrow, the profile only works fine. I'm only using the script for missing keys in Jamf.

Yeah, hoping to get the profile working more than fine so I have the initial personal recovery keys. Alas.

One last question: are you using the login or logout option? I had a discussion with someone and they had to change to login to get it working OK... I'm using logout at the moment.

I am using login.

Maybe give the logout option a shot... best of luck.
Also, make sure (seen this a bunch of times) that there is no other profile with FV settings in there that could be causing trouble... it can get hard to keep track, so each profile here is a unique setting and no more.
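As an added check for the "no other profile with FV settings" advice above (example code, not from the thread and not Jamf's reissueKey.sh): it reads `profiles -C -v` style output and lists every installed profile that carries a FileVault or recovery-key-escrow payload, so a second profile touching FileVault stands out. The payload type identifiers and the sample output format are assumptions; verify both against a real Mac before relying on the pattern.

```shell
#!/bin/sh
# Added example: audit installed profiles for overlapping FileVault payloads.
# Payload types assumed to configure FileVault and PRK escrow (verify locally).
FV_TYPES='com.apple.MCX.FileVault2|com.apple.security.FDERecoveryKeyEscrow'

# Reads profile listing text on stdin; prints "<profile ref> <profile name>"
# for every profile that contains at least one FileVault/escrow payload.
fv_profiles() {
  awk -v types="$FV_TYPES" '
    # "_computerlevel[1] attribute: name: Some Profile" -> remember the name
    $2 == "attribute:" && $3 == "name:" {
      n = ""; for (i = 4; i <= NF; i++) n = n (i > 4 ? " " : "") $i
      name[$1] = n
    }
    # "_computerlevel[1] payload[2] type = com.apple.MCX.FileVault2"
    $2 ~ /^payload\[/ && $3 == "type" && $5 ~ ("^(" types ")$") { seen[$1] = 1 }
    END { for (p in seen) print p, name[p] }
  ' | sort
}

# Number of distinct profiles carrying FileVault/escrow payloads; anything
# above 1 is the overlap the advice above warns about.
fv_profile_count() { fv_profiles | wc -l | tr -d ' '; }

# CONSTRUCTED sample listing (shape approximates `sudo profiles -C -v`).
SAMPLE_PROFILES='_computerlevel[1] attribute: name: FileVault Enable
_computerlevel[1] attribute: profileIdentifier: com.example.fv.enable
_computerlevel[1] payload[1] type = com.apple.MCX.FileVault2
_computerlevel[1] payload[2] type = com.apple.security.FDERecoveryKeyEscrow
_computerlevel[2] attribute: name: Wi-Fi
_computerlevel[2] payload[1] type = com.apple.wifi.managed
_computerlevel[3] attribute: name: Legacy Security Baseline
_computerlevel[3] payload[1] type = com.apple.MCX.FileVault2'

# On a real Mac: sudo profiles -C -v | fv_profiles
if [ "$(printf '%s\n' "$SAMPLE_PROFILES" | fv_profile_count)" -gt 1 ]; then
  echo "WARNING: more than one profile configures FileVault:"
  printf '%s\n' "$SAMPLE_PROFILES" | fv_profiles
fi
```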

Scott_Conway
New Contributor III

I am seeing this same exact behavior (seems like ever since around September 2021). Now it seems almost all new enrollments have their key missing inside Jamf. Using a script to re-issue keys isn't a solution. The config profile is supposed to work, but doesn't.

@greenabundance Did you ever solve this in your environment?

Matt_Ellis
Contributor II

I am now seeing this happen on a lot of my machines. Did anyone find a solution to why the config profile doesn't work?

Raph
New Contributor

Hi all, I have the same problem on a lot of my machines. Did you find anything?

samuellarsson
New Contributor III

I have this happen to about 50% of my machines on enrollment, which is way too frequent. I didn't know about Jamf's reissueKey.sh script so that will help a bit. However, this shouldn't be a problem in the first place, so I'm very curious as to the source of the issue.

This is my thought as well. We are still seeing this happen but cannot determine a root cause. The machines are all set up exactly the same, but this issue happens randomly to some. The re-issue script does work, but it shouldn't be needed in the first place.