Posted on 08-31-2021 02:42 PM
Hello,
I have a configuration profile set to enable FileVault upon enrollment & escrow the personal recovery key. This is working great, but here & there we had some keys not get escrowed, even after the computer inventory updated several times. I recently enrolled four computers and all four did not get their key escrowed. I am not sure what's going on - has anyone else experienced this?
Each computer's encryption status is as follows:
Posted on 08-31-2021 03:20 PM
What is wrong with using the Jamf script? It appears to be working great on 10.14.x Macs up to and including Big Sur here...interested to know why you don't want to use it.
Posted on 08-31-2021 03:23 PM
It does work great; however, the whole point of the configuration profile is to enable and escrow the recovery key(?)
If I onboard someone remotely, I have to inform them the prompt is legit and rely on them to respond to it.
Posted on 08-31-2021 03:31 PM
Understand...which is why I branded it for my clients with company icon...
For just initial FV2 enable/escrow, the profile only works fine. Only using the script for missing keys in Jamf.
Posted on 08-31-2021 03:33 PM
Yeah hoping to get the profile working more than fine so I have the initial personal recovery keys. Alas.
Posted on 08-31-2021 03:35 PM
One last ? - are you using the login or logout option? I had a discussion with someone and they had to change to login to get it working OK...I'm using logout at the moment.
Posted on 08-31-2021 03:37 PM
I am using login.
Posted on 08-31-2021 03:39 PM
Maybe give the logout option a shot...best of luck.
Also, make sure (seen this a bunch of times) that there is no other profile with FV settings in there that can be causing troubles...it can get hard to keep track so each profile here is a unique setting and no more.
Posted on 01-26-2022 01:25 PM
I am seeing this same exact behavior (seems like ever since around September 2021). Now it seems almost all new enrollments have their key missing inside Jamf. Using a script to re-issue keys isn't a solution. The config profile is supposed to work, but doesn't.
@greenabundance Did you ever solve this in your environment?
Posted on 03-16-2022 12:39 PM
I am now seeing this happen on a lot of my machines, did anyone find a solution to why the config profile doesn't work?
Posted on 03-21-2022 09:06 AM
Hi all, I have the same problem on a lot of my machines. Did you find something?
Posted on 04-26-2022 06:09 AM
I have this happen to about 50% of my machines on enrollment, which is way too frequent. I didn't know about Jamf's reissueKey.sh script so that will help a bit. However, this shouldn't be a problem in the first place, so I'm very curious as to the source of the issue.
Posted on 04-26-2022 06:28 AM
This is my thought as well. We are still seeing this happen but cannot determine a root cause. The machines are all setup exactly the same, but this issue happens randomly to some. The re-issue script does work, but it shouldn't be needed in the first place.
Posted on 05-23-2022 09:12 AM
Possibly splitting hairs, but I'm trying to see the difference between using this reissueKey.sh script and using a Disk Encryption Policy that issues a new recovery key. https://docs.jamf.com/10.24.1/jamf-pro/administrator-guide/Issuing_a_New_FileVault_2_Recovery_Key.ht...
Posted on 09-04-2023 11:17 AM
I'm not sure if this is the same issue. All of our Macs successfully escrow the personal recovery key when they are enrolled. But we have another policy that is scoped to a smart group ("FileVault 2 Individual Key Validation" is not "Valid" AND "FileVault Enabled" is "On") and every once in a while it seems that some Macs, for whatever reason, suddenly fall into this category.
It appears that when this happens, the Personal Recovery Key is actually still there, but "Personal Recovery Key Validation" reports as "Unknown".
Posted on 02-06-2024 09:23 AM
I have been seeing this lately as well. Is it possibly a bug or something with Jamf? From what I have seen, when the device is first enrolled, it grabs the recovery key. But if we ever turn off FileVault, re-enable via Self Service policy, log out (forces it back on) and log in, it turns it back on but the recovery key says "unknown". Very weird.
Posted on 02-06-2024 09:25 AM
the FileVault 'valid' 'not valid' issue has been around for.. a while.. think there was something about it being fixed recently.. one of the many PIs .. You can mitigate with policy / smart groups / extension attributes.. but Escrow Buddy.. does it better..
Posted on 02-06-2024 10:20 AM
Is the Escrow Buddy config profile just the Jamf profile that has it built in, or is it a custom profile created? I was confused by that on the GitHub page.
Posted on 02-06-2024 10:24 AM
The config profile is the one you've already set up.. the binary does some MDM calls that get that to renew.. and this is called by writing out a plist via policy.
Posted on 09-23-2024 08:20 AM
I ran into the same issue. This might be a Bootstrap Token issue, where the current user isn't the volume owner.
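The last few replies point at preconditions for escrow (FileVault actually on, bootstrap token escrowed, the console user holding a secure token) rather than at the profile itself. The triage helper below is an added example, not code from the thread, from Jamf's reissueKey.sh or from Escrow Buddy; it checks those three preconditions so they can be logged before anyone reissues a key. The check functions parse tool output handed to them as arguments, so they run offline against the constructed samples at the bottom; `run_live` gathers the real output on a Mac and assumes the `fdesetup`, `profiles` and `sysadminctl` output formats shown in the samples.

```shell
#!/bin/bash
# Added escrow-precondition triage. Not Jamf's reissueKey.sh and not Escrow Buddy.
# check_* functions parse output passed as $1 so the logic is testable offline;
# run_live() collects real output on macOS (run as root).

check_filevault_on()     { printf '%s\n' "$1" | grep -q '^FileVault is On\.'; }
check_bootstrap_escrow() { printf '%s\n' "$1" | grep -q 'Bootstrap Token escrowed to server: YES'; }
check_secure_token()     { printf '%s\n' "$1" | grep -q 'Secure token is ENABLED for user'; }

# Prints "ok" when every precondition holds, otherwise a comma-separated list of
# the failed checks (exit status 1), so a policy can log it or an EA can scope on it.
escrow_triage() {
  local fv="$1" bt="$2" st="$3" failed=""
  check_filevault_on "$fv"     || failed="${failed}filevault-off,"
  check_bootstrap_escrow "$bt" || failed="${failed}bootstrap-token-not-escrowed,"
  check_secure_token "$st"     || failed="${failed}user-lacks-secure-token,"
  if [ -z "$failed" ]; then echo "ok"; return 0; fi
  echo "${failed%,}"
  return 1
}

# Live collection on macOS. sysadminctl reports on stderr, hence 2>&1.
run_live() {
  local user
  user=$(stat -f '%Su' /dev/console)
  escrow_triage "$(fdesetup status)" \
                "$(profiles status -type bootstraptoken 2>&1)" \
                "$(sysadminctl -secureTokenStatus "$user" 2>&1)"
}

# Constructed sample outputs (assumed formats of the respective tools).
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'
SAMPLE_BT_YES='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_BT_NO='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_ST_ON='2024-09-23 08:20:00.000 sysadminctl[812:4521] Secure token is ENABLED for user alice'
SAMPLE_ST_OFF='2024-09-23 08:20:00.000 sysadminctl[812:4521] Secure token is DISABLED for user alice'

# Pass --live on a Mac to run the real checks; otherwise only the functions are defined.
if [ "${1:-}" = "--live" ]; then run_live; fi
```

A non-"ok" result on a machine whose key never escrowed is the thing to record in the ticket before running a reissue policy, since reissuing with a missing bootstrap token or a non-secure-token user tends to reproduce the same gap.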