Posted on 06-03-2020 12:43 PM
I've seen three different values for FileVault recovery key:
Valid and unknown are obvious, but how does a key become invalid?
Posted on 06-03-2020 01:16 PM
Invalid means validation of the key failed. I have a policy scoped to a smart group containing invalid recovery keys, which rotates it and triggers another validation attempt.
2 weeks ago
How do you validate the key again?
Could you please help?
Posted on 06-03-2020 01:51 PM
Is it possible to resolve the invalid recovery keys without user intervention?
Would you like to share your workflow?
Posted on 06-03-2020 02:56 PM
@GoranPOne10, any workflow that changes the personal recovery key almost certainly requires a local admin account with the secure token attribute.
Or is there a way around that?
Posted on 06-03-2020 05:38 PM
We see Unknown if a computer is encrypted, but Jamf Pro doesn't have a FileVault 2 key at all.
Posted on 11-25-2020 12:44 PM
I tried making a policy with Disk Encryption set to Issue new Recovery key and scoping to machines with "unknown" keys and that did not seem to escrow the key. Any other tricks to try that don't involve the end user doing something?
Posted on 12-21-2021 08:16 AM
Well, a year late, but yes. You need a configuration profile with the right certificate and settings.
Posted on 11-25-2020 04:23 PM
@stevenjklein Invalid Recovery Key Validation means the PRK on the Mac doesn't match the PRK stored on Jamf Pro.
Posted on 05-25-2021 02:23 PM
@swhps Hi, did you ever find out a good way to get around this? Not sure what macOS you were trying this on, but I'm managing a small fleet of all M1 MacBook Pros running the latest version of Big Sur. There was a recent transition from Jamf Connect to Jamf Pro (before I onboarded my position) and half of the Macs had FileVault 2 already enabled while enrolled in Jamf Connect and the RKs are showing 'unknown' in Jamf Pro Inventory. Thankfully the other half of the Macs never had FileVault 2 enabled yet and those I was able to deploy the configuration and escrow the Personal/Individual RKs successfully. I did the same thing you did with a policy to issue a new RK that did not bring me luck. I'd love to not get the end users involved if possible.
Posted on 04-11-2022 08:58 AM
Check out Travelling Tech Guy's blog on this: Escrowing and re-issuing FileVault Personal Recovery Keys - Travelling Tech Guy I found this most useful.