I've seen three different values for FileVault recovery key:
- valid
- unknown
- invalid
Valid and unknown are obvious, but how does a key become invalid?
Invalid means validation of the key failed. I have a policy scoped to a smart group containing invalid recovery keys, which rotates it and triggers another validation attempt.
Is it possible to resolve the invalid recovery keys without user intervention?
Would you like to share your workflow?
Thanks, @jtrant.
@GoranPOne10, any workflow that changes the personal recovery key almost certainly requires a local admin account with the secure token attribute.
Or is there a way around that?
We see Unknown if a computer is encrypted, but Jamf Pro doesn't have a FileVault 2 key at all.
I tried making a policy with Disk Encryption set to Issue new Recovery key and scoping to machines with "unknown" keys and that did not seem to escrow the key. Any other tricks to try that don't involve the end user doing something?
@stevenjklein Invalid Recovery Key Validation means the PRK on the Mac doesn't match the PRK stored on Jamf Pro.
How to Issue a new PRK to computers using a policy
@swhps Hi, did you ever find out a good way to get around this? Not sure what macOS you were trying this on, but I'm managing a small fleet of all M1 MacBook Pros running the latest version of Big Sur. There was a recent transition from Jamf Connect to Jamf Pro (before I onboarded my position) and half of the Macs had FileVault 2 already enabled while enrolled in Jamf Connect and the RKs are showing 'unknown' in Jamf Pro Inventory. Thankfully the other half of the Macs never had FileVault 2 enabled yet and those I was able to deploy the configuration and escrow the Personal/Individual RKs successfully. I did the same thing you did with a policy to issue a new RK that did not bring me luck. I'd love to not get the end users involved if possible.
Well, a year late, but yes. You need a configuration profile with the right certificate and settings.
Check out Travelling Tech Guy's blog on this: Escrowing and re-issuing FileVault Personal Recovery Keys - Travelling Tech Guy. I found this most useful.
Hi,
How do you validate the key again?
Could you please help?
Best regards!
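The question of how to validate a key again, and the valid/invalid/unknown states described earlier in the thread, can be reproduced locally with Apple's `fdesetup`. The script below is an added example, not code from the thread or from Jamf: it classifies a Mac's Personal Recovery Key (PRK) into the same three states, rotates it when validation fails (what the rotation policy described above does), and reports that an "unknown" key needs an escrow configuration profile rather than a rotation. It assumes macOS with `fdesetup`, that `validaterecovery -inputplist` takes the key in the plist's `Password` field and that `changerecovery -personal -inputplist` takes the admin `Username`/`Password` the same way; the escrowed key and admin credentials are placeholders you would source from your own escrow record.

```shell
#!/bin/sh
# Added example (not from the thread or from Jamf). Reproduces locally the three
# PRK states the thread describes:
#   unknown - no PRK is on record for this Mac
#   invalid - the PRK on record does not validate against this Mac
#   valid   - the PRK on record validates
# Assumes macOS and `fdesetup`; ESCROWED_PRK / ADMIN_USER / ADMIN_PASS are
# placeholders for values taken from your escrow record (assumption).

# Plist that fdesetup reads from stdin with -inputplist.
# Assumption: validaterecovery expects the candidate key in "Password".
prk_plist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
  printf '<key>Password</key><string>%s</string>' "$1"
  printf '</dict></plist>\n'
}

# Credential plist for changerecovery; the user must hold a secure token.
cred_plist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
  printf '<key>Username</key><string>%s</string>' "$1"
  printf '<key>Password</key><string>%s</string>' "$2"
  printf '</dict></plist>\n'
}

# Validate one candidate PRK; prints fdesetup's own "true" or "false".
validate_prk() {
  prk_plist "$1" | fdesetup validaterecovery -inputplist 2>/dev/null
}

# Map the outcome onto the thread's three states.
classify_prk() {
  if [ -z "$1" ]; then
    echo unknown                      # nothing escrowed at all
    return 0
  fi
  case "$(validate_prk "$1")" in
    true)  echo valid ;;
    false) echo invalid ;;            # escrowed PRK does not match this Mac
    *)     echo unknown ;;            # fdesetup missing, FileVault off, or no answer
  esac
}

# Issue a new PRK and print fdesetup's output so the caller can escrow it.
# Needs root plus a secure-token admin, as noted in the thread.
rotate_prk() {
  cred_plist "$1" "$2" | fdesetup changerecovery -personal -inputplist 2>/dev/null
}

# Decide on an action and print "<state>:<action>".
# Args: escrowed PRK (may be empty), admin user, admin password.
remediate() {
  state=$(classify_prk "$1")
  case "$state" in
    valid)   echo "valid:none" ;;
    invalid) new_key=$(rotate_prk "$2" "$3") && [ -n "$new_key" ] \
               && echo "invalid:rotated" || echo "invalid:rotation-failed" ;;
    unknown) echo "unknown:needs-escrow-profile" ;;   # rotation alone will not escrow
  esac
}

# Run only when invoked with --run, e.g. as root from a management policy.
if [ "${1:-}" = "--run" ]; then
  remediate "${ESCROWED_PRK:-}" "${ADMIN_USER:-}" "${ADMIN_PASS:-}"
fi
```

Run it as root on the Mac with `ESCROWED_PRK` set to the key held in your escrow record; an `invalid` result followed by `rotated` is the point at which the new key must be escrowed again, which is why the thread ties rotation to a follow-up validation attempt.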