Jamf Nation Community

Is it possible to resolve the invalid recovery keys without user intervention?
Would you like to share your workflow?

Thanks, @jtrant.

@GoranPOne10, any workflow that changes the personal recovery key almost certainly requires a local admin account with the secure token attribute.

Or is there a way around that?

We see Unknown if a computer is encrypted, but Jamf Pro doesn't have a FileVault 2 key at all.

I tried making a policy with Disk Encryption set to Issue new Recovery key and scoping to machines with "unknown" keys and that did not seem to escrow the key. Any other tricks to try that don't involve the end user doing something?

@stevenjklein Invalid Recovery Key Validation means the PRK on the Mac doesn't match the PRK stored on Jamf Pro.

How to Issue a new PRK to computers using a policy

@swhps Hi, did you ever find out a good way to get around this? Not sure what macOS you were trying this on, but I'm managing a small fleet of all M1 MacBook Pros running the latest version of Big Sur. There was a recent transition from Jamf Connect to Jamf Pro (before I onboarded my position) and half of the Macs had FileVault 2 already enabled while enrolled in Jamf Connect and the RKs are showing 'unknown' in Jamf Pro Inventory. Thankfully the other half of the Macs never had FileVault 2 enabled yet and those I was able to deploy the configuration and escrow the Personal/Individual RKs successfully. I did the same thing you did with a policy to issue a new RK that did not bring me luck. I'd love to not get the end users involved if possible.