Posted on 02-06-2024 08:47 AM
Hi everyone,
I found some previous articles regarding a similar issue: a device is encrypted (it shows on the device as encrypted) and Jamf Pro shows it has the recovery key, but Jamf Pro also shows it is not encrypted. I have been able to fix this by manually running the command sudo fdesetup changerecovery -personal and then doing a Jamf recon. I wanted to script this, so I created a script to be run from Self Service, but it just spins forever. I believe this is because it needs me to provide a username and password for an account that has rights to FileVault. How would I prompt for that in my script?
#!/bin/sh
# Change the recovery key
# Note: without -inputplist, fdesetup changerecovery prompts interactively for a
# FileVault-enabled user's name and password; a Self Service policy has no TTY,
# so the command blocks here waiting for input that never arrives.
sudo fdesetup changerecovery -personal
# Force device to check into Jamf
sudo jamf recon
exit 0
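One way to do the prompting asked about above, as an added example that is not the poster's script and not something from the thread: ask the console user for their password with an osascript dialog, build the plist that fdesetup accepts on stdin with -inputplist, and pipe it in so fdesetup never waits on a terminal. Function names, the dialog text, and the assumption that the policy runs as root under the jamf binary and that the console user is a FileVault-enabled user are all mine; the Jamf FileVault configuration profile is assumed to be in place so the regenerated key is escrowed on the following recon.

```bash
#!/bin/bash
# Added example (not the original poster's script). Re-issues the FileVault
# personal recovery key from a Self Service policy without an interactive prompt.
# Assumptions: run as root by the jamf binary; the console user is a
# FileVault-enabled (SecureToken) user; a Jamf FileVault profile escrows the key.

# XML-escape a value before embedding it in the plist; passwords may contain & < > " '.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the plist fdesetup reads from stdin with -inputplist (Username / Password keys).
make_input_plist() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    printf '\t<key>Username</key>\n\t<string>%s</string>\n' "$(xml_escape "$1")"
    printf '\t<key>Password</key>\n\t<string>%s</string>\n' "$(xml_escape "$2")"
    printf '</dict>\n</plist>\n'
}

# The user who clicked the Self Service policy: owner of /dev/console.
current_user() {
    stat -f '%Su' /dev/console
}

# Hidden-answer dialog shown in the user's session; prints the entered password.
# Non-zero exit (Cancel) propagates to the caller.
prompt_password() {
    launchctl asuser "$(id -u "$1")" sudo -u "$1" osascript \
        -e 'display dialog "Enter your macOS password to re-issue the FileVault recovery key" default answer "" with hidden answer buttons {"Cancel","OK"} default button "OK"' \
        -e 'text returned of result'
}

main() {
    user="$(current_user)"
    # Only a FileVault-enabled user can change the key; fail early otherwise.
    if ! fdesetup list | cut -d, -f1 | grep -qx "$user"; then
        echo "$user is not a FileVault-enabled user"
        exit 1
    fi
    pass="$(prompt_password "$user")" || exit 1
    [ -n "$pass" ] || { echo "No password entered"; exit 1; }

    # fdesetup prints the new key to stdout; Jamf copies script output into the
    # policy log, so discard it and rely on the profile to escrow the key.
    if make_input_plist "$user" "$pass" | fdesetup changerecovery -personal -inputplist >/dev/null; then
        jamf recon
    else
        echo "fdesetup changerecovery failed"
        exit 1
    fi
}

# Run the workflow only where fdesetup exists (macOS); elsewhere just define the functions.
if [ -x /usr/bin/fdesetup ]; then
    main
fi
```

The password never touches disk: it is piped straight from the dialog into fdesetup. The `fdesetup list` check prevents the dialog from appearing for an account that could not change the key anyway, and the new key is deliberately kept out of the policy log because Jamf stores script stdout in plaintext there.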
02-06-2024 08:55 AM - edited 02-06-2024 08:58 AM
Best fix for the FileVault oddness is this: escrow-buddy
If that's overkill, I used to just re-issue a FV key via policy (Disk Encryption - Issue New Recovery Key), and for the most part that worked, scoped to a smart group.
Posted on 02-06-2024 08:59 AM
Thanks for the suggestion! I did look into this and it mentioned I have to push the keys using the FDERecoveryKey Escrow. Currently we are using a certificate to escrow, so I am not sure if I would have to re-do every recovery key in the environment if I switch the process.
Posted on 02-06-2024 09:07 AM
Obviously test, but it's very simple. If you're using the normal FileVault config profile, install the binary, add the smart groups, policies and extension attributes, and it just works.
Posted on 02-07-2024 09:39 AM
Great, I will give Escrow Buddy a shot. Thank you!
Posted on 02-07-2024 08:51 AM
I can attest to the fact that Escrow Buddy works amazingly well. I recently started using it, and it's been great for wrangling those handful of machines that end up in a weird encryption state, to get a valid key escrowed into Jamf.
One thing that's important to understand about its use is that it only works after the user logs out / logs in, after it's been deployed and the command set to capture a new key. And obviously you have to have FV2 key escrow set in a profile on your Macs from Jamf, so it knows to send the newly generated key back to the Jamf Pro console.
But if you have that all in place, it works well, and doesn't require direct user input or nagging (they just have to log into their Mac at some point). I only mention that point about log out/log in, because we all know some Mac users almost never reboot their Macs or even log out of their accounts unless they are forced to. So it's just something to consider when using it.
Posted on 02-07-2024 09:39 AM
Thank you for all of the information, I will give it a shot. Thanks!