FileVault showing as not encrypted, but the recovery key is set

tyler_petro
New Contributor III

Hi everyone,

I found some previous articles regarding a similar issue of a device being encrypted (shows on the device as encrypted) and Jamf Pro showing it has the recovery key, but Jamf Pro also shows it is not encrypted. I have been able to fix this by manually running the command sudo fdesetup changerecovery -personal and then doing a Jamf recon. I wanted to script this, so I created a script to be run from Self Service, but it just spins forever. I believe it is because it needs me to provide a username and password for an account that has rights to FileVault. How would I prompt for that in my script?


#!/bin/sh

# Change the recovery key.
# Without -inputplist, fdesetup prompts on the terminal for the name and
# password of a FileVault-enabled user. A Self Service policy has no terminal
# to answer that prompt, so this call waits forever ("spins forever").
# Jamf policy scripts already run as root, so the sudo is redundant here.
sudo fdesetup changerecovery -personal

# Force the device to check in to Jamf so the new key is reported
sudo jamf recon

exit 0
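One way to answer the question in the post above, as an added example rather than the poster's own script: instead of letting fdesetup prompt on a terminal the policy never has, collect the console user's password in a dialog, verify it locally with dscl, and feed it to fdesetup through -inputplist on stdin. The dialog wording, the assumption that the script runs as root from Self Service with a user logged in at the console, and the helper names are all this example's own; the fdesetup, dscl, launchctl and jamf invocations are standard macOS/Jamf commands.

```shell
#!/bin/sh
# Added example (not the original poster's script). Assumes it runs as root
# from a Jamf Self Service policy while a user is logged in at the console;
# the dialog text and helper names are assumptions of this example.
#
# fdesetup changerecovery -personal prompts on a TTY for a FileVault-enabled
# user's name and password. A policy script has no TTY, so the prompt hangs.
# Handing the credentials over with -inputplist on stdin avoids that.

# Escape XML metacharacters so a password such as p<a&ss cannot corrupt the plist.
xml_escape() {
    printf '%s' "$1" | sed \
        -e 's/&/\&amp;/g' \
        -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' \
        -e "s/'/\&apos;/g"
}

# Build the property list that fdesetup reads from stdin with -inputplist.
build_inputplist() {
    esc_user=$(xml_escape "$1")
    esc_pass=$(xml_escape "$2")
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    printf '  <key>Username</key>\n  <string>%s</string>\n' "$esc_user"
    printf '  <key>Password</key>\n  <string>%s</string>\n' "$esc_pass"
    printf '</dict>\n</plist>\n'
}

# Show a password dialog inside the console user's GUI session. A root process
# cannot draw on the user's screen directly, hence launchctl asuser + sudo -u.
ask_password() {
    uid=$(id -u "$1")
    launchctl asuser "$uid" sudo -u "$1" osascript \
        -e 'text returned of (display dialog "Enter your Mac login password to refresh the FileVault recovery key" default answer "" with hidden answer buttons {"Cancel", "OK"} default button "OK")'
}

main() {
    console_user=$(stat -f%Su /dev/console)
    if [ -z "$console_user" ] || [ "$console_user" = "root" ]; then
        echo "No user at the console; nothing to do." >&2
        exit 1
    fi

    # Only FileVault-enabled users can authorise a new recovery key.
    if ! fdesetup list | cut -d, -f1 | grep -qx "$console_user"; then
        echo "$console_user is not FileVault-enabled." >&2
        exit 1
    fi

    # osascript exits non-zero when the user presses Cancel.
    password=$(ask_password "$console_user") || exit 1

    # Verify the password locally before handing it to fdesetup.
    if ! dscl /Local/Default -authonly "$console_user" "$password" 2>/dev/null; then
        echo "Password check failed for $console_user." >&2
        exit 1
    fi

    # Generate the new personal recovery key. Discard stdout so the key itself
    # never lands in the Jamf policy log; as in the manual procedure, the
    # FileVault escrow profile plus the recon below are what report it to Jamf Pro.
    if ! build_inputplist "$console_user" "$password" \
            | fdesetup changerecovery -personal -inputplist >/dev/null; then
        echo "fdesetup changerecovery failed." >&2
        exit 1
    fi
    unset password

    # Report the new key to Jamf Pro.
    jamf recon
}

# fdesetup, dscl and osascript exist only on macOS; elsewhere only define the helpers.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    main
fi
```

The dscl -authonly step is there so a mistyped password fails fast with a clear message instead of an opaque fdesetup error, and the stdout redirect matters because fdesetup prints the new key, which would otherwise be captured in the policy log for anyone with Jamf Pro log access.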

6 REPLIES

jamf-42
Valued Contributor II

Best fix for the FileVault oddness is this: escrow-buddy

If that's overkill, I used to just re-issue a FV key via policy (Disk Encryption - Issue New Recovery Key), and for the most part that worked, scoped to a smart group.

tyler_petro
New Contributor III

Thanks for the suggestion! I did look into this and it mentioned I have to push the keys using the FDERecoveryKey Escrow. Currently we are using a certificate to escrow; so I am not sure if I would have to re-do every recovery key in the environment if I switch the process.

jamf-42
Valued Contributor II

Obviously test, but it's very simple. If you're using the normal FileVault config profile, install the binary, add the smart groups, policies and extension attributes, and it just works.

tyler_petro
New Contributor III

Great, I will give Escrow Buddy a shot. Thank you!

mm2270
Legendary Contributor III

I can attest to the fact that Escrow Buddy works amazingly well. I recently started using it, and it's been great for wrangling in those handful of machines that end up in a weird encryption state to get a valid key escrowed into Jamf.

One thing that's important to understand about its use is that it only works after the user logs out / logs in, after it's been deployed and the command set to capture a new key. And obviously you have to have FV2 key escrow set in a profile on your Macs from Jamf, so it knows to send the newly generated key back to the Jamf Pro console.

But if you have that all in place, it works well, and doesn't require direct user input or nagging (they just have to log into their Mac at some point). I only mention that point about log out/log in, because we all know some Mac users almost never reboot their Macs or even log out of their accounts unless they are forced to. So it's just something to consider when using it.

tyler_petro
New Contributor III

Thank you for all of the information, I will give it a shot. Thanks!