FileVault2 - Stuck Escrowing recovery key

cskj
New Contributor II

Does anyone have any experience troubleshooting the escrow of the recovery key?

We're seeing this on a handful of laptops out there.

We're on JSS 9.81, OS X 10.11.3.

We have a configuration profile set to configure filevault with an individual key and an institutional certificate.

The kick off of the initial encryption always submits the recovery key back to the JSS and it works and is valid.

However, eventually (I've been testing with a once a day policy) we start running into "Error remediating recovery key: Authentication error." trying to generate a new individual recovery key.

If I run: sudo fdesetup changerecovery -personal -verbose

sh-3.2# fdesetup changerecovery -personal -verbose
fdesetup: use personal recovery key
fdesetup: device path = /
Enter a password for '/', or the recovery key:
Adding personal recovery key.
New personal recovery key = 'XXXX-XXXY-ZZZA-ABCD-1234-1234'
Escrowing recovery key...

And then it just sits there. fdesetup doesn't finish and the only way out is ^C. I tried doing some network monitoring with LittleSnitch but didn't see anything even touching our JSS server. The recovery key it generates above the 'Escrowing recovery key...' is valid, but it never makes it to the JSS.

Turning off the key escrow results in fdesetup completing, but it doesn't escrow the key.

Any thoughts on additional steps I could take?

10 REPLIES 10

kitzy-fastly
New Contributor

@cskj I'm experiencing the exact same issue, and my findings are the same as yours. Have you made any headway with this issue yet?

danny_friedman_
New Contributor III

@cskj I have also experienced this. JAMF recently came to my office and I brought this up, but haven't heard back yet.

The only resolution I have found for this was removing the JAMF framework and then re-recon'ing the computer. Once the computer had the FileVault 2 key escrow profile again, it worked.

I have also tested removing the profile (removing the computer from the Configuration Profile scope), then re-adding it to the Configuration Profile scope. Unfortunately, this also did not resolve the issue (and I am not sure why).

I would love a response from JAMF on this.

kitzy
Contributor III

Unfortunately removing the framework and re-enrolling doesn't work in my environment. I found that decrypting and re-encrypting solves the issue, but this isn't really feasible as a solution for us. We'd also like to get to the bottom of why this is happening in the first place.

danny_friedman_
New Contributor III

@kitzy - That is very interesting. If decrypting and re-encrypting resolves the issue, it implies that the FileVault 2 key redirection profile works, and should have worked all along. That being the case, it sounds like this is probably a relatively complex issue that could be an OS X issue itself.

paul_nichols
New Contributor II
New Contributor II

Hey all,

I've been working on this issue very closely the past week or so and have been able to recreate similar behavior in-house. Introducing network connectivity drops during the policy that reissues a new key and attempts to escrow it to the JSS seemed to then exhibit the behavior on a few test machines. Tentatively, this has been filed as PI-002132 until our product specialists can confirm exactly what's going on. If we're encountering this issue, I strongly urge you to reach out to your JAMF Buddy and create a case.

Thanks!

iJake
Valued Contributor

This is a bug in OS X. We've opened a case with Apple unfortunately I don't have RADAR number to give you. In the meantime you can recover from the issue most times with the below commands or a reboot.

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.security.FDERecoveryAgent.plist (do this until it tells you "Could not find specified service”)

sudo killall FDERecoveryAgent

and then you can issue a new key that will be escrowed.

danny_friedman_
New Contributor III

@iJake - thank you for this, it will definitely help the next time this issue occurs.

@paul.nichols - I'll definitely escallate this up the chain when it occurs next. Thanks!

kitzy
Contributor III

@iJake That works in my testing as well. Thanks for the tip!

brunerd
Contributor

Bumping this thread because apparently it is still an issue in one year later in 2017 with 10.12.6 and JSS 9.100, so it seems likely that indeed it's MDMs fault apart from all those other factors.

In my experience:
• The first changerecovery command works but then any subsequent attempts made will hang.
• Rebooting will cause the the new key to send at startup, even if it was hung during "Escrowing".
• However any additional changerecovery commands will hang, whether rebooting in between or staying up.
• Running WireShark during a hang showed that no outbound connection to the JSS is even attempted.

Running this command once was sufficient to unload FDERecoveryAgent, no killall needed (a big thanks to @iJake )
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.security.FDERecoveryAgent.plist

BTW - we'll see how 10.13 behaves with the new key escrow payload
com.apple.security.FDERecoveryRedirect is being deprecated and com.apple.security.FDERecoveryKeyEscrow is taking it's place (no Jamf Pro 9.100 does not make this MDM payload yet)

donmontalvo
Esteemed Contributor II

@iJake is the kill command a safety net, in case unloading the Launch Daemon doesn't stop the process?

sudo killall FDERecoveryAgent

@brunerd saw the same result, tested on a spare computer and the process disappeared when unloaded.

--
https://donmontalvo.com