Forcing a FileVault key to rest.

mrrobertbuss
New Contributor III

I have 2 Macs that do not have the FileVault key showing on their Disk Encryption page. I set up a policy to renew these keys. When it was done executing I ran the sudo jamf policy command and this error popped up. What did I miss in the policy that prevented the authentication error? Any help greatly appreciated!

2 ACCEPTED SOLUTIONS

mm2270
Legendary Contributor III

I may be wrong about this, since I haven't personally used this feature, but I believe that to use the "Issue New Recovery Key" option in a policy, Jamf Pro already has to have a valid Recovery Key escrowed for the Mac. Basically, to cycle or refresh a FV2 recovery key, you need something to authenticate with, whether that's a user entering their FV2-enabled account password or an existing Recovery Key for that Mac. macOS will not allow you to simply set up a new PRK unless you can prove to it that you have authority to unlock the Mac, so it requires some type of authentication. Since you said you were trying to do this on a Mac that was missing the PRK, you'll probably need to use a scripted method to get a new key escrowed instead, which can prompt a user to enter their (FV2) password for authentication.

Take a look at this script - https://github.com/homebysix/jss-filevault-reissue


sharriston
Contributor III

Take a look at Escrow Buddy for automating it in your environment. The easiest fix, if you have the machine in front of you, would be to first make sure the computer has the redirect config profile on it (meaning that when a new key is issued and recon is run, the key will be escrowed), then just run:

sudo fdesetup changerecovery -personal

Enter an admin user and their password and the new key will be displayed; then just do a:

sudo jamf recon

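As an added example (not code from either reply, from Jamf, or from the Escrow Buddy and jss-filevault-reissue projects), here are the steps from the two accepted answers as one script: it first confirms FileVault is on and the escrow (redirect) profile is installed, then authenticates the rotation with a FileVault-enabled account's credentials passed to fdesetup via -inputplist rather than on the command line, and runs `jamf recon` immediately afterwards. The script name rotate_prk.sh, the `profiles -P -v` invocation and the shape of its output are assumptions; adjust them to what your macOS build prints.

```shell
#!/bin/bash
# rotate_prk.sh: rotate a Mac's FileVault personal recovery key (PRK) and
# escrow it to Jamf Pro. Added example, not code from the thread, Jamf or
# Escrow Buddy. Assumes macOS with fdesetup and the jamf binary and an
# installed escrow payload of type com.apple.security.FDERecoveryKeyEscrow;
# the `profiles -P -v` output shape is an assumption.

ESCROW_PAYLOAD_TYPE="com.apple.security.FDERecoveryKeyEscrow"
# Personal recovery keys look like XXXX-XXXX-XXXX-XXXX-XXXX-XXXX.
PRK_PATTERN='[A-Z0-9]{4}(-[A-Z0-9]{4}){5}'

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Escape the XML special characters so a password containing <, &, ', " or >
# cannot break (or alter) the plist handed to fdesetup.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Build the stdin plist that `fdesetup changerecovery -personal -inputplist`
# expects, so the password never appears on a command line or in history.
build_fdesetup_input_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>$(xml_escape "$1")</string>
  <key>Password</key>
  <string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

# True when the given `profiles` listing contains the escrow payload type.
escrow_profile_present_in() {
  printf '%s\n' "$1" | grep -q "$ESCROW_PAYLOAD_TYPE"
}

# Pull the new key out of fdesetup's output; fail when none is present
# (for example when authentication failed and only an error was printed).
extract_recovery_key() {
  local key
  key=$(printf '%s\n' "$1" | grep -oE "$PRK_PATTERN" | head -n 1)
  [ -n "$key" ] && printf '%s\n' "$key"
}

main() {
  set -u
  local user pass out key
  [ "$(id -u)" -eq 0 ] || die "run with sudo"
  fdesetup status | grep -q 'FileVault is On' || die "FileVault is not enabled"
  # Without the escrow profile, recon uploads nothing and the new key
  # would exist only on the disk.
  escrow_profile_present_in "$(profiles -P -v 2>/dev/null)" \
    || die "escrow profile ($ESCROW_PAYLOAD_TYPE) is not installed"

  printf 'FileVault-enabled admin user: '; read -r user
  printf 'Password: '; read -rs pass; printf '\n'

  # macOS requires proof of authority to unlock the disk before it will
  # mint a new PRK; these credentials are that proof.
  out=$(build_fdesetup_input_plist "$user" "$pass" \
        | fdesetup changerecovery -personal -inputplist 2>&1) \
    || die "fdesetup refused to rotate the key (authentication failed?): $out"
  unset pass
  key=$(extract_recovery_key "$out") || die "no recovery key in fdesetup output"

  # Escrow straight away. The key is shown only if escrow fails, so it does
  # not routinely end up in terminal scrollback or session logs.
  if jamf recon >/dev/null 2>&1; then
    printf 'New PRK set and submitted to Jamf Pro; verify it on the Disk Encryption tab.\n'
  else
    printf 'jamf recon failed; record this key now and retry recon: %s\n' "$key" >&2
    exit 1
  fi
}

# Usage: sudo bash rotate_prk.sh run
case "${1:-}" in run) main ;; esac
```

Unlike the interactive `sudo fdesetup changerecovery -personal`, the script feeds the credentials to fdesetup on stdin as a plist and only displays the new key when `jamf recon` fails, since a successful recon is what places the key in Jamf Pro; if your escrow relies on a different payload, change ESCROW_PAYLOAD_TYPE accordingly.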

4 REPLIES

mrrobertbuss
New Contributor III

Typo in the first line: need FV to reset, not rest.


mrrobertbuss
New Contributor III

Thank you both for the quick responses. For me, both solutions provided were correct.