FV2: Issue new recovery key not working...

New Contributor

My JSS is on 9.6.2. Hoping to reset a few FV2 recovery keys for some Maverick/Yosemite clients.

I created a policy and targeted the devices that had a mismatched key.

Action: Issue new recovery key.
Recovery Key Type: Institutional
Disk Encryption Configuration for Institutional Key: <Company> Workstation Encryption
Require FileVault 2: At next login

I had this run on a trigger and executed it on my test box. The out put from my JSS reads the following:

external image link

Has anyone else seen this before?



Is your management account enabled in FileVault 2? That's one of the requirements for Casper to be able to update the recovery key.

Contributor III

In addition to making sure that the management account is enabled for FileVault, like @wyip mentioned, if the individual encryption key was not added with a configuration profile or an encryption configuration, and/or you don't have an institutional Filevault Key installed - then you will be unable to replace the individual key. How was FileVault initially enabled on the test box that failed?

New Contributor

Regarding the management account: I am using user-initiated enrollment and as part of this I have the management account added. Then I have a policy that runs against a smart group that has managed computers with out FV2 enabled. That policy has the following actions:

Disk Encryption
Action: Apply Disk Encryption Configuration
Disk Encryption Configuration: <company> Workstation Encryption
Require FileVault 2: At next login

I don't see where I can specify that the management account is enabled for FileVault 2. Under User-Initiated Enrollment there doesn't appear to be an option for this. I think that also may be a concern when users start their computers. Will the management account be listed?

I do have an institutional key installed and I have successfully tested the recovery key and institutional key stored in the JSS on systems that were previously encrypted with the JSS.

I have 2 scenarios that I am testing the Issue New Recover Key feature with.

  1. The first deals with a Mac that was enrolled and encrypted with our institutional key, but was accidentally removed and re-added to the JSS. Thus the recovery key is no longer visible for our help desk.
  2. The second deals with a Mac that was previously encrypted manually be the user with their local account. Now we have these Macs enrolled in our JSS and would like to take control of FileVault encryption.

New Contributor

I now see that under Disk Encryption Configurations that there is an option to Enable FileVault 2 User. In my situation this has been set to Current or next user. This was done to ensure the active user can sign back in to their computer using their own credentials to unlock the FV2 volume.

It makes perfect sense that the management account needs to be enabled for FV2 in order to update the recovery key. Soooooo....

  1. What's the best way to retroactively enable the management account for FV2?
  2. Is this going to present users with our hidden management account at login??

Legendary Contributor III

If you enable the management account for FV2, it will show up at the FileVault preboot screen user list, as you asked about above. This is the primary reason we won't do it here. Until/If Apple changes or adds the ability to force the FV2 boot screen to username & password fields, instead of List of users, we only enable the main user of the system, not our management account.

New Contributor

@ mm2270 - Thank you for confirming. Glad I am not the only one with that concern.

Knowing all of this now, am I unable to re-issue new FV2 keys?

Valued Contributor

@JAMF_noob When we have had to get machines that were FV enabled before Casper to have new keys, we have used JAMF's script to do it. Since the key can only be re-issued when prompted by a user who is already FV enabled, it will require the user to type in their password. You need to do two steps:

1.) Set up a computer-levelconfiguration profile with a FileVault Key Redirect payload and have it set to "Automatically redirect recovery keys to the JSS"


2.) Add this script to the JSS https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh and deploy it however it makes sense for you. We did it with Self Service. The user gets prompted for their password, they enter, it runs the command to re-issue a key, the key gets re-directed to the JSS.

New Contributor

Thank you Chris. I'll give this a shot. Much appreciated.

New Contributor

I ran this through its paces and it worked like a champ. Thank you for the tip Chris!

Contributor II

@chriscollins Just stumbled across this. I am hoping it will solve my issue.

I got a question.
Does this script handle spaces in a password?
I'm trying it but I'm getting this in the log of the Policy:

[STEP 1 of 4]
Executing Policy ams.Re Issue Encryption Key
[STEP 2 of 4]
Running script ams.ReIssueEncryptionKey...
Script exit code: 0
Script result: Prompting help for their login password.
Issuing new recovery key
missing close-brace
while executing
"send {I"
couldn't read file "need": no such file or directory
[STEP 3 of 4]
[STEP 4 of 4]

Contributor II


Just verified, it works if there are no spaces in the password.
Any chance your script can be updated to accommodate spaces in passwords?

Thanks in advance! And great solution!!