Posted on 07-19-2019 09:28 AM
I used this process to rekey/ key escrow all my Macs on High Sierra and Mojave, and it seems to be working fine.
I am seeing some strange behavior, however. Someone told me they were asked to Rekey/Escrow multiple times. Upon checking the policy logs, I can see a few users were asked to Rekey again a few weeks after they've initially Rekeyed.
I can't seem to find any similarities between the computers that this is happening to.
Has anyone experienced this?
Its almost like the key goes bad or gets corrupted.
Posted on 07-19-2019 02:14 PM
We ran into a situation where a machine would ask daily (our policy to encrypt machines default) to generate a new key.
In our case it appeared something happened to the config profile that escrows the key. We had to remove profiles from the client and re-run the jamf manage (I believe this was it) command so it would pull down a new set of config profiles from the JSS. That solved it for the few we've run into.
Posted on 07-30-2019 12:27 PM
For completeness and other searching, here's what I've found.
I had the policy running Once Per day and changed that to Once Per computer.
It requires a little more active monitoring on your part, but keeps people from being asked to rekey multiple times.
As part of my investigation I made a smart group that detects when a rekey is needed and had it send me emails when the group membership changes. I found that computers are being "randomly" added to and removed from the smart group, and I'm not sure why but I'm also not investigating more.
Here are two examples of when emails were sent to me from computers that seemingly needed the key escrowed, and removed from that group with no user interaction.
Computer 1 Added
Thu, Jul 25, 10:50 AM
Computer 1 Removed
Thu, Jul 25, 11:21 AM
Computer 2 Added
Mon, Jul 29, 9:55 AM
Computer 2 Removed
Mon, Jul 29, 9:56 AM