Installing Jamf on a pre-FileVault-encrypted drive

robby_barnes
New Contributor III

I have recently started using Jamf with our organization. I have about 20 users who have already installed FileVault on their computer. I tried enabling a policy on their computer with our new FileVault settings from Jamf. It successfully rebooted their computer and the policy says it was completed, but it does not save the key to the JSS. Is there any way to have it save the recovery key from an existing FileVault setup to the JSS without decrypting the entire disk and then re-encrypting it?


pblake
Contributor III

I'm not a FileVault expert, but I think it would defeat the purpose of an encryption key if a binary installed on the computer could just replace it with its own. I think the drive would have to be unencrypted to swap the key with a new one or the encryption is worthless. Just my thoughts.

robby_barnes
New Contributor III

I'm sure there is no way for it to just arbitrarily pull the key without the authorized user allowing it, but I would think you could force it to ask for authorization to have it send the existing code or something. Maybe I'm wrong. I swear I read something about it somewhere though.

rtrouton
Release Candidate Programs Tester

As long as the Mac in question is running 10.9.x or higher, JAMF has a script available that helps with the process of getting a new recovery key uploaded to the JSS:

https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh

The script is leveraging the fdesetup command line tool's changerecovery function. I have a writeup on fdesetup available from the link below which covers how the changerecovery function works (see the Managing individual and institutional recovery keys section):

https://derflounder.wordpress.com/2013/10/22/managing-mavericks-filevault-2-with-fdesetup/

GaToRAiD
Contributor II

@robby.barnes, rtrouton's link to reissueKey.sh is JAMF's recommended way of doing it. It should be done with a config profile that redirects the key to the JSS.
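The two answers above describe the mechanism but not the checks around it. The following is an added example, not the reissueKey.sh script from the JAMFSupport repository and not Jamf's own code: a small POSIX shell script that does what rtrouton describes (`fdesetup changerecovery -personal`, driven by an input plist on stdin so the password never appears on a command line) and then submits inventory so the escrowed key that GaToRAiD's configuration profile redirects can reach the JSS. Assumptions that are not from the thread: the jamf binary path `/usr/local/jamf/bin/jamf`, the `FV_PASSWORD` environment variable as the way the user's password reaches the script (however you collect it, for instance by prompting the user), the abbreviated sample `fdesetup` output embedded for illustration, and that the recovery-key redirection profile is already installed on the Mac.

```shell
#!/bin/sh
# Added example: reissue a FileVault 2 personal recovery key with
# `fdesetup changerecovery` and have Jamf inventory the Mac afterwards.
# Not Jamf's reissueKey.sh. The helpers are pure text processing so they can
# be exercised anywhere; only main() touches fdesetup/jamf, and only on macOS.
#
# Assumptions (not from the thread): jamf binary at /usr/local/jamf/bin/jamf,
# the FileVault key redirection profile is already installed, and the user's
# password arrives in the FV_PASSWORD environment variable.

# Build the -inputplist document. Credentials go to fdesetup on stdin, not as
# command-line arguments, so they do not show up in `ps` output.
build_input_plist() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<plist version="1.0">\n<dict>\n'
    printf '  <key>Username</key>\n  <string>%s</string>\n' "$1"
    printf '  <key>Password</key>\n  <string>%s</string>\n' "$2"
    printf '</dict>\n</plist>\n'
}

# Given the text of `fdesetup status`, succeed only if FileVault is fully on.
# changerecovery fails while encryption is still in progress, so check first.
filevault_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.$'
}

# Given the text of `fdesetup list` (one "user,UUID" per line), succeed if the
# named account is FileVault-enabled; only such a user can authorise the change.
user_is_fv_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# Pull the RecoveryKey string out of the -outputplist document.
extract_recovery_key() {
    printf '%s\n' "$1" | awk '
        /<key>RecoveryKey<\/key>/ { want = 1; next }
        want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }'
}

# A personal recovery key is six groups of four uppercase letters or digits.
recovery_key_is_valid() {
    printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Constructed, abbreviated sample of what `fdesetup ... -outputplist` prints;
# the real document carries more keys (hardware and volume UUIDs, serial).
SAMPLE_OUTPUT_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>EnabledDate</key>
	<string>2015-03-02 09:12:44 -0500</string>
	<key>RecoveryKey</key>
	<string>ABCD-EFGH-JKLM-NPQR-STUV-WXYZ</string>
</dict>
</plist>'

main() {
    user="$1"
    pass="${FV_PASSWORD:?set FV_PASSWORD to the FileVault user password}"
    filevault_is_on "$(fdesetup status)" || { echo "FileVault is not fully enabled" >&2; exit 1; }
    user_is_fv_enabled "$(fdesetup list)" "$user" || { echo "$user is not FileVault-enabled" >&2; exit 1; }
    # Issue a new personal recovery key; the previous key stops working here.
    out=$(build_input_plist "$user" "$pass" \
          | fdesetup changerecovery -personal -outputplist -inputplist) || exit 1
    key=$(extract_recovery_key "$out")
    recovery_key_is_valid "$key" || { echo "unexpected fdesetup output" >&2; exit 1; }
    # With the redirection profile in place the new key is escrowed for the
    # JSS; submit inventory now instead of waiting for the next check-in.
    /usr/local/jamf/bin/jamf recon
}

# Only touch the live system when explicitly asked, and only on macOS (as root).
if [ "${1:-}" = "run" ] && [ "$(uname)" = "Darwin" ]; then
    shift
    main "$@"
fi
```

Run it as root on the Mac with `FV_PASSWORD='…' sh reissue_prk.sh run alice`; without the `run` argument it only defines the functions. Two caveats worth keeping in mind: `changerecovery` replaces the personal key, so the old key is useless the moment the command succeeds, and the new key only lands in the JSS if the redirection profile is installed before the key is reissued and an inventory submission follows.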

robby_barnes
New Contributor III

Looks like that is working perfectly. Thanks so much!