issue new recovery key policy ??

tcandela
Valued Contributor II

has anyone created a policy that creates an individual recovery key on a mac laptop that is currently enrolled, encrypted and without a recovery key listed in its inventory information under MANAGEMENT --> FILEVAULT 2?

what exactly happens?

does anything happen to the current users that are filevault enabled?

inventory shows the laptop as encrypted but no individual recovery key, so I'm thinking that I can create the individual recovery key with a policy using the Disk Encryption payload


mccallister
Contributor

Following because I have the same issue. I opened a case with JAMF support and they pointed me to some github page and the procedure there was so complex my eyes glazed over.

donmontalvo
Esteemed Contributor III

@SeanA you're wanted in ER...

--
https://donmontalvo.com

tcandela
Valued Contributor II

I can easily use the fdesetup command and disable filevault, and once it decrypts then apply the filevault configuration, but I wanna see if creating a new individual recovery key is possible while it's currently encrypted

chriscollins
Valued Contributor

@tcandela @mccallister

It’s possible to do with fdesetup by using

fdesetup changerecovery -personal

And assuming you have a proper redirect config profile it will add the key to that computer in the JSS.

The reason why they probably sent you to a github repo with scripts is because for that to work you have to know and input a password of a FileVault user or current recovery key for the computer. Since this is a situation where you don’t know the current recovery key if you want to script/automate this as much as possible, you have to prompt the user for their password so you can feed it into fdesetup. That’s why those scripts tend to be fairly complex.

https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh
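A minimal shell form of the approach chriscollins describes, added here as an example (it is not code from the thread or from either linked repository). It assumes macOS with fdesetup and the jamf binary, root privileges, an escrow/redirect profile already installed, and that the caller has already collected the FileVault user's name and password through its own prompt:

```bash
#!/bin/bash
# Added example, not from the thread or the linked repos. Assumes macOS with
# fdesetup(8) and the jamf binary, run as root, with the escrow/redirect
# profile installed so the regenerated key lands in the JSS. The user name and
# password are supplied by the caller (e.g. an osascript prompt).

# Escape the characters that would break the plist if a password contains them.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist that fdesetup reads from stdin. Feeding the password this way
# keeps it out of the process argument list, which every local user can see in ps.
build_input_plist() {
    local user="$1" pass="$2"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$user")</string>
    <key>Password</key>
    <string>$(xml_escape "$pass")</string>
</dict>
</plist>
EOF
}

# Regenerate the personal recovery key on a machine that is already encrypted.
# Returns 0 on success; prints the reason on stderr otherwise.
reissue_personal_key() {
    local user="$1" pass="$2"
    if ! fdesetup status | grep -q 'FileVault is On'; then
        echo "FileVault is not enabled; nothing to reissue" >&2; return 2
    fi
    # fdesetup list prints one "user,GUID" line per FileVault-enabled account.
    if ! fdesetup list | grep -q "^${user},"; then
        echo "$user is not a FileVault-enabled user" >&2; return 3
    fi
    # changerecovery -personal needs a FileVault user's password; -inputplist
    # takes it from stdin instead of an interactive or expect-driven prompt.
    build_input_plist "$user" "$pass" | fdesetup changerecovery -personal -inputplist || return 4
    # Submit inventory so the newly escrowed key shows up under FileVault 2.
    jamf recon
}
```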

qsodji
Contributor

I would assume these macs were encrypted before being enrolled into Jamf.
Use this script and deploy it via a policy scoped to computers missing keys or with invalid keys

Make sure to also deploy Filevault escrow profiles, keep in mind 10.13.x escrow is under security settings payload and not the usual filevault escrow payload.
Load each profile's UUID into the script and voila.

The user will be prompted to enter their password and that info will be used to spin up a new key and a recon will capture it to the JSS.
Side note, the current security update from Apple is breaking recon so often on macs that still haven't run it you will have recon issues.

https://github.com/homebysix/jss-filevault-reissue

jeffkh
New Contributor II

I've tried using the homebysix script, but at the first prompt, after clicking next it almost instantly says I've entered the wrong password 5 times, like as if the enter key was stuck or something. Here's the output:

Alerting user admin about incoming password prompt...
Prompting admin for their Mac password...
Prompting admin for their Mac password (attempt 2)...
Prompting admin for their Mac password (attempt 3)...
Prompting admin for their Mac password (attempt 4)...
Prompting admin for their Mac password (attempt 5)...
[ERROR] Password prompt unsuccessful after 5 attempts. Displaying "forgot password" message...

        Error running script: return code was 1.
        Checking for patches...
        No patch policies were found.

Can't seem to figure out how to fix this. Filevault management on Sierra was already a pain, but on High Sierra it's the worst thing ever. It's such a glaring hole in Jamf's capabilities, I don't understand why there is not more effort put in to making Jamf at least somewhat capable of managing Filevault. You're left to figure it out on your own with third party scripts, extension attributes, etc. Frustrating.

elliotjordan
Contributor III

Hi! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that might be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!