Jamf Pro showing disk not encrypted but showing recovery key

jonna1006
Contributor

I am using the Jamf Pro native FileVault configuration to escrow the recovery key to Jamf Cloud after enabling FileVault. But recently some of the machines I am managing show as not encrypted even though I did receive the recovery key, while one MacBook Pro (M1) will not show "encrypted" or a "recovery key" no matter what I tried. Can anyone help?




junjishimazaki
Valued Contributor

On the Mac, have you tried sudo jamf recon? If that doesn't work, you can try creating another recovery key and running recon again to send it back to Jamf.

On the Mac, in Terminal: sudo fdesetup changerecovery -personal

This will prompt for a user that has a secure token and their password. Then it will generate a new key. Once it does, run sudo jamf recon.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Is there any way to push a script to achieve this? I currently have 3 MacBook Pros that will not show as "encrypted" or escrow the recovery key to Jamf.

You sure can, yes. Jamf has a great page that details it: https://docs.jamf.com/10.27.0/jamf-pro/administrator-guide/Scripts.html . Regarding the actual script, could be as simple as:

#!/bin/sh

# Rotate the personal recovery key. fdesetup needs the credentials of a
# SecureToken-enabled user: run interactively it prompts for them; from a
# policy they can be supplied on stdin with -inputplist (see man fdesetup).
# Stop here if rotation fails so the policy log does not report success.
sudo fdesetup changerecovery -personal || exit 1

# Force the Mac to submit inventory so Jamf Pro escrows the new key
sudo jamf recon

exit 0
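The script above rotates the key unconditionally. The check a practitioner wants first is what fdesetup itself reports, because changerecovery only succeeds when FileVault is On, and a Mac that is Off but still has a key cached in Jamf needs to be encrypted, not re-keyed. The following is an added example, not code from this thread or from Jamf; the fdesetup status texts in it are constructed samples of the usual wording so the logic can be exercised without a Mac, and the exact strings should be confirmed against `fdesetup status` on the macOS version in use.

```sh
#!/bin/sh
# Added example, not code from the thread: classify `fdesetup status` output
# and pick the right follow-up before rotating the recovery key.
# The sample status texts below are constructed from typical fdesetup wording.

# fv_state STATUS_TEXT -> on | off | encrypting | deferred | unknown
# Order matters: the "Encryption in progress" and "Deferred enablement" lines
# are printed alongside the On/Off line, so they are matched first.
fv_state() {
    case "$1" in
        *"Deferred enablement appears to be active"*) echo deferred ;;
        *"Encryption in progress"*)                    echo encrypting ;;
        *"FileVault is On."*)                          echo on ;;
        *"FileVault is Off."*)                         echo off ;;
        *)                                             echo unknown ;;
    esac
}

# next_action STATE -> rotate | wait | enable | investigate
next_action() {
    case "$1" in
        on)           echo rotate ;;       # safe to changerecovery, then recon
        encrypting)   echo wait ;;         # let encryption finish, then recon
        off|deferred) echo enable ;;       # a new key cannot fix an unencrypted disk
        *)            echo investigate ;;
    esac
}

# Constructed samples of fdesetup status output (assumed wording)
SAMPLE_ON='FileVault is On.'
SAMPLE_OFF='FileVault is Off.'
SAMPLE_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 37'
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'admin'."

# On a real Mac, run as root (for example from a Jamf policy), act on the
# live status. Elsewhere this block is skipped so the functions can be tested.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    live="$(fdesetup status 2>&1)"
    state="$(fv_state "$live")"
    action="$(next_action "$state")"
    echo "FileVault state: $state -> $action"
    case "$action" in
        rotate)
            # Prompts for a SecureToken user, or feed credentials via -inputplist
            fdesetup changerecovery -personal || exit 1
            jamf recon
            ;;
        wait)
            jamf recon
            ;;
        *)
            exit 1
            ;;
    esac
fi
```

Pushed as a Jamf policy script, the "enable" and "investigate" branches exit non-zero, so the policy log shows which Macs are not actually encrypted rather than silently rotating a key on a disk that never was.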

I confirm that the above script works like magic, thank you so much for your help!!

Matt_Roy93
Contributor

I am experiencing a similar issue in our environment. It seems the profile to encrypt the drive may have run and cached a key in the past, but when the device was re-enrolled, re-imaged, etc. it did not apply the actual encryption. I would try deleting the device and re-enrolling it, if possible, to remediate.

Matt_Roy93
Contributor

If you push an additional profile for FV2, it will fail over and over because a key is already present.