Posted on 09-12-2017 09:53 AM
So I'm excited to see some of the new features in 9.101, but specifically the items around FileVault on High Sierra have given me some areas of concern (either from a lack of understanding or from confusion).
So the release notes say this about FV2 and Configuration Profiles:
New options have been added to the FileVault tab on the Security & Privacy payload to enable and manage the personal FileVault recovery key. In addition, you can use the new Recovery Key Encryption Method option to choose the method the JSS will use for encrypting and decrypting the personal recovery key. For more information, see the following Knowledge Base article: Configuration Profiles Reference. Note: On macOS 10.13 or later, you must use these options instead of the FileVault Recovery Key Redirection payload which is not supported on macOS 10.13. However, you must continue to use the FileVault Recovery Key Redirection payload to manage the personal FileVault recovery key for computers with macOS 10.12 or earlier.
I've been using a Policy to configure Disk Encryption with an individual key and a re-issue FV2 key script by Jamf (link) to issue a new individual key for users who encrypted prior to Jamf enrollment. We also use a configuration profile to redirect those FV2 keys to the JSS.
So I guess I have two questions from this then
1. Does this new change for High Sierra require that we issue FV2 keys only by config profiles now?
2. With the new config profile, will I be able to report a new user's existing FV2 key? I don't believe this was possible before, which is why I have the re-issue FV2 key script.
Posted on 09-12-2017 01:26 PM
@stevesmith This really just touches on how recovery key redirects work. Use the new profile for 10.13 machines, use the old redirect for 10.12 and earlier machines. Your workflow doesn't really change. If you have existing FV2 users, you still need to regenerate a new recovery key for it to get escrowed to the JSS.
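The step the reply above hinges on, regenerating the personal recovery key on a Mac that was encrypted before enrollment so that the profile can escrow the new key to the JSS, can be done with fdesetup. The script below is an added example for this thread; it is not the Jamf re-issue script linked in the question and not part of either post. It assumes it runs as root from a Jamf policy with the FileVault-enabled local admin's username and password passed as script parameters $4 and $5 (an assumption about how you would wire it up), feeds those credentials to `fdesetup changerecovery -personal` via `-inputplist` on stdin, and reads the new key back from the `-outputplist` result only to confirm that a key was actually issued, without logging it.

```shell
#!/bin/bash
# Added example, not Jamf's own script: re-issue the personal FileVault
# recovery key so the FileVault profile can escrow the new key to the JSS.
# Assumes root and that $4/$5 carry the admin username/password from the
# Jamf policy (assumption; $1-$3 are reserved by Jamf).

# Interpret the output of `fdesetup status` ("FileVault is On." / "FileVault is Off.").
filevault_is_on() {
  case "$1" in
    "FileVault is On."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Escape XML special characters so a password containing & or < does not
# break the plist handed to fdesetup.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the credentials plist that `fdesetup ... -inputplist` reads from stdin.
build_input_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>$(xml_escape "$1")</string>
  <key>Password</key>
  <string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

# Pull the RecoveryKey string out of the plist fdesetup prints with -outputplist
# (key name as emitted by fdesetup; the value is only checked, never logged).
recovery_key_from_plist() {
  printf '%s\n' "$1" | sed -n '/<key>RecoveryKey<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}'
}

reissue_personal_recovery_key() {
  status="$(fdesetup status)"
  if ! filevault_is_on "$status"; then
    echo "FileVault is not enabled on this Mac; nothing to re-issue." >&2
    return 1
  fi
  # Credentials go in on stdin, the new key comes back as a plist on stdout.
  out="$(build_input_plist "$1" "$2" | fdesetup changerecovery -personal -outputplist -inputplist)" || return 1
  key="$(recovery_key_from_plist "$out")"
  if [ -z "$key" ]; then
    echo "fdesetup did not return a new recovery key." >&2
    return 1
  fi
  echo "New personal recovery key issued; the FileVault profile can now escrow it to the JSS."
  return 0
}

# Only attempt the change where it can actually work: as root, on a Mac with fdesetup.
if [ "$(id -u)" -eq 0 ] && command -v fdesetup >/dev/null 2>&1; then
  reissue_personal_recovery_key "$4" "$5"
fi
```

Run it as a script in the policy that follows enrollment for already-encrypted Macs, then collect inventory; on 10.13 the new Security & Privacy payload options and on 10.12 the Recovery Key Redirection payload are what carry the regenerated key to the JSS, exactly as the reply describes.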