Hey Jamf Nation,
I'm at a loss here. I have multiple endpoints that are prompting for recovery keys out of the blue. The only things that have changed recently in our environment are the recent security patch for macOS (that messed with the keychain and Okta Device Trust), as well as a Google Chrome forced patch via patch management (this is less likely the cause, but you never know). Has anyone else experienced this very recently?
I have the exact same issue on my environment and I can't find any explanations... These happen to be absolutely random and once the recovery key is filled the only option is to reboot the device ; no update, nothing. Was about to open a support ticket but if someone as the slightest idea of what's going on I'm all ears.
We've had four of these since Saturday (12/06/2021) and a couple more earlier on in the month.
All of the ones experiencing the issue are running Big Sur. We still have a large proportion on Catalina, none have had this issue.
Three are on 11.2.3, one is on 11.3.1.
Nothing in relation to FileVault has changed recently either.
Going to raise with Jamf now. I'll report back if we get a solution or find a cause.
To anyone following this thread, we believe the issue was isolated to specific set of circumstances:
- Mac computer with Apple silicon
- Automated Device Enrollment with standard user created from the Setup Assistant
- Standard user is the only SecureToken-holder (aka "volume owner")
- FileVault is enabled
- Configuration profile with Software Update payload configured to automatically download available updates. (also possible to trigger with a
softwareupdate -d -a command in place of profile to download the update.)
Once the update is downloaded, the next time the computer is restarted it will boot to the Recovery Assistant. Since the user isn't an administrator with a SecureToken, authentication by personal recovery key (PRK) is requested instead. This appears to affect computers with admin users too, but they are instead prompted to enter their password instead of a recovery key.
If this appears to be the issue you're encountering, please contact support and reference PI-009844 for us to track impact and escalate with Apple. If you are escalating with Apple directly to share impact, you can reference FB9196443 or AppleCare case #101417267535
We are experiencing the same problem and meet most of the circumstances: Automated Device Enrollment computers on Apple Silicon FileVaulted with software update downloaded. We were able to replicate the boot into Recovery Assistant with automated MDM with an admin account created during PreStage Enrollment without any configuration profiles or policies scoped to the computer. Using the Software Update GUI seems to trigger the behavior as well. Was there a resolution to this behavior that didn't involve updating to 11.4? I noticed that there was a change to the recoveryOS framework in 11.4 but I can't determined the mechanisms for the change in behavior.
We faced a similar issues with our M1 Macs.
We have them as Admin during enrollment, and then demote once everything is installed (We run DEPNotify for this), so we dont create an extra "IT Admin" Account.
Users have SecureToken, and config profile as you mentioned above.
Perhaps related. Testing some changes and hopefully this can stop happening.
It helps, but it's still randomly occurring. Our M1 Airs shipped with 11.3.1 and it's occurred on nearly all of those. Those on later builds(11.5 or later) it's barely been an issue. Only one on 11.5.2 that it happened with was a policy with an MDM restart trigger that caused the key prompt to appear. I've removed that until further notice.
Hello beautiful people !
So this a a known issue impacting M1 - Apple Silicon computers with :
* Standard user with the only SecureToken
* Automated Device Enrollment with standard user created from the Setup Assistant
* FileVault enable
This "should" be fixed with the release of Monterey. In the meantime you can disable automatic updates but this isn't very effective to be honest.
We are seeing this issue as well and have been for a few months. We have also been in the process of deploying new M1 laptops to large numbers of users and our help desk gets a number of calls each day about this issue. I just took a look at a number of the assets that have had the issue in the last couple of days and all we running 11.5.2. One was running 11.6. I'm not sure about the theory of it being better on newer OS updates. @florent_bailly How do we know this should be fixed with Monterey ? Our theory is more that this is being triggered after a software update. It seems to be the update mechanism on the M1s, where it needs a secure token and user intervention before it can take place. If we manually update from Software Update, we don't see this problem. This only happens when it is done remotely via MDM.
I have seen similar things for our M1's. It seemed more of an occurring issue when we hade automatic updates On via config profiles.
Once turned off, it was less frequent, but happened randomly. We moved to an MDM / API solution which seems to run more stable now.
Also had a conversation with Apple and monterey should adress this (hopefully).
Starting to see the same here. Two on 11.5.2, but it's occurring more frequently on those running 11.3.1 for me. Auto updates is turned off(which makes me fail at two things with the CIS benchmark), I've stopped using MDM to push updates and no longer have restarts in policies.
It's much too random. I don't differ setups between myself, techs, faculty, staff etc and mine was first out of the gate and it's never done it. I've had a dozen more that it never occurred on then I'll have a handful that it happened on at least three times. It's maddening and makes me wonder whether it was the right move to make the user account standard vs admin.
Did we get to the bottom of this? I've been out of the loop a little while and just came across this on an 11.6 machine, looking at my environment I'd say 1st user created as a standard user is the issue, I personally opted for demotion after the 1st day when I deployed this setup before whereas the setup I have inherited creates standard off the bat and I wonder if this is the issue.
Since my last post I've had one instance of this after forcing everyone to 11.5 and higher. No instances on 12.0.1 either but I'm not knocking on wood yet as it's been too soon.
I've also modified my pre-stages to create administrator accounts and them demote them using SAPs' privileges app.