macOS Randomly Prompting for recovery key

lukasindre
New Contributor III

Hey Jamf Nation,

I'm at a loss here. I have multiple endpoints that are prompting for recovery keys out of the blue. The only things that have changed recently in our environment are the recent security patch for macOS (that messed with the keychain and Okta Device Trust), as well as a Google Chrome forced patch via patch management (this is less likely the cause, but you never know). Has anyone else experienced this very recently?

29 REPLIES 29

florent_bailly
New Contributor II

Hey @lukasindre

I have the exact same issue on my environment and I can't find any explanations... These happen to be absolutely random and once the recovery key is filled the only option is to reboot the device ; no update, nothing. Was about to open a support ticket but if someone as the slightest idea of what's going on I'm all ears.

tfenna
New Contributor II

We've had four of these since Saturday (12/06/2021) and a couple more earlier on in the month.

All of the ones experiencing the issue are running Big Sur. We still have a large proportion on Catalina, none have had this issue.
Three are on 11.2.3, one is on 11.3.1.
Nothing in relation to FileVault has changed recently either.

Going to raise with Jamf now. I'll report back if we get a solution or find a cause.

fredrik_virding
Contributor

Hi,

I had similar issues, but after 11.4 i dont see these issues.
M1:s were the prime suspect here.

lukasindre
New Contributor III

Jamf support didn't have an answer when i raised the issue either. They want me to turn on authenticated restart for all my jamf policies that have restart options configured. @fredrik.virding I'll try to move all my m1s to 11.4 and hope that works

fredrik_virding
Contributor

@lukasindre In my testing at least, it seems to happen when it tries to make any form of OS changes, so possible something with a token or so, or just "apple magic".

mark_buffington
Contributor
Contributor

To anyone following this thread, we believe the issue was isolated to specific set of circumstances:
- Mac computer with Apple silicon
- Automated Device Enrollment with standard user created from the Setup Assistant
- Standard user is the only SecureToken-holder (aka "volume owner")
- FileVault is enabled
- Configuration profile with Software Update payload configured to automatically download available updates. (also possible to trigger with a softwareupdate -d -a command in place of profile to download the update.)

Once the update is downloaded, the next time the computer is restarted it will boot to the Recovery Assistant. Since the user isn't an administrator with a SecureToken, authentication by personal recovery key (PRK) is requested instead. This appears to affect computers with admin users too, but they are instead prompted to enter their password instead of a recovery key.

If this appears to be the issue you're encountering, please contact support and reference PI-009844 for us to track impact and escalate with Apple. If you are escalating with Apple directly to share impact, you can reference FB9196443 or AppleCare case #101417267535

We are experiencing the same problem and meet most of the circumstances: Automated Device Enrollment computers on Apple Silicon FileVaulted with software update downloaded. We were able to replicate the boot into Recovery Assistant with automated MDM with an admin account created during PreStage Enrollment without any configuration profiles or policies scoped to the computer. Using the Software Update GUI seems to trigger the behavior as well. Was there a resolution to this behavior that didn't involve updating to 11.4? I noticed that there was a change to the recoveryOS framework in 11.4 but I can't determined the mechanisms for the change in behavior. 

From the AppleCare response as well as testing, this issue appears resolved in Monterey betas. 

Thanks! 

fredrik_virding
Contributor

Hi @mark.buffington

We faced a similar issues with our M1 Macs.

We have them as Admin during enrollment, and then demote once everything is installed (We run DEPNotify for this), so we dont create an extra "IT Admin" Account.

Users have SecureToken, and config profile as you mentioned above.

Perhaps related. Testing some changes and hopefully this can stop happening.

how does this alleviate the issue? if i am understanding it anytime an OS update is being applied and only a standard user exists macOS will require the recovery token on reboot?

I think as mentioned above, a few updates past 11.5 and it hasnt been an issue so far.

I recall mentioning this to Apple and it is something that should be resolved in a future update.

fthomas152
New Contributor

Seeing this in our environment too. Exactly the scenario described above; Automated enrollment, apple silicon, standard user filevault.

 

Going to turn of my auto update OS profile for the apple silicon macs, anyone seen if this helps or not?

It helps, but it's still randomly occurring. Our M1 Airs shipped with 11.3.1 and it's occurred on nearly all of those. Those on later builds(11.5 or later) it's barely been an issue. Only one on 11.5.2 that it happened with was a policy with an MDM restart trigger that caused the key prompt to appear. I've removed that until further notice.

florent_bailly
New Contributor II

Hello beautiful people ! 

So this a a known issue impacting M1 - Apple Silicon computers with : 
Standard user with the only SecureToken
Automated Device Enrollment with standard user created from the Setup Assistant
* FileVault enable

This "should" be fixed with the release of Monterey. In the meantime you can disable automatic updates but this isn't very effective to be honest. 

rcorbin
Contributor II

We are seeing this issue as well and have been for a few months. We have also been in the process of deploying new M1 laptops to large numbers of users and our help desk gets a number of calls each day about this issue. I just took a look at a number of the assets that have had the issue in the last couple of days and all we running 11.5.2. One was running 11.6. I'm not sure about the theory of it being better on newer OS updates. @florent_bailly How do we know this should be fixed with Monterey ? Our theory is more that this is being triggered after a software update. It seems to be the update mechanism on the M1s, where it needs a secure token and user intervention before it can take place. If we manually update from Software Update, we don't see this problem. This only happens when it is done remotely via MDM.

Hi,

I have seen similar things for our M1's. It seemed more of an occurring issue when we hade automatic updates On via config profiles. 

Once turned off, it was less frequent, but happened randomly. We moved to an MDM / API solution which seems to run more stable now.

 

Also had a conversation with Apple and monterey should adress this (hopefully).

Hey @rcorbin 👋

I'm just quoting Jamf Support Team here. I opened a ticket regarding this, that was their answer. 
We cannot be 100% sure it will be resolved with Monterey 😕

Starting to see the same here. Two on 11.5.2, but it's occurring more frequently on those running 11.3.1 for me. Auto updates is turned off(which makes me fail at two things with the CIS benchmark), I've stopped using MDM to push updates and no longer have restarts in policies. 

It's much too random. I don't differ setups between myself, techs, faculty, staff etc and mine was first out of the gate and it's never done it. I've had a dozen more that it never occurred on then I'll have a handful that it happened on at least three times. It's maddening and makes me wonder whether it was the right move to make the user account standard vs admin.

tstott
New Contributor II

Did we get to the bottom of this?  I've been out of the loop a little while and just came across this on an 11.6 machine,  looking at my environment I'd say 1st user created as a standard user is the issue,  I personally opted for demotion after the 1st day when I deployed this setup before whereas the setup I have inherited creates standard off the bat and I wonder if this is the issue. 

mainelysteve
Valued Contributor

Since my last post I've had one instance of this after forcing everyone to 11.5 and higher. No instances on 12.0.1 either but I'm not knocking on wood yet as it's been too soon.

I've also modified my pre-stages to create administrator accounts and them demote them using SAPs' privileges app.

rebecca_latimer
New Contributor III

We are still seeing this issue here on 11.6 with automatic updates turned off. Same setup as everyone else here - standard user, FileVault on, M1 MacBook Airs. I haven't seen the issue on Monterey yet, but we have very few devices running it right now.

florent_bailly
New Contributor II

I already have about 100 new devices on Monterey in production and no issue yet, and to be clear I didn't change a thing on my environment so maybe it is fixed with macOS 12... 
I'll keep you posted.

bfreezy
New Contributor

I'm seeing this issue across our M1 devices running 12.0.1.

 

* Admin user with the only SecureToken
Automated Device Enrollment
* FileVault enable

* Software Update profile to download updates in background

rcorbin
Contributor II

That's sad to hear @bfreezy  I was thinking this was cleared up on Monterey. I had thought with some of the later Big Sur revisions it got better.

Agreed. I've flipped our Software Update profile to stop downloading updates in the background. Will likely open up a case with Apple if things don't improve.

MTrot1234
New Contributor

This just happened to my wife’s work issued computer. It restarted on its own. Now it’s asking for a recovery key that she NEVER generated, and to her knowledge, no one generated for her. Suffice to say, she has no recovery key. What is the solution?

The key is automatically generated and escrowed with the jamf server. The
jamf admin can retrieve it and sent it to her.

tstott
New Contributor II

Almost certainly if it’s a work computer it will be encrypted, and she will need to contact her IT dept for it.