Posted on 06-07-2021 10:54 AM
Hey Jamf Nation,
I'm at a loss here. I have multiple endpoints that are prompting for recovery keys out of the blue. The only things that have changed recently in our environment are the recent security patch for macOS (that messed with the keychain and Okta Device Trust), as well as a Google Chrome forced patch via patch management (this is less likely the cause, but you never know). Has anyone else experienced this very recently?
Posted on 06-11-2021 05:05 AM
I have the exact same issue on my environment and I can't find any explanations... These happen to be absolutely random and once the recovery key is filled the only option is to reboot the device ; no update, nothing. Was about to open a support ticket but if someone as the slightest idea of what's going on I'm all ears.
Posted on 06-14-2021 03:06 AM
We've had four of these since Saturday (12/06/2021) and a couple more earlier on in the month.
All of the ones experiencing the issue are running Big Sur. We still have a large proportion on Catalina, none have had this issue.
Three are on 11.2.3, one is on 11.3.1.
Nothing in relation to FileVault has changed recently either.
Going to raise with Jamf now. I'll report back if we get a solution or find a cause.
Posted on 06-14-2021 03:53 AM
I had similar issues, but after 11.4 i dont see these issues.
M1:s were the prime suspect here.
Posted on 06-14-2021 06:29 AM
Jamf support didn't have an answer when i raised the issue either. They want me to turn on authenticated restart for all my jamf policies that have restart options configured. @fredrik.virding I'll try to move all my m1s to 11.4 and hope that works
Posted on 06-14-2021 06:50 AM
@lukasindre In my testing at least, it seems to happen when it tries to make any form of OS changes, so possible something with a token or so, or just "apple magic".
Posted on 06-25-2021 02:56 PM
To anyone following this thread, we believe the issue was isolated to specific set of circumstances:
- Mac computer with Apple silicon
- Automated Device Enrollment with standard user created from the Setup Assistant
- Standard user is the only SecureToken-holder (aka "volume owner")
- FileVault is enabled
- Configuration profile with Software Update payload configured to automatically download available updates. (also possible to trigger with a
softwareupdate -d -a command in place of profile to download the update.)
Once the update is downloaded, the next time the computer is restarted it will boot to the Recovery Assistant. Since the user isn't an administrator with a SecureToken, authentication by personal recovery key (PRK) is requested instead. This appears to affect computers with admin users too, but they are instead prompted to enter their password instead of a recovery key.
If this appears to be the issue you're encountering, please contact support and reference PI-009844 for us to track impact and escalate with Apple. If you are escalating with Apple directly to share impact, you can reference FB9196443 or AppleCare case #101417267535
Posted on 08-20-2021 01:19 PM
We are experiencing the same problem and meet most of the circumstances: Automated Device Enrollment computers on Apple Silicon FileVaulted with software update downloaded. We were able to replicate the boot into Recovery Assistant with automated MDM with an admin account created during PreStage Enrollment without any configuration profiles or policies scoped to the computer. Using the Software Update GUI seems to trigger the behavior as well. Was there a resolution to this behavior that didn't involve updating to 11.4? I noticed that there was a change to the recoveryOS framework in 11.4 but I can't determined the mechanisms for the change in behavior.
Posted on 08-20-2021 01:22 PM
From the AppleCare response as well as testing, this issue appears resolved in Monterey betas.
Posted on 08-20-2021 01:26 PM
Posted on 06-28-2021 12:35 AM
We faced a similar issues with our M1 Macs.
We have them as Admin during enrollment, and then demote once everything is installed (We run DEPNotify for this), so we dont create an extra "IT Admin" Account.
Users have SecureToken, and config profile as you mentioned above.
Perhaps related. Testing some changes and hopefully this can stop happening.
Posted on 07-14-2021 11:23 AM
how does this alleviate the issue? if i am understanding it anytime an OS update is being applied and only a standard user exists macOS will require the recovery token on reboot?
Posted on 09-14-2021 03:40 AM
I think as mentioned above, a few updates past 11.5 and it hasnt been an issue so far.
I recall mentioning this to Apple and it is something that should be resolved in a future update.
Posted on 08-26-2021 02:14 PM
Seeing this in our environment too. Exactly the scenario described above; Automated enrollment, apple silicon, standard user filevault.
Going to turn of my auto update OS profile for the apple silicon macs, anyone seen if this helps or not?
09-13-2021 09:10 AM - edited 09-14-2021 07:09 AM
It helps, but it's still randomly occurring. Our M1 Airs shipped with 11.3.1 and it's occurred on nearly all of those. Those on later builds(11.5 or later) it's barely been an issue. Only one on 11.5.2 that it happened with was a policy with an MDM restart trigger that caused the key prompt to appear. I've removed that until further notice.
Posted on 09-23-2021 05:24 AM
Hello beautiful people !
So this a a known issue impacting M1 - Apple Silicon computers with :
* Standard user with the only SecureToken
* Automated Device Enrollment with standard user created from the Setup Assistant
* FileVault enable
This "should" be fixed with the release of Monterey. In the meantime you can disable automatic updates but this isn't very effective to be honest.
Posted on 10-04-2021 04:35 PM
We are seeing this issue as well and have been for a few months. We have also been in the process of deploying new M1 laptops to large numbers of users and our help desk gets a number of calls each day about this issue. I just took a look at a number of the assets that have had the issue in the last couple of days and all we running 11.5.2. One was running 11.6. I'm not sure about the theory of it being better on newer OS updates. @florent_bailly How do we know this should be fixed with Monterey ? Our theory is more that this is being triggered after a software update. It seems to be the update mechanism on the M1s, where it needs a secure token and user intervention before it can take place. If we manually update from Software Update, we don't see this problem. This only happens when it is done remotely via MDM.
Posted on 10-05-2021 01:26 AM
I have seen similar things for our M1's. It seemed more of an occurring issue when we hade automatic updates On via config profiles.
Once turned off, it was less frequent, but happened randomly. We moved to an MDM / API solution which seems to run more stable now.
Also had a conversation with Apple and monterey should adress this (hopefully).
Posted on 10-05-2021 01:29 AM
Hey @rcorbin 👋
I'm just quoting Jamf Support Team here. I opened a ticket regarding this, that was their answer.
We cannot be 100% sure it will be resolved with Monterey 😕
Posted on 10-05-2021 10:45 AM
Starting to see the same here. Two on 11.5.2, but it's occurring more frequently on those running 11.3.1 for me. Auto updates is turned off(which makes me fail at two things with the CIS benchmark), I've stopped using MDM to push updates and no longer have restarts in policies.
It's much too random. I don't differ setups between myself, techs, faculty, staff etc and mine was first out of the gate and it's never done it. I've had a dozen more that it never occurred on then I'll have a handful that it happened on at least three times. It's maddening and makes me wonder whether it was the right move to make the user account standard vs admin.
Posted on 12-10-2021 02:44 PM
Did we get to the bottom of this? I've been out of the loop a little while and just came across this on an 11.6 machine, looking at my environment I'd say 1st user created as a standard user is the issue, I personally opted for demotion after the 1st day when I deployed this setup before whereas the setup I have inherited creates standard off the bat and I wonder if this is the issue.
Posted on 12-13-2021 05:43 AM
Since my last post I've had one instance of this after forcing everyone to 11.5 and higher. No instances on 12.0.1 either but I'm not knocking on wood yet as it's been too soon.
I've also modified my pre-stages to create administrator accounts and them demote them using SAPs' privileges app.
Posted on 12-16-2021 07:33 AM
We are still seeing this issue here on 11.6 with automatic updates turned off. Same setup as everyone else here - standard user, FileVault on, M1 MacBook Airs. I haven't seen the issue on Monterey yet, but we have very few devices running it right now.
Posted on 12-16-2021 07:51 AM
I already have about 100 new devices on Monterey in production and no issue yet, and to be clear I didn't change a thing on my environment so maybe it is fixed with macOS 12...
I'll keep you posted.
Posted on 12-17-2021 02:24 PM
I'm seeing this issue across our M1 devices running 12.0.1.
* Admin user with the only SecureToken
* Automated Device Enrollment
* FileVault enable
* Software Update profile to download updates in background
Posted on 12-17-2021 02:38 PM
That's sad to hear @bfreezy I was thinking this was cleared up on Monterey. I had thought with some of the later Big Sur revisions it got better.
Posted on 12-17-2021 03:04 PM
Agreed. I've flipped our Software Update profile to stop downloading updates in the background. Will likely open up a case with Apple if things don't improve.
Posted on 01-09-2022 05:43 PM
This just happened to my wife’s work issued computer. It restarted on its own. Now it’s asking for a recovery key that she NEVER generated, and to her knowledge, no one generated for her. Suffice to say, she has no recovery key. What is the solution?
Posted on 01-14-2022 11:20 AM
Posted on 01-09-2022 10:38 PM
Almost certainly if it’s a work computer it will be encrypted, and she will need to contact her IT dept for it.