Skip to main content

Hi All,



I'm in the process of moving from JAMF Now to Pro. Currently have around 100 computers on JAMF Now and their FileVault key are store in the JAMF NOW Cloud. How can I migrate those recovery keys to Jamf Pro using profiles/policy script.



I know that i could go on the host computer. Switch off filevault. Remove computer on JAMF Now. Enroll into JAMF Pro and use a policy/script to escrow key to JAMF Pro cloud. But thats very involved.



Is there any other workflows that allow me to be more hands off.

Might want to speak with your TAM, I wouldn't be surprised if they had an official process for this.

I had a similar issue with bringing already FileVaulted machines into Jamf Pro.
The only way i could figure out how to get the key into Jamf pro was to turn off FileVault on the machine and catch them with a config profile on next login.

You may be able to do this with configuration profiles and policy in Jamf Pro. I have done this for two clients that came from different MDMs. @zake

Could you not push out the Config Profile to enable FV2 with escrow and then a policy to reissue the filevault2 key followed by a jamf recon to upload the new key?

@Cayde-6 Exactly was I was thinking just forgot the terms for this without looking at my clients deployment.

Thanks

So I'm moving about 120 machines that are encrypted on an on-premises Jamf server, to Jamf cloud. Am I correct in thinking that I can leave the machines encrypted, migrate them to the new server, then have a policy to issue a new FileVault recovery key and it should store it in Jamf?

Hi, I've got the same issue. I have about 100 macs on the site which have filevault enabled. I've just installed Jamf Pro and enrolled all clients to the server. I've setup the first policy to escrow filevault keys to jamf server but the second policy to renew the filevault key fails with this error:



Executing Policy Test Recover Filevault key
Error: Authentication error.



Is this the best way to get the keys to the jamf server from macs with filevault already setup?

I've also tried this script after deploying the configuration profile to redirect the filevault keys to jamf server.



https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh



It works and forces user to generate the new key but I don't see the new key in Jamf??? Even after running on the client sudo jamf recon to update inventory.

Right I've got it working. I was missing a payload in my configuration policy. "Enable Escrow Personal Recovery Key (macOS 10.13 or later) " Works perfectly. Sorry for hijacking this thread :)

Right I've got it working. I was missing a payload in my configuration policy. "Enable Escrow Personal Recovery Key (macOS 10.13 or later) " Works perfectly. Sorry for hijacking this thread :)



What do you mean by missing Payload in the configuration policy?

Reply


Terms & ConditionsCookie settings