Solved

Migrating FileVault Encryption Keys to JAMF Pro


  • New Contributor
  • 7 replies

Hi All,

I'm in the process of moving from Jamf Now to Pro. I currently have around 100 computers on Jamf Now, and their FileVault keys are stored in the Jamf Now cloud. How can I migrate those recovery keys to Jamf Pro using a profile/policy script?

I know that I could go to the host computer, switch off FileVault, remove the computer from Jamf Now, enroll it into Jamf Pro, and use a policy/script to escrow the key to the Jamf Pro cloud. But that's very involved.

Are there any other workflows that would allow me to be more hands-off?


11 replies


Might want to speak with your TAM, I wouldn't be surprised if they had an official process for this.


  • Contributor
  • 15 replies
  • January 30, 2019

I had a similar issue bringing already-FileVaulted machines into Jamf Pro. The only way I could figure out how to get the key into Jamf Pro was to turn off FileVault on the machine and catch them with a config profile on next login.


KyleEricson
  • Valued Contributor
  • 444 replies
  • January 27, 2020

You may be able to do this with configuration profiles and policy in Jamf Pro. I have done this for two clients that came from different MDMs. @zake


Cayde-6
  • Honored Contributor
  • 606 replies
  • Answer
  • January 27, 2020

Could you not push out the config profile to enable FV2 with escrow, then a policy to reissue the FileVault 2 key, followed by a jamf recon to upload the new key?
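
The rotate-then-recon step from this answer, written out as an added example script. It is not from the thread and not Jamf's own reissueKey.sh; it assumes the configuration profile built with Jamf's "Enable Escrow Personal Recovery Key" option (which installs a com.apple.security.FDERecoveryKeyEscrow payload) is already on the Mac, and it refuses to rotate otherwise, because a key rotated before that payload lands is never sent to Jamf Pro. The osascript password prompt, the FDESETUP/JAMF path variables, the FileVault-user check and the key-format check are this example's own choices, not part of any Jamf tool.

```bash
#!/bin/bash
# Added example: rotate the FileVault personal recovery key (PRK) so the
# escrow profile captures the new key, then run a recon so Jamf Pro
# receives it. Run as root from a Jamf policy; the console user must be a
# FileVault-enabled user. The two paths are overridable for testing.
set -u

FDESETUP="${FDESETUP:-/usr/bin/fdesetup}"
JAMF="${JAMF:-/usr/local/bin/jamf}"

# Escape the three characters that would break the plist fed to fdesetup.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Build the plist fdesetup reads from stdin with -inputplist, so the
# password never appears on a command line or in `ps` output.
build_inputplist() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<plist version="1.0"><dict>\n'
    printf '<key>Username</key><string>%s</string>\n' "$(xml_escape "$1")"
    printf '<key>Password</key><string>%s</string>\n' "$(xml_escape "$2")"
    printf '</dict></plist>\n'
}

# A personal recovery key is six groups of four uppercase letters/digits.
is_recovery_key() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Pull the first PRK-shaped token out of fdesetup's output on stdin; the
# wording around it is not something to depend on.
extract_key() {
    grep -Eo '([A-Z0-9]{4}-){5}[A-Z0-9]{4}' | head -n 1
}

# Refuse to rotate unless the escrow payload is installed: a key rotated
# before it lands is never escrowed, which is the symptom in this thread.
escrow_profile_installed() {
    /usr/bin/profiles -C -v 2>/dev/null | grep -q 'com.apple.security.FDERecoveryKeyEscrow'
}

# Rotate the PRK. Succeeds only if fdesetup returned a well-formed key.
# The key itself is deliberately not printed: policy logs are readable by
# every Jamf Pro admin, and escrow is the only copy that should exist.
rotate_key() {
    local out key
    out=$(build_inputplist "$1" "$2" | "$FDESETUP" changerecovery -personal -inputplist 2>&1) || {
        echo "fdesetup changerecovery failed: ${out}" >&2
        return 1
    }
    key=$(printf '%s\n' "$out" | extract_key)
    is_recovery_key "$key" || { echo "no recovery key in fdesetup output" >&2; return 1; }
    return 0
}

main() {
    local user pass
    "$FDESETUP" status | grep -q 'FileVault is On' || { echo "FileVault is not on; nothing to rotate" >&2; exit 1; }
    escrow_profile_installed || { echo "escrow profile missing; install it first" >&2; exit 1; }
    user=$(/usr/bin/stat -f%Su /dev/console)
    # fdesetup list prints "user,UUID" per FileVault-enabled user; a user not
    # listed here gets "Authentication error" from changerecovery.
    "$FDESETUP" list | grep -qi "^${user}," || { echo "${user} is not FileVault-enabled" >&2; exit 1; }
    pass=$(/usr/bin/osascript -e 'display dialog "Enter your Mac password to renew the FileVault recovery key" default answer "" with hidden answer buttons {"OK"} default button 1' -e 'text returned of result')
    rotate_key "$user" "$pass" || exit 1
    "$JAMF" recon
}

# Only run the workflow as root on a Mac that has fdesetup; sourcing the
# file anywhere else just defines the functions.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ] && [ -x "$FDESETUP" ]; then
    main
fi
```

Scope this policy to a smart group of computers whose escrow profile is already installed; otherwise the rotation runs, the prompt is shown, and the new key goes nowhere.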


KyleEricson
  • Valued Contributor
  • 444 replies
  • January 27, 2020

@Cayde-6 Exactly what I was thinking; I just forgot the terms for this without looking at my client's deployment.


  • Author
  • New Contributor
  • 7 replies
  • January 27, 2020

Thanks


Jason33
  • Honored Contributor
  • 223 replies
  • January 28, 2020

So I'm moving about 120 machines that are encrypted on an on-premises Jamf server to Jamf Cloud. Am I correct in thinking that I can leave the machines encrypted, migrate them to the new server, then have a policy issue a new FileVault recovery key, and it should store it in Jamf?


  • Contributor
  • 17 replies
  • March 17, 2021

Hi, I've got the same issue. I have about 100 Macs on site which have FileVault enabled. I've just installed Jamf Pro and enrolled all clients to the server. I've set up the first policy to escrow FileVault keys to the Jamf server, but the second policy to renew the FileVault key fails with this error:

Executing Policy Test Recover Filevault key
Error: Authentication error.

Is this the best way to get the keys to the Jamf server from Macs with FileVault already set up?


  • Contributor
  • 17 replies
  • March 17, 2021

I've also tried this script after deploying the configuration profile to redirect the FileVault keys to the Jamf server:

https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh

It works and forces the user to generate the new key, but I don't see the new key in Jamf, even after running sudo jamf recon on the client to update inventory.


  • Contributor
  • 17 replies
  • March 17, 2021

Right, I've got it working. I was missing a payload in my configuration policy: "Enable Escrow Personal Recovery Key (macOS 10.13 or later)". Works perfectly. Sorry for hijacking this thread :)


  • New Contributor
  • 2 replies
  • May 3, 2023
robbo007 wrote:

    Right, I've got it working. I was missing a payload in my configuration policy: "Enable Escrow Personal Recovery Key (macOS 10.13 or later)". Works perfectly. Sorry for hijacking this thread :)


What do you mean by missing Payload in the configuration policy?

