Migrating FileVault Encryption Keys to JAMF Pro

zake
New Contributor III

Hi All,

I'm in the process of moving from JAMF Now to Pro. Currently have around 100 computers on JAMF Now and their FileVault key are store in the JAMF NOW Cloud. How can I migrate those recovery keys to Jamf Pro using profiles/policy script.

I know that i could go on the host computer. Switch off filevault. Remove computer on JAMF Now. Enroll into JAMF Pro and use a policy/script to escrow key to JAMF Pro cloud. But thats very involved.

Is there any other workflows that allow me to be more hands off.

1 ACCEPTED SOLUTION

Cayde-6
Release Candidate Programs Tester

Could you not push out the Config Profile to enable FV2 with escrow and then a policy to reissue the filevault2 key followed by a jamf recon to upload the new key?

View solution in original post

11 REPLIES 11

andrew_nicholas
Valued Contributor

Might want to speak with your TAM, I wouldn't be surprised if they had an official process for this.

Dan1987
New Contributor III

I had a similar issue with bringing already FileVaulted machines into Jamf Pro. The only way i could figure out how to get the key into Jamf pro was to turn off FileVault on the machine and catch them with a config profile on next login.

KyleEricson
Valued Contributor II

You may be able to do this with configuration profiles and policy in Jamf Pro. I have done this for two clients that came from different MDMs. @zake

Read My Blog: https://www.ericsontech.com

Cayde-6
Release Candidate Programs Tester

Could you not push out the Config Profile to enable FV2 with escrow and then a policy to reissue the filevault2 key followed by a jamf recon to upload the new key?

KyleEricson
Valued Contributor II

@Cayde-6 Exactly was I was thinking just forgot the terms for this without looking at my clients deployment.

Read My Blog: https://www.ericsontech.com

zake
New Contributor III

Thanks

Jason33
Contributor III

So I'm moving about 120 machines that are encrypted on an on-premises Jamf server, to Jamf cloud. Am I correct in thinking that I can leave the machines encrypted, migrate them to the new server, then have a policy to issue a new FileVault recovery key and it should store it in Jamf?

robbo007
New Contributor III

Hi, I've got the same issue. I have about 100 macs on the site which have filevault enabled. I've just installed Jamf Pro and enrolled all clients to the server. I've setup the first policy to escrow filevault keys to jamf server but the second policy to renew the filevault key fails with this error:

Executing Policy Test Recover Filevault key
Error: Authentication error.

Is this the best way to get the keys to the jamf server from macs with filevault already setup?

robbo007
New Contributor III

I've also tried this script after deploying the configuration profile to redirect the filevault keys to jamf server.

https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh

It works and forces user to generate the new key but I don't see the new key in Jamf??? Even after running on the client sudo jamf recon to update inventory.

robbo007
New Contributor III

Right I've got it working. I was missing a payload in my configuration policy. "Enable Escrow Personal Recovery Key (macOS 10.13 or later) " Works perfectly. Sorry for hijacking this thread :)

What do you mean by missing Payload in the configuration policy?