Jamf Nation Community

@merps This looks promising, some validation of keys being escrowed in there too. I'll give a go. Thanks!

Everything but escrowing the keys worked! returned exit code 1

I have a question about this post... did anyone discover or address WHY recovery keys, that were in the JSS, were suddenly blank?

We have experienced this very issue when a user had a problem, our tech went to the JSS to get the Key and the field was blank.
We then dug out an archived backup of the JSS from 65 days before, restored it to a new VM, logged in with the local Admin account and... Voila!... the key was there.

So now we are looking at all our computer records to see what other keys are 'missing'.
My co worker was looking at the SQL and found the 'hide key' attribute (in the backup instance)... flipped it and missing keys reappeared.

We haven't dug much deeper into the production instance yet. We need to determine which machines are encrypted but have a 'missing' or 'unknown' key and find and fix this.

What really concerns me is that data that existed in the database at one point is either deleted or hidden.

Why is this happening?

Any updates? I think we are seeing the same thing: )

C

We're seeing the same thing here. When I opened a support ticket with JAMF, they recommended using the script that @merps linked above. It works. However, I found that recovery keys would again become "Unknown" and disappear from the server a few days or weeks later.

I want to know why they are disappearing... not some script to make them come back if you discover they're gone.

In all the data that is collected and stored by JAMF -- the recovery key, stored is a database, for use if the machine needs unlocking is, arguably the MOST important piece of data in a computer record.

To have it inexplicably disappear is completely unacceptable.

I found this article while searching around for information on FileVault Redirection. Apple appears to have changed the way redirection works in High Sierra. https://derflounder.wordpress.com/2018/01/15/filevault-recovery-key-redirection-profile-changes-in-macos-high-sierra/

We have been encountering this issue, and found similar instances where the key was marked "deleted" in the mysql DB, but contained data for the key itself. Flipping that deleted status made the correct key available.

Would definitely like to get to the bottom of this.

@brodjieski having the same issue. even after flipping the deleted status, individual key appears and still shows unknown. a few keys in database read as "empty set," which doesn't allow me to flip the deleted status. been working with support to issue new recovery keys and find the root cause.

@brodjieski and @ginakung we've been having the same issue. Would you be able to post the mysql commands you're using to verify the status of the key on a specific device (and potentially flip it if incorrect)?

We have also recently found this occurring on machines freshly enabled for FV which seem to have encrypted but have not stored the key in the jss. I have then:

Added a FileVault Recovery Key Redirection config profile to the machines in question

Turned off filevault manually

Turned back on filevault manually, whereby I'm prompted to store the recovery key in the jss

I then do this, and the key appears to store correctly in the machine record in the jss.

I'm curious as to why this is happening as our filevault enabling scripts/policies have not changed recently. The machines in question are older machines and are running 10.12.

@amosdeane I would definitely open a ticket with support, so they can fix this. this is consistent to what jamf provided me:

https://www.jamf.com/jamf-nation/discussions/27635/potential-cause-and-solution-for-missing-filevault-keys

Yes, @ginakung I have now opened one. Will post if I get a solution.

Has anyone got a solution for filevault 2 showing as not configured under the management tab, i have tried running the script linked in this post and it consistently returns:

Username is not on the list of FileVault enabled users

i ran

sudo fdesetup list

and the user im running the script as is in the list of filevault enabled users.

Any suggestions would be great.

@amosdeane Hey there. Did you end up getting a response from JAMF support? We've just noticed this issue on our instance as well and it's beyond frustrating.

Hey there @sean.pascua. I opened a ticket but we weren't able to narrow this down to anything specific causing this I'm afraid. I tried the mysql tweak recommended previously here but this didn't help.

We're having the same issue as well, using Jamf Now (so the cloud version). Created a support case and hopefully they can find the issue.

We have submitted a ticket as well. This seems to be an ongoing problem. We had this issue back in September right before 10.9 came out. So now it's happening again right before 10.10 is released (cloud). The last time it fixed itself after the upgrade but I would like to see a solution before that gets done because I don't want it happening again when 10.11 comes out.

Sorry to re HASH an old thread, but has there been a resolution to this issue? We appear to be experiencing the same, and I need to find a solution to re issue a new individual FV2 recovery key and have it escrowed in the JSS. The script referenced above runs cleanly with a return code of 0, but never escrows the key in JAMF.

Thanks,
Brian

Hi Brian,

We're seeing the same issue. I'd love to hear about a solution too.

So after reaching out to JAMF support - they suggested the following:

https://hcsonline.com/images/PDFs/Jamf_Recovery_key_Filevault.pdf

Which I have tested in our environment - and it works.

The only change I made was to publish the policy out to Self Service - to let our users run when they are ready.