Posted on 10-03-2016 07:42 AM
This is a bit of a problem I've encountered, and I'm close to just re-encrypting the machines, but I thought I'd try here first.
About 30 or so of my OS X devices seem to be missing their individual recovery keys in the JSS. They certainly used to have this info, but now they are showing as Encrypted, individual key validation is Unknown, and disk encryption configuration is blank.
My management account is not a FileVault user, so I can use that, and I don't use an institutional key.
I have the key redirection config profile enabled for the JSS, but a new key generated with fdesetup changerecovery -personal is not posted to the JSS.
Anyone got some inspiration for me?
Posted on 10-03-2016 11:21 AM
We're using this through Self Service to reissue FileVault 2 keys. It will prompt the user and then attempt to issue a new recovery key, escrowing it in the JSS during the process.
Posted on 10-04-2016 01:22 AM
@merps This looks promising, with some validation of keys being escrowed in there too. I'll give it a go. Thanks!
Posted on 10-06-2016 03:59 AM
Everything but escrowing the keys worked! It returned exit code 1.
Posted on 01-02-2018 06:10 AM
I have a question about this post... did anyone discover or address WHY recovery keys, that were in the JSS, were suddenly blank?
We have experienced this very issue when a user had a problem, our tech went to the JSS to get the Key and the field was blank.
We then dug out an archived backup of the JSS from 65 days before, restored it to a new VM, logged in with the local Admin account and... Voila!... the key was there.
So now we are looking at all our computer records to see what other keys are 'missing'.
My co-worker was looking at the SQL and found the 'hide key' attribute (in the backup instance)... flipped it, and the missing keys reappeared.
We haven't dug much deeper into the production instance yet. We need to determine which machines are encrypted but have a 'missing' or 'unknown' key and find and fix this.
What really concerns me is that data that existed in the database at one point is either deleted or hidden.
Why is this happening?
Posted on 01-03-2018 03:19 PM
Any updates? I think we are seeing the same thing :)
Posted on 01-12-2018 12:56 PM
We're seeing the same thing here. When I opened a support ticket with JAMF, they recommended using the script that @merps linked above. It works. However, I found that recovery keys would again become "Unknown" and disappear from the server a few days or weeks later.
Posted on 01-16-2018 11:54 AM
I want to know why they are disappearing... not some script to make them come back if you discover they're gone.
Of all the data that is collected and stored by JAMF, the recovery key, stored in a database for use if the machine needs unlocking, is arguably the MOST important piece of data in a computer record.
To have it inexplicably disappear is completely unacceptable.
Posted on 01-19-2018 11:43 AM
I found this article while searching around for information on FileVault Redirection. Apple appears to have changed the way redirection works in High Sierra. https://derflounder.wordpress.com/2018/01/15/filevault-recovery-key-redirection-profile-changes-in-macos-high-sierra/
Posted on 07-24-2018 12:38 PM
We have been encountering this issue, and found similar instances where the key was marked "deleted" in the mysql DB, but contained data for the key itself. Flipping that deleted status made the correct key available.
Would definitely like to get to the bottom of this.
Posted on 07-26-2018 05:34 AM
@brodjieski Having the same issue. Even after flipping the deleted status, the individual key appears and still shows Unknown. A few keys in the database read as "empty set," which doesn't allow me to flip the deleted status. I've been working with support to issue new recovery keys and find the root cause.
Posted on 08-02-2018 04:46 AM
@brodjieski and @ginakung we've been having the same issue. Would you be able to post the mysql commands you're using to verify the status of the key on a specific device (and potentially flip it if incorrect)?
We have also recently found this occurring on machines freshly enabled for FV, which seem to have encrypted but have not stored the key in the JSS. I have then:
Added a FileVault Recovery Key Redirection config profile to the machines in question
Turned off filevault manually
Turned back on filevault manually, whereby I'm prompted to store the recovery key in the jss
I then do this, and the key appears to store correctly in the machine record in the jss.
I'm curious as to why this is happening as our filevault enabling scripts/policies have not changed recently. The machines in question are older machines and are running 10.12.
Posted on 08-06-2018 12:44 PM
@amosdeane I would definitely open a ticket with support, so they can fix this. This is consistent with what Jamf provided me:
Posted on 08-22-2018 03:16 AM
Yes, @ginakung I have now opened one. Will post if I get a solution.
Posted on 11-15-2018 08:34 AM
Has anyone got a solution for FileVault 2 showing as Not Configured under the Management tab? I have tried running the script linked in this post and it consistently returns:
Username is not on the list of FileVault enabled users
sudo fdesetup list
and the user I'm running the script as is in the list of FileVault enabled users.
Any suggestions would be great.
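An added example, not the script linked in this thread and not Jamf's or Apple's code: a POSIX shell check that matches a username exactly against the output of `fdesetup list` (one `username,UUID` line per enabled user) before a personal recovery key is reissued, with the password read from stdin so it never appears on a command line. The sample list and UUIDs are constructed; the reissue function itself needs macOS and root.

```shell
#!/bin/sh
# Constructed sample of `sudo fdesetup list` output: one "user,UUID" per line.
SAMPLE_LIST='jdoe,0A1B2C3D-0000-4000-8000-00000000AAAA
jdoe2,0A1B2C3D-0000-4000-8000-00000000BBBB
macadmin,0A1B2C3D-0000-4000-8000-00000000CCCC'

# fv_user_enabled "<list output>" "<username>"
# Succeeds only when the username is a complete first field, so a substring
# hit ("jdoe" inside "jdoe2") or a case mismatch does not count as enabled.
fv_user_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { f = 1 } END { exit f ? 0 : 1 }'
}

# xml_escape: make a password safe to embed in the plist fed to fdesetup
# (an unescaped & or < would otherwise produce an invalid input plist).
xml_escape() {
    sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# reissue_personal_key "<username>"
# Reads the user's password from stdin, verifies the user is FileVault-enabled
# with the exact-match check above, then asks fdesetup for a new personal
# recovery key. The new key comes back in the output plist; escrow to the JSS
# still depends on the redirection profile / MDM being in place.
# macOS and root only; not exercised by the test.
reissue_personal_key() {
    user="$1"
    if ! fv_user_enabled "$(fdesetup list)" "$user"; then
        echo "Username $user is not on the list of FileVault enabled users" >&2
        return 1
    fi
    IFS= read -r pw
    pw=$(printf '%s' "$pw" | xml_escape)
    printf '<plist version="1.0"><dict><key>Username</key><string>%s</string><key>Password</key><string>%s</string></dict></plist>' \
        "$user" "$pw" | fdesetup changerecovery -personal -inputplist -outputplist
}
```

Run as `printf '%s\n' "$PASSWORD" | sudo sh -c '. ./fv.sh; reissue_personal_key jdoe'` (file name assumed) to keep the password off the process list.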
Posted on 01-15-2019 04:46 AM
@amosdeane Hey there. Did you end up getting a response from JAMF support? We've just noticed this issue on our instance as well and it's beyond frustrating.
Posted on 01-16-2019 06:09 AM
Hey there @sean.pascua. I opened a ticket but we weren't able to narrow this down to anything specific causing this I'm afraid. I tried the mysql tweak recommended previously here but this didn't help.
Posted on 02-01-2019 04:58 AM
We're having the same issue as well, using Jamf Now (so the cloud version). Created a support case and hopefully they can find the issue.
Posted on 02-26-2019 02:57 PM
We have submitted a ticket as well. This seems to be an ongoing problem. We had this issue back in September right before 10.9 came out. So now it's happening again right before 10.10 is released (cloud). The last time it fixed itself after the upgrade but I would like to see a solution before that gets done because I don't want it happening again when 10.11 comes out.
Posted on 08-01-2019 07:32 AM
Sorry to rehash an old thread, but has there been a resolution to this issue? We appear to be experiencing the same, and I need to find a solution to reissue a new individual FV2 recovery key and have it escrowed in the JSS. The script referenced above runs cleanly with a return code of 0, but never escrows the key in JAMF.
Posted on 08-05-2019 01:35 PM
We're seeing the same issue. I'd love to hear about a solution too.
Posted on 08-08-2019 04:40 AM
So after reaching out to JAMF support, they suggested the following:
I have tested this in our environment, and it works.
The only change I made was to publish the policy out to Self Service, to let our users run it when they are ready.