Mojave and FileVault from configuration profile

New Contributor II

I have been using configuration profiles to require FV2 and redirect the personal key to the on-prem JAMF Pro server (10.8)
I have not bee able to get this to work in Mojave and while I have found other users on the web having the same problem I haven't found a solution. Is there a new way FV2 with key redirection needs to be done with Mojave?

Thanks in advance.



New Contributor III

We just discovered this same issue today. We have been blocking Mojave installs, but just received a repaired Mac back from Apple that was returned with Mojave installed. When trying to re-add our FileVault config profile (which escrows the recovery key to our on-prem JSS), the profile fails to install (JAMF Pro 10.8).

Anyone else know of a fix?

Contributor II

Have got the same. The escrow does not work at encryption.

However running works and the redirect works.

Looking into it the problem it appears that the /var/db/FileVaultPRK.dat is not made after the FV2 Encryption is finished.

Contributor II

Hi All, This appears to be fixed in 10.14.2

New Contributor II

not yet im having issue with it now. Not being able to configure or run filevault. This is what shows in the log files

Error: A problem occurred while trying to enable FileVault. (-69576)

Contributor II

That’s a different problem. Not the recovery key

New Contributor

Has there been any update on this? I'm working on this now and getting this error:

[WARNING] FileVault key was generated, but escrow cannot be confirmed. Please verify that the redirection profile is installed and the Mac is connected to the internet.


I am having similar issues myself, when testing it worked on 10.11 0 to 10.13.6.

So when testing that method on 10.14.4 the keys are not escrowing in.

Has anyone else had a similar experience

New Contributor III

@k84 - I'm seeing the same behaviour.

Contributor II

Escrow is working fine for me in 10.14.4.

Are these upgrades to 10.14 ? If so try reapplying the escrow profile and see if that helps

New Contributor III
New Contributor III

I know it's obvious but just in case, did you create a new payload for Mojave escrow key under "Security & Privacy"?
if it still doesn't escrow, restart the machine and do recon, It might fix the problem

New Contributor III

you ever create the config profile and test and test and get nowhere, then realize you forgot to add the scope? Asking for a friend.

Honored Contributor

^^^ :)

New Contributor III

Escrowing immediately on 10.14.5 for me. I am, however, seeing a different issue, whereby, after the FileVault config profile is applied to the machine, at the next user logout they successfully put in their password to initiate the encryption, it comes up with a message displaying the recovery key but they can't click the 'Continue' button using the mouse or keyboard of the machine, the mouse cursor doesn't appear. I had to remote to the screen and click it using Apple Remote Desktop.

Anyone else seeing that? Probably just me :(

EDIT: Found this actually only occurs on desktop Macs, whereas it's fine on MacBooks.

New Contributor III

Nope. Happens on MacBooks as well. Just pushed the profile to 2 machines and it did the same thing on both.

New Contributor III

Is happening to me too. I'm working on migrating our FV2 from just a policy to a config profile. Everything looked like it went fine, until that first reboot. FWIW, I was able to force kill the machine and it then continued with the encryption process, and did escrow the key, but that's not an acceptable user experience.

I just opened a support ticket to see if this is a known PI..

Valued Contributor II

I saw the same thing, older iMac grayed out 'Continue' buttons and newer iMac good buttons. I assumed it's a macOS issue.