New JSS URL, Updating FileVault Keys

I recently replaced our internal-only Windows Server 2008-based JSS with three Red Hat VMs, two of which are behind a load balancer in our DMZ. As part of this process, I had to change the URL to have a "corp" in it, e.g.:

I have had success re-enrolling our Macs and updating the FileVault keys (institutional and individual) but I have had some inconsistency getting the steps completed in the proper order. So, I am hoping I might get some clarity from the community.

On the new JSS, I re-created the FV configuration exactly as it was on the old JSS, including using the same institutional key. I have a configuration profile (FV key redirect profile) recommended by JAMF for use when individual keys are missing and I have a script (also from JAMF) that is set to run as a later policy (separate from the main FileVault policy) that generates a new individual key and sends it to the JSS.

I think the order is this:

1.) Enroll Mac in the new JSS
2.) Set FV policy to execute at enrollment
3.) Make sure FV redirect profile is in place
4.) Run policy (script from JAMF) to generate new individual key and send it to the JSS
5.) Verify all fields are correctly populated in the Mac record's FV section

Does this sound correct? Most of the time, this works, but sometimes I have to start over or re-run one of the steps.

Has anyone else had success in this scenario? I know it works, but I need to perfect the process before migrating 15,000 Macs to our new JSS.

P.S. - All of our Macs are 10.9.x or 10.10.x. Our future OS X Macs will be enrolled from the start in the new JSS.