Posted on 05-14-2015 11:59 AM
Hi all, just completed our jump start and getting into JAMF.
We set up a self service policy for enabling FileVault on a machine, and ran this policy. JAMF reports it successful, the computer went through the process and encrypted the drive.
At the end of the process, and after several restarts and check ins, we do not have an encryption key in JAMF.
We did this yesterday and the policy functioned as it should.
The only difference from this machine to the one that it worked on was that we turned on FileVault before enrolling the computer. We then disabled FileVault, restarted the computer, and ran the FileVault policy from Self Service, hoping we would now have the encryption key inside JAMF, but we don't.
Troubleshooting tips on what we're missing?
Posted on 05-14-2015 12:10 PM
I haven't tried it personally but the first thing I would check is whether the key is the same both times the drive is encrypted. It might be an extra fdesetup command needs to be run as it sounds like it can only send the key to the JSS on the first go.
On a Mac you have encrypted and then decrypted, have a look at fdesetup and these options specifically to see what you get:
removerecovery (removes the current recovery key)
haspersonalrecoverykey (returns the string "true" if FileVault contains a personal recovery key)
hasinstitutionalrecoverykey (returns the string "true" if FileVault contains an institutional recovery key)
usingrecoverykey (returns the string "true" if FileVault is currently unlocked using the personal recovery key)
Posted on 05-15-2015 02:21 AM
@InsigniamLLC can you try with a Mac that's not been encrypted & see if the results differ?
Posted on 06-01-2015 01:12 PM
The results do not differ at all. I tried using this policy on a Mac that was brand new out of the box - it verifies that FileVault is enabled, but it does not provide the actual recovery key.
Posted on 06-01-2015 08:34 PM
@InsigniamLLC Have you verified that the Macs have submitted new inventory to the JSS after FileVault was enabled and the Mac rebooted? I know you mentioned they have "checked in", but what about an actual inventory submission? The Recovery keys only get pulled into the JSS computer record when they upload inventory since the key gets written into an xml file stored on disk that the recon process sees and pulls in.
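As an added example (not code from any poster in this thread), the script below ties together the two troubleshooting suggestions above: it runs the fdesetup queries listed earlier (`status`, `haspersonalrecoverykey`, `hasinstitutionalrecoverykey`), classifies what they report, and points at the inventory step (`sudo jamf recon`) when a personal key exists but has not shown up in the JSS yet. `fdesetup` only exists on macOS, so on any other system the script falls back to constructed sample output (labelled as such) so it still runs. The verdict names and the helper functions are this example's own conventions, not anything from fdesetup or JAMF.

```shell
#!/bin/sh
# Added example: summarise FileVault recovery-key state as reported by fdesetup,
# so a tech can tell whether there is a personal recovery key on disk at all
# before expecting the JSS to have escrowed it.

# fdesetup prints "true" or "false" for the has*/using* queries; normalise
# that to 1/0 (case- and whitespace-insensitive).
fv_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')" in
        true) echo 1 ;;
        *)    echo 0 ;;
    esac
}

# Classify the three answers (status line, personal-key answer,
# institutional-key answer). Verdict names are this script's own:
#   not-encrypted      FileVault is off; nothing to escrow
#   personal-key       a personal recovery key exists (the one recon picks up)
#   institutional-only only an institutional key is present
#   no-recovery-key    encrypted, but neither key exists
fv_verdict() {
    status="$1"; personal="$2"; institutional="$3"
    case "$status" in
        *"FileVault is On"*) ;;
        *) echo "not-encrypted"; return 0 ;;
    esac
    p=$(fv_bool "$personal"); i=$(fv_bool "$institutional")
    if [ "$p" -eq 1 ]; then echo "personal-key"
    elif [ "$i" -eq 1 ]; then echo "institutional-only"
    else echo "no-recovery-key"
    fi
}

# Run the real queries on a Mac; elsewhere use constructed sample output that
# mimics a Mac which was encrypted, decrypted and re-encrypted and now reports
# no personal recovery key (the situation described in the thread).
fv_report() {
    if command -v fdesetup >/dev/null 2>&1; then
        status=$(fdesetup status 2>/dev/null)
        personal=$(fdesetup haspersonalrecoverykey 2>/dev/null)
        institutional=$(fdesetup hasinstitutionalrecoverykey 2>/dev/null)
    else
        status="FileVault is On."          # constructed sample
        personal="false"                   # constructed sample
        institutional="false"              # constructed sample
    fi
    verdict=$(fv_verdict "$status" "$personal" "$institutional")
    echo "status:                     $status"
    echo "personal recovery key:      $personal"
    echo "institutional recovery key: $institutional"
    echo "verdict:                    $verdict"
    case "$verdict" in
        personal-key)
            echo "next step: submit inventory (sudo jamf recon) so the JSS reads the key file on disk" ;;
        institutional-only|no-recovery-key)
            echo "next step: there is no personal key for recon to pick up; the JSS cannot escrow one until a new personal key exists" ;;
        not-encrypted)
            echo "next step: FileVault is off; run the enablement policy first" ;;
    esac
    return 0
}

fv_report
```

Run it as the logged-in admin on the affected Mac; if the verdict is `no-recovery-key` after re-enabling FileVault, the missing key in the JSS is a symptom of there being no personal key on the Mac, which is the "extra fdesetup command" case the second reply alludes to rather than an inventory problem.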