Recovery Key

trinhthanhthien
New Contributor

Hi everyone,
I’m currently reviewing the different methods for syncing Recovery Keys and I’m a bit unclear on the distinction. Could someone help clarify the differences between:

  • Recovery Key stored via iCloud, and

  • Recovery Key escrowed to the Jamf Pro Server?

Specifically, I’d like to understand how each method works, the user experience, and any implications for security or recovery workflows.

Thanks in advance for your guidance!


mvu
Valued Contributor III
The main difference is the location and access.
 
Jamf stores the encrypted key on the Jamf Pro server, which is accessible through Jamf. This gives the admin control of the rollout and management of the recovery keys. It also gives the admin audit logs to see who viewed the recovery keys.
 
iCloud stores the key with Apple, requiring your Apple ID password to retrieve it.
 
With an MDM, like Jamf, you can roll out FileVault encryption seamlessly at business scale and store the Recovery Keys. The Apple iCloud option is more of a consumer, 1-to-1, personal solution.

sdagley
Esteemed Contributor III

@trinhthanhthien As @mvu replied, for managed Macs escrowing the recovery key in Jamf Pro would be the expected/normal approach. You will also find the Escrow Buddy tool that Netflix developed and makes publicly available will help ensure you have valid keys escrowed: https://github.com/macadmins/escrow-buddy

howie_isaacks
Valued Contributor III

Escrow Buddy works great. I used it to issue new FileVault recovery keys on Macs that did not have their recovery keys escrowed in Jamf Pro. These were Macs that were enrolled after FileVault was activated.
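The situation @howie_isaacks describes (Macs that turned on FileVault before enrollment, so Jamf Pro never received a key) is the gap an admin wants to find before a recovery is ever needed. The script below is an added example, not code from this thread, from Jamf, or from Escrow Buddy. It reads inventory records in a shape modelled on the Jamf Pro API computers-inventory DISK_ENCRYPTION section; the field names `individualRecoveryKeyValidityStatus` and `bootPartitionEncryptionDetails.partitionFileVault2State`, the status values, and the `/api/v1/computers-inventory?section=DISK_ENCRYPTION` endpoint mentioned in the comments are assumptions you should check against your Jamf Pro version. The input is constructed sample data so it runs offline.

```python
"""Report managed Macs whose boot volume is FileVault-encrypted but whose
personal recovery key is not validly escrowed in Jamf Pro.

Added example (not code from the thread, Jamf, or Escrow Buddy). The record
layout mimics the Jamf Pro API computers-inventory DISK_ENCRYPTION section;
field names and status values are assumptions to verify against your server.
"""
import json
from typing import List

# Constructed sample inventory: four records in the assumed API shape.
SAMPLE_INVENTORY = json.dumps({
    "results": [
        {"id": "101", "general": {"name": "mac-ok"},
         "diskEncryption": {
             "individualRecoveryKeyValidityStatus": "VALID",
             "bootPartitionEncryptionDetails": {"partitionFileVault2State": "ENCRYPTED"}}},
        {"id": "102", "general": {"name": "mac-enrolled-after-fv"},
         "diskEncryption": {
             "individualRecoveryKeyValidityStatus": "UNKNOWN",
             "bootPartitionEncryptionDetails": {"partitionFileVault2State": "ENCRYPTED"}}},
        {"id": "103", "general": {"name": "mac-not-encrypted"},
         "diskEncryption": {
             "individualRecoveryKeyValidityStatus": "NOT_APPLICABLE",
             "bootPartitionEncryptionDetails": {"partitionFileVault2State": "NOT_ENCRYPTED"}}},
        {"id": "104", "general": {"name": "mac-invalid-key"},
         "diskEncryption": {
             "individualRecoveryKeyValidityStatus": "INVALID",
             "bootPartitionEncryptionDetails": {"partitionFileVault2State": "ENCRYPTED"}}},
    ]
})


def needs_reescrow(record: dict) -> bool:
    """True when the boot volume is encrypted but Jamf Pro does not hold a
    key it has confirmed as valid. A missing status is treated as UNKNOWN,
    i.e. as a gap, so an incomplete record is never reported as safe."""
    enc = record.get("diskEncryption") or {}
    boot = (enc.get("bootPartitionEncryptionDetails") or {}).get("partitionFileVault2State")
    validity = enc.get("individualRecoveryKeyValidityStatus") or "UNKNOWN"
    return boot == "ENCRYPTED" and validity != "VALID"


def find_escrow_gaps(inventory_json: str) -> List[str]:
    """Parse one page of inventory JSON and return the names (sorted) of Macs
    that need a fresh key issued and escrowed, e.g. via Escrow Buddy."""
    data = json.loads(inventory_json)
    gaps = []
    for record in data.get("results", []):
        if needs_reescrow(record):
            name = (record.get("general") or {}).get("name") or f"id-{record.get('id')}"
            gaps.append(name)
    return sorted(gaps)


def main() -> None:
    # In production you would replace SAMPLE_INVENTORY with the body of a
    # bearer-token GET against (assumed path)
    #   /api/v1/computers-inventory?section=DISK_ENCRYPTION
    # and loop over its pages; the parsing logic stays the same.
    for name in find_escrow_gaps(SAMPLE_INVENTORY):
        print(f"needs re-escrow: {name}")


if __name__ == "__main__":
    main()
```

The check deliberately treats anything other than an explicit VALID status as a gap: a key the server has never verified is no better for a recovery workflow than no key at all, and the cost of a false positive is only one extra key rotation on that Mac.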