Reissuing FileVault keys Issue

BigToeKnee810
New Contributor II

So I am using the Reissuing FileVault keys with the Casper Suite. Followed this to the T (except the DMG for the ICONS). I am getting the following error:

Executing Policy Reissue invalid or missing FileVault recovery key
Downloading AppleCustomScriptIcon.pkg...
Downloading 

Verifying package integrity...
Installing AppleCustomScriptIcon.pkg...
Successfully installed AppleCustomScriptIcon.pkg.
Running script reissue filevault recovery key...
Script exit code: 0
Script result: Alerting user USER about incoming password prompt...
Prompting USER for their Mac password...
Successfully prompted for Mac password.
Issuing new recovery key...
**[WARNING] FileVault key was generated, but escrow did not occur.
Adding personal recovery key.**

Submitting log to https://comapny.jamfcloud.com/

Any ideas why the escrow doesn't occur? And not getting the key uploaded to my JSS?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Hi @BigToeKnee810 (interesting screen name) I haven't used the script myself, but, just curious if you've set up a Config Profile for these Macs to have FileVault Recovery Key redirection? It's toward the bottom of the payloads list when setting up a Config Profile. See image below

You need to set it to the following option:

I'm pretty sure that is a requirement to have any new keys redirected and escrowed back to the JSS, but again, I haven't really looked at the script created by homebysix to know for sure. Maybe I'm wrong, but I'd at least check into that avenue, assuming you don't already have that profile setting in place.
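
Added example, not part of the original thread or of the reissue script: a check for the FileVault Recovery Key Redirection payload discussed in this answer, run against the XML that `profiles -C -o stdout-xml` prints on the Mac. The payload type, the `RedirectURL` key, the `profiles` invocation and the sample layout are assumptions based on Apple's profile format; the sample data is constructed.

```python
import plistlib
import sys

# Payload type and key of Apple's FileVault Recovery Key Redirection payload.
# Assumption: taken from Apple's profile reference, not from this thread.
REDIRECT_TYPE = "com.apple.security.FDERecoveryRedirect"
URL_KEY = "RedirectURL"


def _walk(node):
    """Yield every dict found anywhere inside a parsed plist."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def find_redirect_urls(profiles_xml):
    """Return one entry per installed redirection payload (its URL or None).

    An empty list means no redirection payload is installed.
    """
    urls = []
    for d in _walk(plistlib.loads(profiles_xml)):
        if d.get("PayloadType") == REDIRECT_TYPE:
            # The URL may sit beside PayloadType or inside PayloadContent.
            urls.append(next((x[URL_KEY] for x in _walk(d) if URL_KEY in x), None))
    return urls


# Constructed sample shaped like the profiles XML dump (layout is an assumption).
SAMPLE = plistlib.dumps({"_computerlevel": [
    {"ProfileDisplayName": "FileVault escrow (constructed)",
     "ProfileItems": [{"PayloadType": REDIRECT_TYPE,
                       "PayloadContent": {URL_KEY: "https://jss.example.com:8443/"}}]},
    {"ProfileDisplayName": "Wi-Fi (constructed)",
     "ProfileItems": [{"PayloadType": "com.apple.wifi.managed",
                       "PayloadContent": {}}]},
]})

if __name__ == "__main__":
    # Pass a saved XML dump as the first argument, or run on the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    found = find_redirect_urls(data)
    print(found if found else "no recovery key redirection payload found")
```

Running this before the reissue policy shows whether a redirection payload is present and which server URL it points at.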

6 REPLIES

perrycj
Contributor III

@BigToeKnee810 Yes, what @mm2270 says is correct... you have to have that configuration profile set up like he mentioned in order for it to work and redirect the Keys back to the JSS. Otherwise, it will just fail.

BigToeKnee810
New Contributor II

Yep that is currently enabled.

BigToeKnee810
New Contributor II

Weird. It's working this morning, just tried out of curiosity.

m3ir
New Contributor III

Hi @BigToeKnee810 What OS are you running it on? I've been trying to run it on the latest Sierra, but after the first "Next", I get no password to type, just an error of 5 attempts.
Did you change anything in the script before running it?

Script exit code: 1
Script result: /Library/Application Support/JAMF/tmp/reissue_filevault_recovery_key: line 1: ill: command not found
Alerting user perfecto about incoming password prompt...
Prompting perfecto for their Mac password...
Prompting perfecto for their Mac password (attempt 2)...
Prompting perfecto for their Mac password (attempt 3)...
Prompting perfecto for their Mac password (attempt 4)...
Prompting perfecto for their Mac password (attempt 5)...
[ERROR] Password prompt unsuccessful after 5 attempts. Displaying "forgot password" message...
Error running script: return code was 1.

Regards,