Smart Computer group policy not working - Unknown FileVault Recovery Key

Arno_Weygantt
New Contributor

Hi Community,

I have an issue with an unknown FileVault recovery key in Jamf. The script does not run or is blocked somewhere.

The smart computer group is :


Computer name like "***" (and) FileVault 2 Individual Key Validation (is) Unknown. Has anybody successfully made a script to get the FileVault recovery key that works?


Thanks,


Arno


Jamf for joy

Jack_Turner
New Contributor II

Is this a script? Looks like just a Smart group from the screenshot?

Arno_Weygantt
New Contributor

Hey Jack Turner,

Yes, my apologies 😣...

I did a copy of a working script; I do not have access rights atm and need to ask a member of my team.

I think I may have found the reason for the block.

Script result: VALID password supplied
fdesetup: auth info dictionary path = stdin
fdesetup: use personal recovery key
fdesetup: device path = /
Error: User is not Secure Token enabled.
Error: Unable to unlock or authenticate to FileVault.
Retrieving inventory preferences from https://jss.globalservs.com/...
Finding extension attributes...
Locating applications...
Locating package receipts...
Locating hard drive information...
Locating accounts...
Locating printers...
Gathering application usage information from the JamfDaemon...
Searching path: /Users/dorien.bradt/Applications
Searching path: /System/Applications
Searching path: /Applications
Locating hardware information (macOS 11.5.2)...
Searching path: /Library/Application Support/Microsoft
Submitting data to https://jss.globalservs.com/...
<computer_id>24182</computer_id>

Kind regards,

Arno

Jamf for joy
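Added example (not a script from this thread or from Jamf): a pre-flight check a reissue policy can run before it calls `fdesetup`, so the "User is not Secure Token enabled" failure in the log above is detected and reported up front instead of surfacing as an authentication error. It assumes the output formats of `sysadminctl -secureTokenStatus <user>` (a line containing "Secure token is ENABLED/DISABLED for user ...") and `fdesetup list` ("username,UUID" per line); the user `jdoe` and the sample outputs are constructed.

```shell
#!/bin/bash
# Pre-flight check before a FileVault key reissue policy calls fdesetup:
# the log above failed with "User is not Secure Token enabled", so test that
# condition (and FileVault-enabled membership) explicitly and report it first.

# Classify the output of `sysadminctl -secureTokenStatus <user>` (written to stderr).
parse_secure_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Return 0 if user $1 appears in the `fdesetup list` output $2 ("username,UUID" per line).
user_in_fdesetup_list() {
  printf '%s\n' "$2" | cut -d, -f1 | grep -qxF -- "$1"
}

# Print one verdict line; exit status 1 means fdesetup would fail for this user.
preflight_verdict() {
  local user="$1" token_out="$2" fde_list="$3" status
  status="$(parse_secure_token_status "$token_out")"
  if [ "$status" != ENABLED ]; then
    echo "BLOCKED: $user has no Secure Token (sysadminctl reported $status)"
    return 1
  fi
  if ! user_in_fdesetup_list "$user" "$fde_list"; then
    echo "BLOCKED: $user is not a FileVault-enabled user"
    return 1
  fi
  echo "OK: $user can authenticate to fdesetup"
}

if [ "$(uname)" = Darwin ] && [ -n "${1:-}" ]; then
  # Live check on a Mac: ./preflight.sh <username>
  preflight_verdict "$1" "$(sysadminctl -secureTokenStatus "$1" 2>&1)" "$(fdesetup list)"
else
  # Constructed sample output (not from the thread) reproducing the failure in the log.
  SAMPLE_TOKEN_OUT='2021-09-09 10:00:00.000 sysadminctl[512:9001] Secure token is DISABLED for user jdoe'
  SAMPLE_FDE_LIST='admin,11111111-2222-3333-4444-555555555555
jdoe,66666666-7777-8888-9999-000000000000'
  preflight_verdict jdoe "$SAMPLE_TOKEN_OUT" "$SAMPLE_FDE_LIST" || true
fi
```

A user without a Secure Token cannot be fixed by the reissue script itself; the token has to be granted by an existing Secure Token holder (for example via `sysadminctl -secureTokenOn`) before the key can be regenerated.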

mojo21221
Contributor II

We use https://github.com/homebysix/jss-filevault-reissue and it works great. The only downside is that it requires the user to input their password via a prompt, but that is how Apple wants it... So our workflow is to use the Smart Group to show us whose devices need attention and then have a help desk representative reach out to them. Have them run the policy via Self Service (script and an inventory) and poof, Jamf will now show the new FV2 key.

Tested and working on Intel, M1 and M2 processors, Mojave - Monterey.

Arno_Weygantt
New Contributor

Thanks @mojo21221 , I will try out this method.


Jamf for joy

elliotjordan
Contributor III

Hi all! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!