Jamf Nation Community

Hi @Espaay ,
thanks for your reply.
In Jamf Pro, going to computer inventory > Disk Encryption under "Institutional Recovery Key Status" it says "Present", I don't see any field where I can get that value.
Furthermore, can you please better explain the step between "turn on" and "select recovery key"?

Thanks a lot

Decryption using an institutional recovery key is not a trivial process. You can download the institutional recovery key from the computer inventory record in Jamf - Disk Encryption > Institutional Recovery Key.

https://derflounder.wordpress.com/2014/08/13/filevault-2-institutional-recovery-keys-creation-deployment-and-use/

Using individual recovery keys is a much more valid and common approach and you should look into having that enabled and working before worrying about Institutional Recovery Keys.

https://www.jamf.com/resources/technical-papers/administering-filevault-on-macos-10-14-or-later-with-jamf-pro/

Hi @oliverr , why do you think I should proceed with individual instead of institutional?
I mean, is there any specific reason I am missing?

I'm still testing FileVault so before deploying the configurations I wanna be sure that the solution is safe and easy to manage both for us as technicians and end-users

You can escrow individual recovery keys directly to your Jamf Server - you can then view the key in the web interface and if required supply that to your end users. This is far easier than having to work with an institutional key each time you need to decrypt a machine or resolve a password issue.

Institutional keys are also inherently less secure as if the key is ever compromised you have to create a new one.

You can also combo individual and institutional keys in a single disk encryption configuration if required.

Each has their place - but individual keys are more secure and easier to manage.

Thank you - I will definetely move to individual key if so.