Skip to main content
Solved

Unable to Generate New FV Recovery Key using Reissue Script Error: User could not be authenticated.)

N
Forum|alt.badge.img+4

We've successfully deployed the reissue FileVault key script in our environment to send FV recovery keys to Jamf Pro to 99% of the Macs in our fleet. However, we have one Mac whose user is unable to send the key to Jamf Pro due to the following error: Error: User could not be authenticated. Error: Unable to unlock or authenticate to FileVault.

To be sure, the user is using his Mac password to unlock System Settings, unlock FileVault at login, etc. But it's unable to generate a new FV key. 

Any suggestions on how to troubleshoot this sort of thing? I would prefer to avoid having to wipe/reinstall the OS unless it's the only option.

 

Best answer by daniel_behan

This script was updated last year and seems to work with macOS Ventura now.

View original
    Did this topic help you find an answer to your question?

    13 replies

    junjishimazaki
    Forum|alt.badge.img+10

    Are you using a configuration profile to escrow the FV key?

    N
    Forum|alt.badge.img+4
    • noobody
    • Author
    • Contributor
    • 13 replies
    • February 6, 2023
    junjishimazaki wrote:

    Are you using a configuration profile to escrow the FV key?


    Yes, that's right. 

    junjishimazaki
    Forum|alt.badge.img+10
    noobody wrote:

    Yes, that's right. 


    Then, what I would do next is remove computer from that FV configuration profile scope. Disable FV on that mac, and let it decrypt. Once the decryption completes. Scope that computer back to the FV configuration profile, then re-enable FV, select that option to escrow to your Jamf instance. Then run sudo jamf recon. 

    N
    Forum|alt.badge.img+4
    • noobody
    • Author
    • Contributor
    • 13 replies
    • February 6, 2023
    junjishimazaki wrote:

    Then, what I would do next is remove computer from that FV configuration profile scope. Disable FV on that mac, and let it decrypt. Once the decryption completes. Scope that computer back to the FV configuration profile, then re-enable FV, select that option to escrow to your Jamf instance. Then run sudo jamf recon. 


    Thanks! I'll give this a shot and report back.

    junjishimazaki
    Forum|alt.badge.img+10
    noobody wrote:

    Thanks! I'll give this a shot and report back.


    Just curious, does your reissue FV key script uses the command: sudo fdesetup changerecovery -personal

    N
    Forum|alt.badge.img+4
    • noobody
    • Author
    • Contributor
    • 13 replies
    • February 6, 2023
    junjishimazaki wrote:

    Just curious, does your reissue FV key script uses the command: sudo fdesetup changerecovery -personal


    Indeed it does. This is the script we use. It has worked well on all but one Mac affected by the lost FV key issue (in inventory record) in our environment: 

    #!/bin/bash #################################################################################################### # # Copyright (c) 2017, JAMF Software, LLC. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # * Neither the name of the JAMF Software, LLC nor the # names of its contributors may be used to endorse or promote products # derived from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #################################################################################################### # # Description # # The purpose of this script is to allow a new individual recovery key to be issued # if the current key is invalid and the management account is not enabled for FV2, # or if the machine was encrypted outside of the JSS. # # First put a configuration profile for FV2 recovery key redirection in place. # Ensure keys are being redirected to your JSS. # # This script will prompt the user for their password so a new FV2 individual # recovery key can be issued and redirected to the JSS. # #################################################################################################### # # HISTORY # # -Created by Sam Fortuna on Sept. 5, 2014 # -Updated by Sam Fortuna on Nov. 18, 2014 # -Added support for 10.10 # -Updated by Sam Fortuna on June 23, 2015 # -Properly escapes special characters in user passwords # -Updated by Bram Cohen on May 27, 2016 # -Pipe FV key and password to /dev/null # -Updated by Jordan Wisniewski on Dec 5, 2016 # -Removed quotes for 'send {${userPass}} ' so # passwords with spaces work. # -Updated by Shane Brown/Kylie Bareis on Aug 29, 2017 # - Fixed an issue with usernames that contain # sub-string matches of each other. # -Updated by Bram Cohen on Jan 3, 2018 # - 10.13 adds a new prompt for username before password in changerecovery # -Updated by Matt Boyle on July 6, 2018 # - Error handeling, custom Window Lables, Messages and FV2 Icon # -Updated by David Raabe on July 26, 2018 # - Added Custom Branding to pop up windows # -Updated by Sebastien Del Saz Alvarez on January 22, 2021 # -Changed OS variable and relevant if statements to use OS Build rather than OS Version to avoid errors in Big Sur #################################################################################################### # # Parameter 4 = Set organization name in pop up window # Parameter 5 = Failed Attempts until Stop # Parameter 6 = Custom text for contact information. # Parameter 7 = Custom Branding - Defaults to Self Service Icon #Customizing Window selfServiceBrandIcon="/Users/$3/Library/Application Support/com.jamfsoftware.selfservice.mac/Documents/Images/brandingimage.png" jamfBrandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns" fileVaultIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns" if [ ! -z "$4" ] then orgName="$4 -" fi if [ ! -z "$6" ] then haltMsg="$6" else haltMsg="Please Contact IT for Further assistance." fi if [[ ! -z "$7" ]]; then brandIcon="$7" elif [[ -f $selfServiceBrandIcon ]]; then brandIcon=$selfServiceBrandIcon elif [[ -f $jamfBrandIcon ]]; then brandIcon=$jamfBrandIcon else brandIcon=$fileVaultIcon fi ## Get the logged in user's name userName=$(/usr/bin/stat -f%Su /dev/console) ## Grab the UUID of the User userNameUUID=$(dscl . -read /Users/$userName/ GeneratedUID | awk '{print $2}') ## Get the OS build BUILD=`/usr/bin/sw_vers -buildVersion | awk {'print substr ($0,0,2)'}` ## This first user check sees if the logged in account is already authorized with FileVault 2 userCheck=`fdesetup list | awk -v usrN="$userNameUUID" -F, 'match($0, usrN) {print $1}'` if [ "${userCheck}" != "${userName}" ]; then echo "This user is not a FileVault 2 enabled user." exit 3 fi ## Counter for Attempts try=0 if [ ! -z "$5" ] then maxTry=$5 else maxTry=2 fi ## Check to see if the encryption process is complete encryptCheck=`fdesetup status` statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.") expectedStatus="FileVault is On." if [ "${statusCheck}" != "${expectedStatus}" ]; then echo "The encryption process has not completed." echo "${encryptCheck}" exit 4 fi passwordPrompt () { ## Get the logged in user's password via a prompt echo "Prompting ${userName} for their login password." userPass=$(/usr/bin/osascript -e " on run display dialog \\"To generate a new FileVault key\\" & return & \\"Enter login password for '$userName'\\" default answer \\"\\" with title \\"$orgName FileVault Key Reset\\" buttons {\\"Cancel\\", \\"Ok\\"} default button 2 with icon POSIX file \\"$brandIcon\\" with text and hidden answer set userPass to text returned of the result return userPass end run") if [ "$?" == "1" ] then echo "User Canceled" exit 0 fi try=$((try+1)) if [[ $BUILD -ge 13 ]] && [[ $BUILD -lt 17 ]]; then ## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output result=$(expect -c " log_user 0 spawn fdesetup changerecovery -personal expect \\"Enter a password for '/', or the recovery key:\\" send {${userPass}} send \\r log_user 1 expect eof " >> /dev/null) elif [[ $BUILD -ge 17 ]]; then result=$(expect -c " log_user 0 spawn fdesetup changerecovery -personal expect \\"Enter the user name:\\" send {${userName}} send \\r expect \\"Enter a password for '/', or the recovery key:\\" send {${userPass}} send \\r log_user 1 expect eof ") else echo "OS version not 10.9+ or OS version unrecognized" echo "$(/usr/bin/sw_vers -productVersion)" exit 5 fi } successAlert () { /usr/bin/osascript -e " on run display dialog \\"\\" & return & \\"Your FileVault Key was successfully Changed\\" with title \\"$orgName FileVault Key Reset\\" buttons {\\"Close\\"} default button 1 with icon POSIX file \\"$brandIcon\\" end run" } errorAlert () { /usr/bin/osascript -e " on run display dialog \\"FileVault Key not Changed\\" & return & \\"$result\\" buttons {\\"Cancel\\", \\"Try Again\\"} default button 2 with title \\"$orgName FileVault Key Reset\\" with icon POSIX file \\"$brandIcon\\" end run" if [ "$?" == "1" ] then echo "User Canceled" exit 0 else try=$(($try+1)) fi } haltAlert () { /usr/bin/osascript -e " on run display dialog \\"FileVault Key not changed\\" & return & \\"$haltMsg\\" buttons {\\"Close\\"} default button 1 with title \\"$orgName FileVault Key Reset\\" with icon POSIX file \\"$brandIcon\\" end run " } while true do passwordPrompt if [[ $result = *"Error"* ]] then echo "Error Changing Key" if [ $try -ge $maxTry ] then haltAlert echo "Quitting.. Too Many failures" exit 0 else echo $result errorAlert fi else echo "Successfully Changed FV2 Key" successAlert exit 0 fi done

     

    junjishimazaki
    Forum|alt.badge.img+10
    noobody wrote:

    Indeed it does. This is the script we use. It has worked well on all but one Mac affected by the lost FV key issue (in inventory record) in our environment: 

    #!/bin/bash #################################################################################################### # # Copyright (c) 2017, JAMF Software, LLC. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # * Neither the name of the JAMF Software, LLC nor the # names of its contributors may be used to endorse or promote products # derived from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #################################################################################################### # # Description # # The purpose of this script is to allow a new individual recovery key to be issued # if the current key is invalid and the management account is not enabled for FV2, # or if the machine was encrypted outside of the JSS. # # First put a configuration profile for FV2 recovery key redirection in place. # Ensure keys are being redirected to your JSS. # # This script will prompt the user for their password so a new FV2 individual # recovery key can be issued and redirected to the JSS. # #################################################################################################### # # HISTORY # # -Created by Sam Fortuna on Sept. 5, 2014 # -Updated by Sam Fortuna on Nov. 18, 2014 # -Added support for 10.10 # -Updated by Sam Fortuna on June 23, 2015 # -Properly escapes special characters in user passwords # -Updated by Bram Cohen on May 27, 2016 # -Pipe FV key and password to /dev/null # -Updated by Jordan Wisniewski on Dec 5, 2016 # -Removed quotes for 'send {${userPass}} ' so # passwords with spaces work. # -Updated by Shane Brown/Kylie Bareis on Aug 29, 2017 # - Fixed an issue with usernames that contain # sub-string matches of each other. # -Updated by Bram Cohen on Jan 3, 2018 # - 10.13 adds a new prompt for username before password in changerecovery # -Updated by Matt Boyle on July 6, 2018 # - Error handeling, custom Window Lables, Messages and FV2 Icon # -Updated by David Raabe on July 26, 2018 # - Added Custom Branding to pop up windows # -Updated by Sebastien Del Saz Alvarez on January 22, 2021 # -Changed OS variable and relevant if statements to use OS Build rather than OS Version to avoid errors in Big Sur #################################################################################################### # # Parameter 4 = Set organization name in pop up window # Parameter 5 = Failed Attempts until Stop # Parameter 6 = Custom text for contact information. # Parameter 7 = Custom Branding - Defaults to Self Service Icon #Customizing Window selfServiceBrandIcon="/Users/$3/Library/Application Support/com.jamfsoftware.selfservice.mac/Documents/Images/brandingimage.png" jamfBrandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns" fileVaultIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns" if [ ! -z "$4" ] then orgName="$4 -" fi if [ ! -z "$6" ] then haltMsg="$6" else haltMsg="Please Contact IT for Further assistance." fi if [[ ! -z "$7" ]]; then brandIcon="$7" elif [[ -f $selfServiceBrandIcon ]]; then brandIcon=$selfServiceBrandIcon elif [[ -f $jamfBrandIcon ]]; then brandIcon=$jamfBrandIcon else brandIcon=$fileVaultIcon fi ## Get the logged in user's name userName=$(/usr/bin/stat -f%Su /dev/console) ## Grab the UUID of the User userNameUUID=$(dscl . -read /Users/$userName/ GeneratedUID | awk '{print $2}') ## Get the OS build BUILD=`/usr/bin/sw_vers -buildVersion | awk {'print substr ($0,0,2)'}` ## This first user check sees if the logged in account is already authorized with FileVault 2 userCheck=`fdesetup list | awk -v usrN="$userNameUUID" -F, 'match($0, usrN) {print $1}'` if [ "${userCheck}" != "${userName}" ]; then echo "This user is not a FileVault 2 enabled user." exit 3 fi ## Counter for Attempts try=0 if [ ! -z "$5" ] then maxTry=$5 else maxTry=2 fi ## Check to see if the encryption process is complete encryptCheck=`fdesetup status` statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.") expectedStatus="FileVault is On." if [ "${statusCheck}" != "${expectedStatus}" ]; then echo "The encryption process has not completed." echo "${encryptCheck}" exit 4 fi passwordPrompt () { ## Get the logged in user's password via a prompt echo "Prompting ${userName} for their login password." userPass=$(/usr/bin/osascript -e " on run display dialog \\"To generate a new FileVault key\\" & return & \\"Enter login password for '$userName'\\" default answer \\"\\" with title \\"$orgName FileVault Key Reset\\" buttons {\\"Cancel\\", \\"Ok\\"} default button 2 with icon POSIX file \\"$brandIcon\\" with text and hidden answer set userPass to text returned of the result return userPass end run") if [ "$?" == "1" ] then echo "User Canceled" exit 0 fi try=$((try+1)) if [[ $BUILD -ge 13 ]] && [[ $BUILD -lt 17 ]]; then ## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output result=$(expect -c " log_user 0 spawn fdesetup changerecovery -personal expect \\"Enter a password for '/', or the recovery key:\\" send {${userPass}} send \\r log_user 1 expect eof " >> /dev/null) elif [[ $BUILD -ge 17 ]]; then result=$(expect -c " log_user 0 spawn fdesetup changerecovery -personal expect \\"Enter the user name:\\" send {${userName}} send \\r expect \\"Enter a password for '/', or the recovery key:\\" send {${userPass}} send \\r log_user 1 expect eof ") else echo "OS version not 10.9+ or OS version unrecognized" echo "$(/usr/bin/sw_vers -productVersion)" exit 5 fi } successAlert () { /usr/bin/osascript -e " on run display dialog \\"\\" & return & \\"Your FileVault Key was successfully Changed\\" with title \\"$orgName FileVault Key Reset\\" buttons {\\"Close\\"} default button 1 with icon POSIX file \\"$brandIcon\\" end run" } errorAlert () { /usr/bin/osascript -e " on run display dialog \\"FileVault Key not Changed\\" & return & \\"$result\\" buttons {\\"Cancel\\", \\"Try Again\\"} default button 2 with title \\"$orgName FileVault Key Reset\\" with icon POSIX file \\"$brandIcon\\" end run" if [ "$?" == "1" ] then echo "User Canceled" exit 0 else try=$(($try+1)) fi } haltAlert () { /usr/bin/osascript -e " on run display dialog \\"FileVault Key not changed\\" & return & \\"$haltMsg\\" buttons {\\"Close\\"} default button 1 with title \\"$orgName FileVault Key Reset\\" with icon POSIX file \\"$brandIcon\\" end run " } while true do passwordPrompt if [[ $result = *"Error"* ]] then echo "Error Changing Key" if [ $try -ge $maxTry ] then haltAlert echo "Quitting.. Too Many failures" exit 0 else echo $result errorAlert fi else echo "Successfully Changed FV2 Key" successAlert exit 0 fi done

     


    The only way this works properly is that the user has secure token enabled.

    N
    Forum|alt.badge.img+4
    • noobody
    • Author
    • Contributor
    • 13 replies
    • February 6, 2023
    junjishimazaki wrote:

    The only way this works properly is that the user has secure token enabled.


    Yes, I've confirmed that the user does have a secure token enabled on their local account.

    junjishimazaki
    Forum|alt.badge.img+10

    What OS is that mac on?

    N
    Forum|alt.badge.img+4
    • noobody
    • Author
    • Contributor
    • 13 replies
    • February 6, 2023
    junjishimazaki wrote:

    What OS is that mac on?


    macOS Ventura 13.1

    D
    Forum|alt.badge.img+11
    • daniel_behan
    • Valued Contributor
    • 194 replies
    • Answer
    • February 6, 2023

    This script was updated last year and seems to work with macOS Ventura now.

    N
    1 person likes this
    • N
      noobody
    N
    Forum|alt.badge.img+4
    • noobody
    • Author
    • Contributor
    • 13 replies
    • February 9, 2023
    daniel_behan wrote:

    This script was updated last year and seems to work with macOS Ventura now.


    Thanks! Using this updated script was all that was needed.

    aledesma
    Forum|alt.badge.img+1
    • aledesma
    • New Contributor
    • 8 replies
    • September 12, 2023
    noobody wrote:

    Thanks! Using this updated script was all that was needed.


    Were there any additional steps you had to do for this to get done?

    e.g. Have user turn off filevault first, or remove them from a particular FileVault profile? 
    Can you please share detailed steps. We are experiencing a similar issue for 3 users. Thanks

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings