What's the best way to reissue new recovery keys for High Sierra laptops already encrypted?

PSgduval
New Contributor

I'm in the process of moving over to Jamf Pro from Jamf Now (formerly Bushel). All of the laptops are encrypted with Jamf Now and their recovery keys escrowed there, but I want to be able to escrow those keys in Jamf Pro. I am having a particularly hard time escrowing reissued keys with 10.13+ laptops and haven't found any solutions online. What's up with that??

Has Jamf created an actual way to do this or has anyone here had luck reissuing keys for laptops running High Sierra?

2 REPLIES

steve_summers
Contributor III

@PSgduval I came across a script/workflow that actually works. I'm in the process of getting keys reissued to folks who have a "Not Configured" status on their recovery keys in their computer record. Here is a link to the script I am using:

https://github.com/homebysix/jss-filevault-reissue

I've run this script with success on both 10.12.x machines and 10.13.x. The script may mention that it hasn't been tested on High Sierra, but it worked for me. I like this workflow for it allows me to pop up a branded message notifying customers about entering in the PW. Just remember to make sure you have the JSS Redirection policy in place on these machines or this script too will error. That was a key learning, so should you decide to use this, set up a redirection policy first and foremost, then work on the policy.

Good luck..!

elliotjordan
Contributor III

Hi! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!