Hi, has anyone found a way to reissue a FileVault encryption key into Jamf with Big Sur?
We had a script that did it, but that does not seem to work anymore.
Is there a method that works for escrowing a key into Jamf if already encrypted?
Thanks!
For the policy to work your Jamf management account must have a secure token. In our case, we don't use the management account, but instead have a LAPS account with a secure token, and just have a script to rotate the recovery key.
Hi, thanks for the reply.
I am not sure we use a Jamf management account; do you know how we can confirm?
I thought Jamf had a certificate that it used to manage the systems.
I pulled this from the docs, which make it sound like you can rotate the key if you have an existing PRK escrowed in Jamf, but I don't think it worked when I last tested it:
https://docs.jamf.com/10.29.0/jamf-pro/administrator-guide/Disk_Encryption_Configurations.html
To issue a new personal recovery key to a computer, the computer must have the following:
- macOS 10.9–10.12.x or macOS 10.14 or later
- A “Recovery HD” partition
- FileVault enabled
One of the following two conditions met:
- The management account configured as the enabled FileVault user
- An existing, valid personal recovery key that matches the key stored in Jamf Pro
As for the management account, if you check under Global Management > User-Initiated Enrollment > Platforms > macOS you should see the management account name there.
More information on how the management account is used is here: https://docs.jamf.com/10.29.0/jamf-pro/administrator-guide/User-Initiated_Enrollment_Settings.html
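As an added example (not the script either poster mentions, and not Jamf's own code) of the LAPS-style approach from the earlier reply and the preconditions the docs list: a policy script that refuses to run unless FileVault is on and the supplied local admin both holds a secure token and is a FileVault-enabled user, then rotates the personal recovery key with `fdesetup changerecovery -personal -inputplist` so the installed escrow profile can send the new key to Jamf. The account name and password arriving as Jamf script parameters `$4` and `$5`, and the Disk Encryption escrow profile already being on the Mac, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the thread's original script. Assumptions (hypothetical):
# the secure-token-holding local admin name and its current password are passed
# as Jamf script parameters $4 and $5 (Jamf reserves $1-$3), and the Jamf
# FileVault escrow configuration profile is already installed on the Mac.

# Return 0 when the captured output of `sysadminctl -secureTokenStatus <user>`
# reports ENABLED. Takes the text as $1 so it can be checked without macOS.
secure_token_enabled() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Escape the three characters that would break a plist string value.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Emit the plist fdesetup reads from stdin with -inputplist, so the password
# never appears on the command line where `ps` could show it.
build_fdesetup_plist() {
    user="$(xml_escape "$1")"
    pass="$(xml_escape "$2")"
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0"><dict>' \
        "<key>Username</key><string>${user}</string>" \
        "<key>Password</key><string>${pass}</string>" \
        '</dict></plist>'
}

# Check the preconditions the Jamf docs call out, rotate the PRK, then run
# recon so inventory reflects the new key once the escrow profile delivers it.
rotate_prk() {
    user="$1"
    pass="$2"
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2; return 1
    fi
    if [ "$(/usr/bin/fdesetup status | head -n 1)" != "FileVault is On." ]; then
        echo "FileVault is not enabled; nothing to rotate" >&2; return 1
    fi
    if ! secure_token_enabled "$(/usr/sbin/sysadminctl -secureTokenStatus "$user" 2>&1)"; then
        echo "$user has no secure token; fdesetup cannot use it" >&2; return 1
    fi
    # `fdesetup list` prints one "user,UUID" line per FileVault-enabled user.
    if ! /usr/bin/fdesetup list | grep -q "^${user},"; then
        echo "$user is not a FileVault-enabled user" >&2; return 1
    fi
    # -personal replaces the personal recovery key. Stdout is discarded on
    # purpose: fdesetup prints the new key, and a Jamf policy log is not a
    # place it should be stored.
    if ! build_fdesetup_plist "$user" "$pass" \
        | /usr/bin/fdesetup changerecovery -personal -inputplist >/dev/null; then
        echo "fdesetup changerecovery failed" >&2; return 1
    fi
    /usr/local/bin/jamf recon >/dev/null 2>&1
    echo "recovery key rotated for $user"
}

# Only act when invoked by a policy with both parameters present; this keeps
# the functions above sourceable for testing.
if [ -n "${4:-}" ] && [ -n "${5:-}" ]; then
    rotate_prk "$4" "$5"
fi
```

The script does not attempt to escrow the key itself: with a FileVault escrow profile installed, macOS hands the new personal recovery key to the MDM after rotation, which is why the docs require either the management account as a FileVault user or a valid escrowed key plus a secure-token account that `fdesetup` will accept.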
Interesting, I seem to be missing User-Initiated Enrollment but this is great information.
Thanks!