Best fix is this.. for the FileVault oddness.. escrow-buddy
if that's overkill, I used to just re-issue a FV key via policy - Disk Encryption - Issue New Recovery Key.. and for the most part that worked.. scoped to a smart group..
Thanks for the suggestion! I did look into this and it mentioned I have to push the keys using the FDERecoveryKey Escrow. Currently we are using a certificate to escrow; so I am not sure if I would have to re-do every recovery key in the environment if I switch the process.
obviously test.. but it's very simple.. if you're using the normal FileVault config profile.. install the binary.. add the smart groups, policies and extension attributes and.. it just works..
I can attest to the fact that Escrow Buddy works amazingly well. I recently started using it, and it's been great for wrangling in those handful of machines that end up in a weird encryption state to get a valid key escrowed into Jamf.
One thing that's important to understand about its use is that it only works after the user logs out / logs in, after it's been deployed and the command set to capture a new key. And obviously you have to have FV2 key escrow set in a profile on your Macs from Jamf, so it knows to send the newly generated key back to the Jamf Pro console.
But if you have that all in place, it works well, and doesn't require direct user input or nagging (they just have to log into their Mac at some point). I only mention that point about log out/log in, because we all know some Mac users almost never reboot their Macs or even log out of their accounts unless they are forced to. So it's just something to consider when using it.
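An added example, not code from this thread or from the Escrow Buddy project: a Jamf Pro extension attribute that classifies a Mac's FileVault state so the smart group that scopes the "generate new key" policy only picks up machines that actually need it. It assumes the script runs as root on macOS and that `fdesetup status` / `fdesetup haspersonalrecoverykey` print "FileVault is On." or "FileVault is Off." and "true" or "false".

```shell
#!/bin/bash
# Jamf extension attribute (added example). The classification is a pure
# function so it can be exercised with constructed input on any platform;
# the real fdesetup probes only run where the binary exists (macOS).

# classify_fv_state STATUS_LINE HAS_PRK -> prints one label
classify_fv_state() {
    status="$1"
    has_prk="$2"
    case "$status" in
        *"FileVault is On"*)
            if [ "$has_prk" = "true" ]; then
                echo "Encrypted: PRK present"
            else
                # Encrypted but no personal recovery key on disk: this is the
                # machine the thread is about, and the one to scope for a new key.
                echo "Encrypted: no PRK, needs new key"
            fi ;;
        *"FileVault is Off"*)
            echo "Not encrypted" ;;
        *)
            echo "Unknown: $status" ;;
    esac
}

# On a real Mac, emit the Jamf <result> tag for the smart-group criterion.
if command -v fdesetup >/dev/null 2>&1; then
    fv_status="$(fdesetup status 2>/dev/null | head -n 1)"
    fv_prk="$(fdesetup haspersonalrecoverykey 2>/dev/null)"
    echo "<result>$(classify_fv_state "$fv_status" "$fv_prk")</result>"
fi
```

This only reports whether a PRK exists on the Mac, not whether the copy Jamf holds is valid, so pair it with Jamf's own FileVault 2 individual key validation criterion when building the smart group.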
Great, I will give Escrow Buddy a shot. Thank you!
Thank you for all of the information, I will give it a shot. Thanks!