Unable to Generate New FV Recovery Key using Reissue Script Error: User could not be authenticated.)

noobody
New Contributor III

We've successfully deployed the reissue FileVault key script in our environment to send FV recovery keys to Jamf Pro to 99% of the Macs in our fleet. However, we have one Mac whose user is unable to send the key to Jamf Pro due to the following error: Error: User could not be authenticated. Error: Unable to unlock or authenticate to FileVault.

To be sure, the user is using his Mac password to unlock System Settings, unlock FileVault at login, etc. But it's unable to generate a new FV key. 

Any suggestions on how to troubleshoot this sort of thing? I would prefer to avoid having to wipe/reinstall the OS unless it's the only option.

noobody_0-1675698996255.png

 

1 ACCEPTED SOLUTION

daniel_behan
Contributor III

This script was updated last year and seems to work with macOS Ventura now.

View solution in original post

13 REPLIES 13

junjishimazaki
Valued Contributor

Are you using a configuration profile to escrow the FV key?

Yes, that's right. 

Then, what I would do next is remove computer from that FV configuration profile scope. Disable FV on that mac, and let it decrypt. Once the decryption completes. Scope that computer back to the FV configuration profile, then re-enable FV, select that option to escrow to your Jamf instance. Then run sudo jamf recon. 

Thanks! I'll give this a shot and report back.

Just curious, does your reissue FV key script uses the command: sudo fdesetup changerecovery -personal

Indeed it does. This is the script we use. It has worked well on all but one Mac affected by the lost FV key issue (in inventory record) in our environment: 

#!/bin/bash

####################################################################################################
#
# Copyright (c) 2017, JAMF Software, LLC.  All rights reserved.
#
#       Redistribution and use in source and binary forms, with or without
#       modification, are permitted provided that the following conditions are met:
#               * Redistributions of source code must retain the above copyright
#                 notice, this list of conditions and the following disclaimer.
#               * Redistributions in binary form must reproduce the above copyright
#                 notice, this list of conditions and the following disclaimer in the
#                 documentation and/or other materials provided with the distribution.
#               * Neither the name of the JAMF Software, LLC nor the
#                 names of its contributors may be used to endorse or promote products
#                 derived from this software without specific prior written permission.
#
#       THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
#       EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#       WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#       DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
#       DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#       (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
#       LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
#       ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
#       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#       SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# Description
#
# The purpose of this script is to allow a new individual recovery key to be issued
# if the current key is invalid and the management account is not enabled for FV2,
# or if the machine was encrypted outside of the JSS.
#
# First put a configuration profile for FV2 recovery key redirection in place.
# Ensure keys are being redirected to your JSS.
#
# This script will prompt the user for their password so a new FV2 individual
# recovery key can be issued and redirected to the JSS.
#
####################################################################################################
#
# HISTORY
#
# -Created by Sam Fortuna on Sept. 5, 2014
# -Updated by Sam Fortuna on Nov. 18, 2014
# -Added support for 10.10
#   -Updated by Sam Fortuna on June 23, 2015
#       -Properly escapes special characters in user passwords
# -Updated by Bram Cohen on May 27, 2016
# -Pipe FV key and password to /dev/null
# -Updated by Jordan Wisniewski on Dec 5, 2016
# -Removed quotes for 'send {${userPass}}     ' so
# passwords with spaces work.
# -Updated by Shane Brown/Kylie Bareis on Aug 29, 2017
# - Fixed an issue with usernames that contain
# sub-string matches of each other.
# -Updated by Bram Cohen on Jan 3, 2018
# - 10.13 adds a new prompt for username before password in changerecovery
# -Updated by Matt Boyle on July 6, 2018
# - Error handeling, custom Window Lables, Messages and FV2 Icon
# -Updated by David Raabe on July 26, 2018
# - Added Custom Branding to pop up windows
# -Updated by Sebastien Del Saz Alvarez on January 22, 2021
# -Changed OS variable and relevant if statements to use OS Build rather than OS Version to avoid errors in Big Sur
####################################################################################################
#
# Parameter 4 = Set organization name in pop up window
# Parameter 5 = Failed Attempts until Stop
# Parameter 6 = Custom text for contact information.
# Parameter 7 = Custom Branding - Defaults to Self Service Icon
#Customizing Window

selfServiceBrandIcon="/Users/$3/Library/Application Support/com.jamfsoftware.selfservice.mac/Documents/Images/brandingimage.png"
jamfBrandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns"
fileVaultIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns"

if [ ! -z "$4" ]
then
orgName="$4 -"
fi

if [ ! -z "$6" ]
then
haltMsg="$6"
else
haltMsg="Please Contact IT for Further assistance."
fi

if [[ ! -z "$7" ]]; then
brandIcon="$7"
elif [[ -f $selfServiceBrandIcon ]]; then
  brandIcon=$selfServiceBrandIcon
elif [[ -f $jamfBrandIcon ]]; then
  brandIcon=$jamfBrandIcon
else
brandIcon=$fileVaultIcon
fi


## Get the logged in user's name
userName=$(/usr/bin/stat -f%Su /dev/console)

## Grab the UUID of the User
userNameUUID=$(dscl . -read /Users/$userName/ GeneratedUID | awk '{print $2}')

## Get the OS build
BUILD=`/usr/bin/sw_vers -buildVersion | awk {'print substr ($0,0,2)'}`

## This first user check sees if the logged in account is already authorized with FileVault 2
userCheck=`fdesetup list | awk -v usrN="$userNameUUID" -F, 'match($0, usrN) {print $1}'`
if [ "${userCheck}" != "${userName}" ]; then
echo "This user is not a FileVault 2 enabled user."
exit 3
fi

## Counter for Attempts
try=0
if [ ! -z "$5" ]
then
maxTry=$5
else
maxTry=2
fi

## Check to see if the encryption process is complete
encryptCheck=`fdesetup status`
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
echo "The encryption process has not completed."
echo "${encryptCheck}"
exit 4
fi

passwordPrompt () {
## Get the logged in user's password via a prompt
echo "Prompting ${userName} for their login password."
userPass=$(/usr/bin/osascript -e "
on run
display dialog \"To generate a new FileVault key\" & return & \"Enter login password for '$userName'\" default answer \"\" with title \"$orgName FileVault Key Reset\" buttons {\"Cancel\", \"Ok\"} default button 2 with icon POSIX file \"$brandIcon\" with text and hidden answer
set userPass to text returned of the result
return userPass
end run")
if [ "$?" == "1" ]
then
echo "User Canceled"
exit 0
fi
try=$((try+1))
if [[ $BUILD -ge 13 ]] &&  [[ $BUILD -lt 17 ]]; then
## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output
result=$(expect -c "
log_user 0
spawn fdesetup changerecovery -personal
expect \"Enter a password for '/', or the recovery key:\"
send {${userPass}}   
send \r
log_user 1
expect eof
" >> /dev/null)
elif [[ $BUILD -ge 17 ]]; then
result=$(expect -c "
log_user 0
spawn fdesetup changerecovery -personal
expect \"Enter the user name:\"
send {${userName}}   
send \r
expect \"Enter a password for '/', or the recovery key:\"
send {${userPass}}   
send \r
log_user 1
expect eof
")
else
echo "OS version not 10.9+ or OS version unrecognized"
echo "$(/usr/bin/sw_vers -productVersion)"
exit 5
fi
}

successAlert () {
/usr/bin/osascript -e "
on run
display dialog \"\" & return & \"Your FileVault Key was successfully Changed\" with title \"$orgName FileVault Key Reset\" buttons {\"Close\"} default button 1 with icon POSIX file \"$brandIcon\"
end run"
}

errorAlert () {
 /usr/bin/osascript -e "
on run
display dialog \"FileVault Key not Changed\" & return & \"$result\" buttons {\"Cancel\", \"Try Again\"} default button 2 with title \"$orgName FileVault Key Reset\" with icon POSIX file \"$brandIcon\"
end run"
 if [ "$?" == "1" ]
  then
echo "User Canceled"
exit 0
else
try=$(($try+1))
fi
}

haltAlert () {
/usr/bin/osascript -e "
on run
display dialog \"FileVault Key not changed\" & return & \"$haltMsg\" buttons {\"Close\"} default button 1 with title \"$orgName FileVault Key Reset\" with icon POSIX file \"$brandIcon\"
end run
"
}

while true
do
passwordPrompt
if [[ $result = *"Error"* ]]
then
echo "Error Changing Key"
if [ $try -ge $maxTry ]
then
haltAlert
echo "Quitting.. Too Many failures"
exit 0
else
echo $result
errorAlert
fi
else
echo "Successfully Changed FV2 Key"
successAlert
exit 0
fi
done

 

The only way this works properly is that the user has secure token enabled.

Yes, I've confirmed that the user does have a secure token enabled on their local account.

junjishimazaki
Valued Contributor

What OS is that mac on?

macOS Ventura 13.1

daniel_behan
Contributor III

This script was updated last year and seems to work with macOS Ventura now.

noobody
New Contributor III

Thanks! Using this updated script was all that was needed.

aledesma
New Contributor II

Were there any additional steps you had to do for this to get done?

e.g. Have user turn off filevault first, or remove them from a particular FileVault profile? 
Can you please share detailed steps. We are experiencing a similar issue for 3 users. Thanks