Posted on 09-19-2017 03:51 AM
On 10.12 and below we have the below config in place scoped to all devices.
For 10.13 I understand the key redirect payload is no longer applicable. But exactly what keys should I enable and disable for this to work on 10.13? I have tried removing the key redirect and enabling personal recovery key, but I get invalid keys reporting in the JSS with whatever options I enable. Also it takes hours now on 10.13 vs minutes on 10.12 for encryption to complete.
Will it also mean I need 2 config profiles: one scoped to 10.12 and below and another scoped to 10.13 devices?
Posted on 09-19-2017 05:42 AM
Fortunately you'll only need one new configuration profile. If you configure it with both the old FileVault Recovery Key Redirection payload and the new FileVault Recovery Key Escrow, the first one will be ignored on 10.13, while the second one will be unrecognised (thus ignored) on 10.12.6 and below. Apple confirmed it in the cautions of the payload's documentation.
Checking Enable Escrow Personal Recovery Key and providing a location and encryption method should be sufficient for it to work properly. But I haven't finished my tests on this, partly due to the encryption time issue you've mentioned, which is a true nightmare. I'll get back to you with my findings.
Posted on 09-19-2017 06:33 AM
@bartlomiej.sojka I’ve managed to get this to work by enabling Escrow Personal Recovery Key and removing FV recovery key redirection.
I found that if you had 1 profile scoped to 10.12 and 10.13 devices and combined the redirect key payload with the new 10.13 required FV keys, it was causing key invalidation with 10.13 clients.
JAMF support confirmed the need for separate config profiles for 10.12 and below and for 10.13.
*PS - it takes hours to encrypt a 250GB APFS volume on a 2016 TB MBP on 10.13 GM. Same device on Sierra took no more than 20 mins.
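As an added example (not code from this thread, Jamf or Apple), a small Python check that parses a .mobileconfig and flags the situation the posters describe: the old FileVault Recovery Key Redirection payload and the new Recovery Key Escrow payload combined in one profile, or an escrow payload with required fields left empty. The payload type identifiers are taken from Apple's Configuration Profile Reference; the required escrow key names, the sample URL and the UUID are assumptions of this example.

```python
import plistlib

# Payload identifiers from Apple's Configuration Profile Reference; the key
# names required in the escrow payload are an assumption of this example.
REDIRECT_TYPE = "com.apple.security.FDERecoveryRedirect"  # 10.12 and below
ESCROW_TYPE = "com.apple.security.FDERecoveryKeyEscrow"   # 10.13 and later
ESCROW_REQUIRED = ("Location", "EncryptCertPayloadUUID")


def audit_profile(profile):
    """Report which FileVault key-handling payloads a profile carries and
    the findings an admin would want to see before scoping it."""
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType") for p in payloads]
    has_redirect = REDIRECT_TYPE in types
    has_escrow = ESCROW_TYPE in types
    findings = []
    if has_redirect and has_escrow:
        # The combination the thread reports as invalidating keys on 10.13
        findings.append("redirect and escrow payloads combined; split the "
                        "profile by OS version")
    if not (has_redirect or has_escrow):
        findings.append("no redirect or escrow payload; keys will not "
                        "reach the JSS")
    for p in payloads:
        if p.get("PayloadType") == ESCROW_TYPE:
            missing = [k for k in ESCROW_REQUIRED if not p.get(k)]
            if missing:
                findings.append("escrow payload missing " + ", ".join(missing))
    return {"redirect": has_redirect, "escrow": has_escrow,
            "findings": findings}


def audit_mobileconfig(data):
    """Parse a .mobileconfig (XML or binary plist) and audit it."""
    return audit_profile(plistlib.loads(data))


# Constructed sample: one profile carrying both payloads, like the one the
# original poster scoped to all devices. URL and UUID are placeholders.
COMBINED = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": REDIRECT_TYPE, "RedirectURL": "https://jss.example.com/"},
        {"PayloadType": ESCROW_TYPE, "Location": "Example Corp JSS",
         "EncryptCertPayloadUUID": "00000000-0000-0000-0000-000000000001"},
    ],
})

if __name__ == "__main__":
    print(audit_mobileconfig(COMBINED))
```

Run it against an exported profile with `audit_mobileconfig(open(path, "rb").read())`; a profile meant for 10.13 clients should report `escrow` True, `redirect` False and no findings.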