FileVault 2 Recovery Key Device Key

bmarks
Contributor II

I searched but I couldn't find any info. Does anyone know why there is a second entry on the FileVault 2 tab of the Management section of a computer record in the JSS (i.e., when you are trying to view your personal key)?

FILEVAULT 2 RECOVERY KEY DEVICE KEY

It looks like it is followed by the device's serial number, but I'm not sure why this is being displayed or what the practical use would be.

6 REPLIES

bartlomiejsojka
Contributor

From 10.13, if you use the new recovery key escrow method of the Security & Privacy CP payload, there is a DEVICE KEY field you can populate with some useful information regarding the machine, e.g. an asset tag. This, together with ESCROW LOCATION, goes into the following placeholders when attempting to decrypt the Mac with the recovery key:

Type the recovery key
Your recovery key has been archived at <escrowlocation>. Contact your system administrator to retrieve it. You may be asked to provide the following information:
Serial Number: #############
Record Number: <devicekey>

Thanks to the FILEVAULT 2 RECOVERY KEY DEVICE KEY field, you can verify which device key has been set on this particular Mac.

doschupp
New Contributor II

The FileVault 2 Recovery Key Device Key can be set with the "record number" message in the FileVault profile ("Security & Privacy" payload). If you leave this empty, the serial number will be displayed instead.

This value is displayed if you want to unlock the Mac with the recovery key.

cainehorr
Contributor III

So far, the two answers given still don't actually answer the OP's question.

Great: it's supposed to return the serial number (if left blank) or return a device key... but that is manually filled out.

I think what the OP wants to know is: what would you put in the field, considering it's a manual entry?

Where does this device key come from? The payload gets set once, so whatever is in there appears for all devices in the fleet. How does that help?

Unless there's something else being put in there that provides unique data per device...

Is this linked to an EA perhaps? I haven't found any relevant info on this either.

I'd like to know too...

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

bartlomiejsojka
Contributor

@cainehorr, ever heard of Apple's and JAMF's payload variables? I think these answer your questions quite well.

cainehorr
Contributor III

Yes, familiar.

Still... Not seeing the relationship in this particular case.

Anybody care to post an actual workflow?

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!
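A worked illustration of the payload-variable workflow asked about above, added here as an example; it is my own code, not code from the thread, from Jamf or from Apple. The payload type com.apple.security.FDERecoveryKeyEscrow and its Location and DeviceKey keys are Apple's; $SERIALNUMBER and $EXTENSIONATTRIBUTE_<#> are Jamf payload variable names, but Jamf's per-computer substitution is simulated locally so the script runs offline. The payload identifiers, UUIDs, serial numbers and asset tags are constructed, and extension attribute 1 is assumed to hold the asset tag.

```python
"""Added example, not from the thread or from Jamf/Apple: show how one
Security & Privacy payload yields a per-device DeviceKey through a payload
variable, then check the value that actually landed on a given Mac."""
import copy
import plistlib
import re

# Apple's payload type for FileVault recovery key escrow; its keys are
# Location (the ESCROW LOCATION text) and DeviceKey (the "record number").
ESCROW_PAYLOAD_TYPE = "com.apple.security.FDERecoveryKeyEscrow"

# Jamf payload variables look like $NAME and are substituted per computer
# when the profile is installed. Identifiers and UUIDs here are hypothetical.
PROFILE_TEMPLATE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.fv2-escrow",
    "PayloadUUID": "0A3F6E2C-0000-4000-8000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [
        {
            "PayloadType": ESCROW_PAYLOAD_TYPE,
            "PayloadIdentifier": "com.example.fv2-escrow.escrow",
            "PayloadUUID": "0A3F6E2C-0000-4000-8000-000000000002",
            "PayloadVersion": 1,
            "Location": "the IT service desk (Jamf Pro computer record)",
            # $SERIALNUMBER / $EXTENSIONATTRIBUTE_1 are Jamf variable names;
            # EA 1 is assumed to hold the asset tag.
            "DeviceKey": "$SERIALNUMBER / asset $EXTENSIONATTRIBUTE_1",
        }
    ],
}

VARIABLE_RE = re.compile(r"\$[A-Z][A-Z0-9_]*")


def render_for_device(template, inventory):
    """Local stand-in for Jamf's substitution: replace $NAME with
    inventory["NAME"]. Unknown variables stay literal so a check catches them."""
    def substitute(value):
        if isinstance(value, str):
            return VARIABLE_RE.sub(
                lambda m: inventory.get(m.group(0)[1:], m.group(0)), value)
        if isinstance(value, dict):
            return {k: substitute(v) for k, v in value.items()}
        if isinstance(value, list):
            return [substitute(v) for v in value]
        return value
    return substitute(copy.deepcopy(template))


def render_installed_profile(template, inventory):
    """Bytes of the profile as it would exist on one Mac (XML plist)."""
    return plistlib.dumps(render_for_device(template, inventory))


def find_escrow_payloads(node):
    """Walk any plist structure and yield the escrow settings dicts. Works on
    a .mobileconfig and on `sudo profiles -P -o stdout-xml` output, where the
    settings sit under a PayloadContent sub-dict; no exact nesting is assumed."""
    if isinstance(node, dict):
        if node.get("PayloadType") == ESCROW_PAYLOAD_TYPE:
            inner = node.get("PayloadContent")
            yield inner if isinstance(inner, dict) else node
        for value in node.values():
            yield from find_escrow_payloads(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_escrow_payloads(item)


def verify_device_key(plist_bytes, serial):
    """Report the DeviceKey a Mac will show as "Record Number" at the
    pre-boot unlock screen and whether it identifies the machine."""
    payloads = list(find_escrow_payloads(plistlib.loads(plist_bytes)))
    if not payloads:
        return {"device_key": None, "location": None,
                "unresolved_variables": [], "matches_serial": False}
    settings = payloads[0]
    key = settings.get("DeviceKey", "")
    return {
        "device_key": key,
        "location": settings.get("Location"),
        "unresolved_variables": VARIABLE_RE.findall(key),
        "matches_serial": bool(key) and serial in key,
    }


if __name__ == "__main__":
    # Constructed inventory records for two Macs in the fleet.
    fleet = {
        "C02XY1234ABC": {"SERIALNUMBER": "C02XY1234ABC", "EXTENSIONATTRIBUTE_1": "A-1042"},
        "C02ZZ9876DEF": {"SERIALNUMBER": "C02ZZ9876DEF", "EXTENSIONATTRIBUTE_1": "A-1043"},
    }
    for serial, inventory in fleet.items():
        print(serial, verify_device_key(render_installed_profile(PROFILE_TEMPLATE, inventory), serial))
    # The unrendered template still carries literal variables; the check flags them.
    print(verify_device_key(render_installed_profile(PROFILE_TEMPLATE, {}), "C02XY1234ABC"))
```

On a real Mac the check would take the output of `sudo profiles -P -o stdout-xml` as `plist_bytes` and the serial from `system_profiler SPHardwareDataType`; because the walker only looks for the escrow PayloadType, the exact nesting of that command's output does not matter. One payload, two different DeviceKey values per computer, and a flagged result when a variable was never substituted is the relationship between the field and the payload variables.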

rickwhois
Contributor

At risk of being ridiculed ;) does anyone else know where the Recovery Key Device Key is stored in Jamf Pro?

I should clarify: I'm referring to the Recovery Key Device Key, not the actual Recovery Key that is shown in FV2 Management.

Anyone know if this device key is stored in Jamf so that we can verify it when retrieving the recovery key?

(Never mind) The device key shows up for me now under the recovery key.