Redirect personal filevault keys to Jamf

ooshnoo
Valued Contributor

I know this has been discussed before, but wanted a fresh take on it as it seems old methods are no longer supported.

We have numerous users who have enabled FileVault via System Preferences, and not by Jamf, therefore we don't know what their personal recovery keys are.

What is the best way (if there is a way) to redirect these keys to the Jamf server?

I've tried the config profile to escrow the key to the Jamf Pro server, but it doesn't seem to work even though the profile successfully installs. I look in the computer's management tab, and the key is still unknown.

Any of you wonderful folks have an idea?

Thanks!

3 REPLIES

Sichas
Contributor

The escrow might be working, actually, but it doesn't have anything to escrow if the recovery key has already been set. You could think of the escrow process as basically "intercepting" a key that gets issued - so if the key was already issued, there's nothing to "intercept" anymore. Therefore, we can re-issue the key. Here's a script to accomplish this: https://github.com/homebysix/jss-filevault-reissue

Hope this helps a little :)
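The mechanism described in this reply, as an added example that is not part of the thread and is not the jss-filevault-reissue script: a small shell workflow that checks the escrow profile is actually installed, then asks `fdesetup` to issue a new personal recovery key so the MDM escrow payload has something to capture. The `profiles -C -o stdout-xml` query, the `fdesetup status` line text, and the six-group key format are how those tools behave on current macOS; the function names and the way the user's password is obtained (out of band, by whatever prompt your org uses) are assumptions of this example. The pure helpers are kept separate from the root-only `fdesetup`/`profiles` calls so they can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the thread, not Elliot Jordan's script): re-issue a
# FileVault personal recovery key (PRK) so the MDM escrow profile can capture
# the *new* key. Pure helpers are separated from the fdesetup/profiles calls
# so they can be checked without root or macOS.

ESCROW_PAYLOAD="com.apple.security.FDERecoveryKeyEscrow"   # Apple's escrow payload type
PRK_PATTERN='[A-Z0-9]{4}(-[A-Z0-9]{4}){5}'                # 6 groups of 4, e.g. ABCD-1234-...

# Escape the five XML special characters so a password survives plist embedding.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                          -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the plist that `fdesetup -inputplist` reads on stdin (keys: Username,
# Password). Feeding the password on stdin keeps it out of `ps` and shell history.
build_input_plist() {
    user=$(xml_escape "$1"); pass=$(xml_escape "$2")
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<plist version="1.0"><dict>\n'
    printf '  <key>Username</key><string>%s</string>\n' "$user"
    printf '  <key>Password</key><string>%s</string>\n' "$pass"
    printf '</dict></plist>\n'
}

# True if the escrow payload type appears in the profile XML read from stdin
# (the output of `profiles -C -o stdout-xml`). Without this payload installed
# first, a re-issued key is simply not recorded anywhere.
escrow_payload_present() {
    grep -qF "<string>$ESCROW_PAYLOAD</string>"
}

# Pull the new PRK out of fdesetup's stdout, whatever text surrounds it.
# Prints the key and returns 0, or prints nothing and returns 1.
extract_prk() {
    printf '%s\n' "$1" | grep -oE "$PRK_PATTERN" | head -n 1 | grep .
}

# Orchestration: runs only on macOS as root. Distinct exit codes so a Jamf
# policy log shows *why* it stopped. Usage: reissue_prk <username> <password>
reissue_prk() {
    if ! /usr/bin/profiles -C -o stdout-xml | escrow_payload_present; then
        echo "escrow profile ($ESCROW_PAYLOAD) not installed; refusing to rotate" >&2
        return 2
    fi
    if [ "$(/usr/bin/fdesetup status | head -n 1)" != "FileVault is On." ]; then
        echo "FileVault is not enabled" >&2
        return 3
    fi
    out=$(build_input_plist "$1" "$2" \
          | /usr/bin/fdesetup changerecovery -personal -inputplist 2>&1)
    key=$(extract_prk "$out") || { echo "fdesetup did not return a key: $out" >&2; return 4; }
    # Never log the key itself; confirm one was issued and let the profile escrow it.
    echo "new PRK issued (${#key} chars); MDM escrow should now record it"
}
```

Two points worth keeping in mind: the profile check comes first because rotating a key with no escrow payload present leaves the user with a key nobody knows, and `fdesetup changerecovery -personal` needs the password of a FileVault-enabled user, so a workflow like this has to prompt the user (which is exactly the step Escrow Buddy, mentioned later in the thread, avoids by doing the regeneration at the login window).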

ooshnoo
Valued Contributor

@iMatthewCM, thank you, sir. Will check it out.

elliotjordan
Contributor III

Hi! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that might be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!