Explanations needed - FileVault 2 Escrow recovery key parameters

fdeltesta
Contributor

Hello, I'm about to enable FileVault disk encryption for our company's Macs, but I want to make sure I do everything correctly to avoid any problems.

And I'm quite puzzled about what some parameters mean in the FileVault configuration profile payload:

We chose to only use individual recovery keys for more security, so I ticked Require FileVault 2 and Create individual recovery key.
Since we need to get those recovery keys back to Jamf, I obviously ticked Enable Escrow Personal Recovery Key, but then here's where I get lost.
I don't know what the Escrow location description and the "Record number" message are.

Plus, I don't know what difference it makes to select whether automatic encryption or manual encryption (and then the JSS redir cert).

I can't seem to find any info about this in the documentation.
Any clues on what that information is? And any advice on how I should proceed to deploy such a thing?

Thanks in advance.



Scott_Watkins
New Contributor II

Escrow location description - This is something told to the user. This is just to let the user know where the key will be stored. For example, you could write: "This key will be securely stored with your IT department."

Record number - This is something shown to the user when they have forgotten their password. When it asks them to enter the recovery key, there is a record number there. This should be a unique reference they can give to IT to help them find the key in Jamf.

I would recommend letting Jamf handle the encryption of the recovery keys. They give you the option of using your own details to encrypt the keys.
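To show where the two settings above end up once Jamf builds the profile, here is an added example (not code from this thread, from Jamf, or from Apple) that parses a constructed `.mobileconfig` plist and checks the escrow-related keys a practitioner would want to verify before scoping the profile: the FileVault payload forces encryption on with an individual recovery key, the escrow payload carries a non-empty `Location` (the "Escrow location description" text), and `EncryptCertPayloadUUID` actually resolves to a certificate payload in the same profile (the certificate that the "manual" option asks you to supply and the "automatic" option lets Jamf manage). The payload types and keys `com.apple.MCX.FileVault2`, `com.apple.security.FDERecoveryKeyEscrow`, `Location` and `EncryptCertPayloadUUID` are Apple's documented identifiers; the UUIDs, the placeholder certificate bytes and the choice of `com.apple.security.pkcs1` as the certificate payload type are assumptions made for the example, and the Jamf "Record number" text is a Jamf-side setting that this example does not model.

```python
import plistlib

# Apple payload type identifiers from the configuration profile reference.
FILEVAULT_TYPE = "com.apple.MCX.FileVault2"
ESCROW_TYPE = "com.apple.security.FDERecoveryKeyEscrow"
# Certificate payload types that can carry the escrow encryption certificate.
# Which one an MDM emits is an assumption here; the check only needs the UUID to resolve.
CERT_TYPES = {"com.apple.security.pkcs1", "com.apple.security.pem", "com.apple.security.root"}

# Constructed UUID for the certificate payload (not from any real profile).
CERT_PAYLOAD_UUID = "AAAAAAAA-0000-0000-0000-000000000001"


def build_sample_profile(location: str, cert_uuid_ref: str) -> bytes:
    """Build a constructed .mobileconfig (binary-safe plist bytes) for testing.

    This is not a Jamf export; the values are placeholders chosen for the example.
    """
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.filevault.profile",
        "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000000",
        "PayloadDisplayName": "FileVault 2 (constructed example)",
        "PayloadContent": [
            {
                "PayloadType": FILEVAULT_TYPE,
                "PayloadVersion": 1,
                "PayloadIdentifier": "example.filevault.fv2",
                "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000002",
                "Enable": "On",            # force FileVault on ("Require FileVault 2")
                "Defer": True,             # prompt at login/logout rather than immediately
                "UseRecoveryKey": True,    # generate an individual (personal) recovery key
                "ShowRecoveryKey": False,  # do not display the key; it is escrowed instead
            },
            {
                "PayloadType": ESCROW_TYPE,
                "PayloadVersion": 1,
                "PayloadIdentifier": "example.filevault.escrow",
                "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000003",
                "Location": location,                     # "Escrow location description"
                "EncryptCertPayloadUUID": cert_uuid_ref,  # cert used to encrypt the key
            },
            {
                "PayloadType": "com.apple.security.pkcs1",
                "PayloadVersion": 1,
                "PayloadIdentifier": "example.filevault.cert",
                "PayloadUUID": CERT_PAYLOAD_UUID,
                "PayloadContent": b"placeholder-DER-bytes",  # constructed, not a real cert
            },
        ],
    }
    return plistlib.dumps(profile)


def check_filevault_profile(data: bytes) -> list:
    """Return a list of findings for a FileVault + escrow profile; empty means it passed."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    by_type = {}
    for p in payloads:
        by_type.setdefault(p.get("PayloadType"), []).append(p)
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    findings = []

    fv_payloads = by_type.get(FILEVAULT_TYPE, [])
    if len(fv_payloads) != 1:
        findings.append(f"expected exactly one {FILEVAULT_TYPE} payload, found {len(fv_payloads)}")
    else:
        fv = fv_payloads[0]
        if fv.get("Enable") != "On":
            findings.append("FileVault is not forced on (Enable is not 'On')")
        if fv.get("UseRecoveryKey") is not True:
            findings.append("no individual recovery key (UseRecoveryKey is not true)")

    escrow_payloads = by_type.get(ESCROW_TYPE, [])
    if len(escrow_payloads) != 1:
        findings.append(f"expected exactly one {ESCROW_TYPE} payload, found {len(escrow_payloads)}")
    else:
        esc = escrow_payloads[0]
        location = esc.get("Location")
        if not isinstance(location, str) or not location.strip():
            findings.append("escrow Location (the description shown to the user) is empty")
        ref = esc.get("EncryptCertPayloadUUID")
        target = by_uuid.get(ref)
        if target is None:
            findings.append(f"EncryptCertPayloadUUID {ref!r} does not match any payload in the profile")
        elif target.get("PayloadType") not in CERT_TYPES:
            findings.append(f"EncryptCertPayloadUUID points at a {target.get('PayloadType')} payload, not a certificate")

    return findings


if __name__ == "__main__":
    good = build_sample_profile("This key will be securely stored with your IT department.", CERT_PAYLOAD_UUID)
    print("good profile:", check_filevault_profile(good) or "OK")
    bad = build_sample_profile("", "DEADBEEF-0000-0000-0000-000000000000")
    print("bad profile:", check_filevault_profile(bad))
```

Run it against an exported profile by replacing the constructed bytes with `open("profile.mobileconfig", "rb").read()`; a dangling `EncryptCertPayloadUUID` is the case to catch, because the client will still enable FileVault but the key cannot be escrowed in a form Jamf can decrypt.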

fdeltesta
Contributor

Thanks @Scott.Watkins this indeed clarifies the subject.

Though, what do you mean by letting Jamf handle the encryption? Do I set it to automatically encrypt and decrypt, or do I set it to manual and then select the JSS cert?

Scott_Watkins
New Contributor II

Just set it to automatically do it.