Description
FileVault Personal Recovery Keys (PRKs) are essential for ensuring the security and recoverability of encrypted devices. Jamf Pro plays a crucial role by securely escrowing these keys, enabling administrators to retrieve them when needed. It is critical to ensure that PRKs are properly configured and escrowed to prevent recovery issues.
When a computer was already FileVault encrypted before it was added to Jamf Pro, or its computer inventory record is missing the Recovery Key under Inventory > Disk Encryption, a script can be deployed via a Jamf Pro policy to issue a new Personal Recovery Key, which Jamf Pro then escrows.
If the password is not known, the PRK is not escrowed, and no other account can log in to reset the password, one of Apple's other password-reset methods is needed. If those options don't work, it may be necessary to erase and re-enroll the device, making sure PRK escrow is configured properly during re-enrollment.
Reissuing the PRK with a Script
1. Open the link to this script (https://github.com/jamf/FileVault2_Scripts) in a new tab, select the Code button, and then select Download ZIP.
2. Unzip the file.
3. Follow the steps below to add the script to Jamf Pro:
   a. Open Jamf Pro and navigate to Settings > Computer management > Scripts > New.
   b. Set a Display Name for this script.
   c. Click the Script tab and drag the reissueKey.sh script from the folder unzipped in step 2 into the "Script Contents" field. Once you release the mouse button, the script contents should appear in the "Script Contents" box within Jamf Pro.
   d. Click the Save button.
4. If a configuration profile that escrows the Personal Recovery Key does not already exist in Jamf Pro, create one; if it does, skip to step 5.
   a. Go to Computers > Configuration Profiles > New and give the configuration profile a name.
   b. Click on the Security & Privacy payload and select Configure.
   c. Click the FileVault tab.
   d. At minimum, click the toggle to Include Escrow Personal Recovery Key and fill in the Escrow Location Description.
   e. Add computers to the Scope of the configuration profile and hit Save.
5. Create a policy to deploy the script:
   a. In Jamf Pro, navigate to Computers > Policies > New.
   b. On the General tab, specify a "Display Name" for the policy, set the Trigger to "Recurring Check-in", and leave the Frequency on "Once Per Computer".
   c. Click Scripts and hit Configure.
   d. Click Add for the reissueKey.sh script created in step 3.
   e. Select the Maintenance payload, click Configure and leave "Update Inventory" checked. This will force the computer to submit inventory when the policy runs.
   f. Click on Scope and add the desired computers or computer groups to the scope.
   g. Click Save.
Once the policy runs on the computer, it should reissue the key. After the computer submits inventory (at least once, sometimes twice), the new key is escrowed in Jamf Pro and visible in the computer inventory record under Inventory > Disk Encryption.
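As an added example (this is not the reissueKey.sh script from the jamf/FileVault2_Scripts repository, nor Jamf's code), the shell functions below show the mechanics a reissue script of this kind relies on and the checks an administrator would want around them: confirm FileVault is fully on before touching the key, hand the unlocking user's password to fdesetup on stdin rather than on the command line, confirm a new key actually came back, and report success without writing the key itself into the Jamf policy log. It assumes macOS with fdesetup, execution as root, and that the calling policy script has already collected the user's password (the prompt is out of scope here); the helper functions are plain shell so the parsing and decision logic can be checked on any system.

```shell
#!/bin/bash
# Added example; not the reissueKey.sh script from jamf/FileVault2_Scripts.
# Only reissue_prk() needs macOS; every other function is pure shell.

# Escape a value for inclusion in the plist (passwords can contain & < > " ').
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the plist that `fdesetup -inputplist` reads from stdin. Passing the
# password this way keeps it out of the process argument list, where `ps`
# would show it to any local user.
build_fdesetup_plist() {
    user=$(xml_escape "$1")
    pass=$(xml_escape "$2")
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' \
        '<dict>' \
        '    <key>Username</key>' \
        "    <string>${user}</string>" \
        '    <key>Password</key>' \
        "    <string>${pass}</string>" \
        '</dict>' \
        '</plist>'
}

# Decide from `fdesetup status` output whether a key change makes sense: only
# when FileVault is on and no encryption or decryption pass is still running.
fv_ready() {
    case "$1" in
        *"FileVault is On."*)
            case "$1" in
                *"in progress"*) return 1 ;;
            esac
            return 0 ;;
    esac
    return 1
}

# Pull the new key out of fdesetup's output by its shape (six groups of four
# uppercase alphanumerics) rather than by the exact wording of the message.
extract_prk() {
    printf '%s\n' "$1" | grep -oE '[A-Z0-9]{4}(-[A-Z0-9]{4}){5}' | head -n 1
}

# Keep only the first group, enough for an admin to match the record that
# appears under Inventory > Disk Encryption, so the full key never lands in
# the policy log.
redact_prk() {
    printf '%s-XXXX-XXXX-XXXX-XXXX-XXXX\n' "${1%%-*}"
}

# macOS only: run as root with a local account that can unlock FileVault.
# The account's password is assumed to have been collected by the caller.
reissue_prk() {
    user="$1"
    pass="$2"
    status=$(fdesetup status 2>/dev/null)
    if ! fv_ready "$status"; then
        echo "FileVault is not fully enabled on this Mac; nothing to reissue." >&2
        return 2
    fi
    out=$(build_fdesetup_plist "$user" "$pass" | fdesetup changerecovery -personal -inputplist 2>&1)
    key=$(extract_prk "$out")
    if [ -z "$key" ]; then
        echo "fdesetup did not return a new key: $out" >&2
        return 1
    fi
    # With the escrow configuration profile installed, the new key reaches
    # Jamf Pro on the next inventory submission; the Maintenance payload's
    # Update Inventory step (or a manual `jamf recon`) takes care of that.
    echo "New personal recovery key generated: $(redact_prk "$key")"
}

# Usage on the Mac, from the calling policy script:
#   reissue_prk "$currentUser" "$userPassword"
```

The redaction is the point worth copying: Jamf Pro records everything the script prints in the policy log, so a script that echoes the full key has just stored it in a second, less protected place than the escrow record it was meant to populate.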
