FileVault Configuration Profile Certificate in Jamf Pro

Updated over 2 weeks ago

Description

The FileVault configuration profile certificate that Jamf Pro auto-generates is set to expire every 5 years. This certificate is what allows Jamf Pro to decrypt the encrypted personal recovery key (PRK) that a device escrows to Jamf Pro. When renewal comes due, the certificate should renew automatically within Jamf Pro under Settings > Global > PKI certificates > Jamf Pro Built-in CA > CN=JSS Built-In Signing Certificate, OU=FILEVAULT2COMM.

Even if the auto-generated certificate shown in Jamf Pro under Computers > Configuration Profiles > (select the FileVault profile) > Certificates is expired, Jamf Pro will still be able to view the valid recovery key that was escrowed to it:

  • Jamf uses the public key from the certificate in the profile to encrypt the PRK before sending it up to Jamf Pro

  • Jamf Pro has the private key associated with the certificate so it can decrypt the PRK without issues

  • Later, when the certificate expires, the public and private keys are still the same, so Jamf Pro can continue to decrypt the PRKs it already holds

  • Because the certificate was issued by the built-in CA, it is trusted and can still be used on the Mac even though it shows as expired
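To make the reasoning in these bullets concrete, here is an added example in Go (written for this page, not Jamf's code) that models the escrow round trip with the standard library: it issues a key pair and a self-signed certificate that is already expired, encrypts a constructed sample PRK with the certificate's public key, and decrypts it with the private key. The subject fields and the use of RSA-OAEP are assumptions for the model; Jamf's actual wire format is not documented on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// NewExpiredEscrowCert: key pair + self-signed cert that expired a year ago (stand-in for the FILEVAULT2COMM cert).
func NewExpiredEscrowCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "JSS Built-In Signing Certificate", OrganizationalUnit: []string{"FILEVAULT2COMM"}},
		NotBefore:    time.Now().AddDate(-6, 0, 0), // issued six years ago
		NotAfter:     time.Now().AddDate(-1, 0, 0), // expired one year ago
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// EscrowPRK models the Mac: RSA-OAEP encrypt the PRK with the cert's public key; validity dates are never consulted.
func EscrowPRK(cert *x509.Certificate, prk string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), []byte(prk), nil)
}

// RecoverPRK models Jamf Pro: the private key is unchanged by expiry, so decryption still works.
func RecoverPRK(key *rsa.PrivateKey, blob []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, key, blob, nil)
	return string(pt), err
}

func main() {
	key, cert, _ := NewExpiredEscrowCert()
	blob, _ := EscrowPRK(cert, "ABCD-EFGH-IJKL-MNOP-QRST-UVWX") // constructed sample PRK
	prk, err := RecoverPRK(key, blob)
	fmt.Println("expired:", time.Now().After(cert.NotAfter), "recovered:", prk, "err:", err)
}
```

Running it prints `expired: true` alongside the recovered PRK, which is the whole point of the bullets above: the validity window is metadata about the certificate, not a property of the key pair.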

Note: Do not deploy a second configuration profile for FileVault. If a computer already has a FileVault profile installed, the second profile will fail repeatedly (in a loop), because a computer cannot have two com.apple.security.FDERecoveryRedirect payloads installed at once.

Updating Your Certificate for FileVault Configuration Profile

If we want to update the certificate attached to the configuration profile after the CN=JSS Built-In Signing Certificate, OU=FILEVAULT2COMM certificate has auto-renewed, we take the steps below:

  1. Open the profile in Jamf Pro.

  2. Click Edit in the bottom-right corner.

  3. Click the Certificates payload, then click the X button in the upper-right corner.

  4. Click Save in the bottom-right corner.

  5. A new copy of the valid, unexpired FileVault2 COMM certificate is attached to the payload again. We can then redistribute the profile to all devices.

Will newly-generated personal recovery keys still escrow properly when this certificate is expired?

  • Yes! macOS will still use the previously installed certificate to encrypt the PRK locally and while it is in transit to Jamf Pro. Once the key is escrowed on the next SecurityInformation query, Jamf Pro can decrypt the PRK and make it available to IT admins.
