
FileVault Personal Recovery Key is Not Showing in Jamf Pro

Updated over 2 weeks ago


Issue Description

The computer was already FileVault encrypted before it was enrolled in Jamf Pro, or the Personal Recovery Key is missing from the computer's inventory record in Jamf Pro under Inventory > Disk Encryption. In both cases Jamf Pro never saw the key, so it cannot display it.

Troubleshooting Steps

We can deploy a script via a Jamf Pro policy to issue a new Personal Recovery Key, which is then escrowed by Jamf Pro. The script prompts the logged-in user for their FileVault password, so a FileVault-enabled user must be logged in when the policy runs, and the escrow configuration profile (step 4) must already be installed on the computer before the key is reissued; a key generated without that profile in place is not captured anywhere.

  1. Open the link to this script (https://github.com/jamf/FileVault2_Scripts) in a new tab, select the Code button, and then select Download ZIP.

  2. Unzip the file.

  3. Follow the steps below to add the script to Jamf Pro:

    1. Open Jamf Pro and navigate to Settings > Computer management > Scripts > New.

    2. Set a Display Name for this script.

    3. Click the Script tab and drag the reissueKey.sh script from the folder unzipped in step 2 into the "Script Contents" field in Jamf Pro. When the mouse button is released, the script contents should appear in the "Script Contents" box.

    4. Click the Save button.

  4. If it doesn't already exist in Jamf Pro, create a configuration profile to escrow the Personal Recovery Key. If a configuration profile that escrows the Personal Recovery Key already exists and is scoped to the affected computers, skip to step 5. Confirm the profile shows as installed on the target computers before deploying the script in step 5; otherwise the reissued key will not be escrowed.

    1. Go to Computers > Configuration Profiles > New and give the configuration profile a name.

    2. Click on the Security & Privacy payload and select Configure.

    3. Click the FileVault tab.

    4. At minimum click the toggle to Include Escrow Personal Recovery Key and fill in the Escrow Location Description.

    5. Add computers to the Scope of the configuration profile and hit Save.

  5. Create a policy to deploy the script:

    1. In Jamf Pro, navigate to Computers > Policies > New.

    2. On the General tab: specify a "Display Name" for the policy, set the Trigger to "Recurring Check-in", and leave the Frequency on "Once Per Computer".

    3. Click Scripts and hit Configure.

    4. Click Add for the reissueKey.sh script created in step 3.

    5. Select the Maintenance payload, click Configure and leave "Update Inventory" checked. This will force the computer to submit inventory when the policy runs.

    6. Click on Scope and add desired computers or computer groups to the scope.

    7. Click Save.

  6. Once the policy runs on the computer and the user enters their FileVault password, it reissues the Personal Recovery Key. After the computer submits inventory (it may take two inventory submissions), the new key appears in Jamf Pro under the computer inventory record in Inventory > Disk Encryption. If the key still does not appear, check the policy log for the script's output and verify that the escrow profile is installed on that computer.
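The script the policy deploys does, at its core, a `fdesetup changerecovery -personal` on the Mac. The block below is an added example, written for this page and not taken from the article or from the jamf/FileVault2_Scripts repository, of the same rotation with the checks a practitioner wants around it: it refuses to rotate when FileVault is off or when no profile carrying the FDERecoveryKeyEscrow payload is installed (the failure mode behind "key not showing"), feeds the user's password to fdesetup via `-inputplist` instead of an interactive terminal prompt, and validates the new key with `fdesetup validaterecovery` before reporting success. The sample `fdesetup` outputs embedded at the top are constructed so the parsing functions can be exercised anywhere; the real `fdesetup`, `profiles`, `scutil` and `osascript` calls only run on macOS, and the exact wording of the `changerecovery` output line is an assumption.

```bash
#!/bin/bash
# Added example: rotate the FileVault Personal Recovery Key (PRK) with
# pre-flight checks. Not the article's or jamf/FileVault2_Scripts' code.

# Constructed sample outputs (not captured from a real Mac) for offline testing.
SAMPLE_STATUS="FileVault is On."
SAMPLE_CHANGE_OUT="Enter the password for user 'alice':
New personal recovery key = ABCD-EFGH-1234-5678-JKLM-NPQR"

# A PRK is six groups of four characters, A-Z and 0-9, separated by dashes.
prk_format_ok() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# True when text from `fdesetup status` reports FileVault enabled.
fv_is_on() {
    printf '%s' "$1" | grep -q '^FileVault is On\.'
}

# Pull the new key out of `fdesetup changerecovery -personal` output.
# Assumption: the line reads "New personal recovery key = XXXX-...".
extract_prk() {
    printf '%s\n' "$1" | sed -n 's/^New personal recovery key = \(.*\)$/\1/p' | tr -d '[:space:]'
}

# Escrow only happens if a profile with the FDERecoveryKeyEscrow payload is
# already installed; without it the new key is generated and never captured.
escrow_profile_installed() {
    profiles show -type configuration -output stdout-xml 2>/dev/null \
        | grep -q 'FDERecoveryKeyEscrow'
}

# Ask the console user for their FileVault password (Jamf runs scripts as root,
# but the rotation needs a FileVault-enabled user's credentials).
prompt_password() {
    osascript \
        -e "display dialog \"Enter the FileVault password for $1 to refresh the recovery key.\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1" \
        -e 'text returned of result'
}

rotate_prk() {
    local user status out key
    status=$(fdesetup status)
    fv_is_on "$status" || { echo "FileVault is not enabled; nothing to rotate." >&2; return 1; }
    escrow_profile_installed || { echo "No FDERecoveryKeyEscrow profile installed; aborting so the key is not generated unescrowed." >&2; return 2; }
    user=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && !/loginwindow/ {print $3}')
    [ -n "$user" ] || { echo "No console user logged in; cannot prompt for a password." >&2; return 3; }
    # -inputplist reads Username/Password from stdin. A password containing
    # XML-special characters (&, <) would need escaping before this step.
    out=$(printf '<plist version="1.0"><dict><key>Username</key><string>%s</string><key>Password</key><string>%s</string></dict></plist>' \
            "$user" "$(prompt_password "$user")" \
        | fdesetup changerecovery -personal -inputplist 2>&1)
    key=$(extract_prk "$out")
    prk_format_ok "$key" || { echo "fdesetup did not return a well-formed key: $out" >&2; return 4; }
    # Confirm the key actually unlocks the volume before reporting success.
    [ "$(printf '%s\n' "$key" | fdesetup validaterecovery)" = "true" ] \
        || { echo "New key failed validation." >&2; return 5; }
    echo "Recovery key rotated; submit inventory so Jamf Pro escrows it."
}

# Only rotate when explicitly asked, so sourcing or testing this file is safe.
if [ "${1:-}" = "--rotate" ]; then
    rotate_prk
fi
```

Deploying this in place of reissueKey.sh changes nothing about the policy: the script still needs a logged-in FileVault user, and the Maintenance payload's "Update Inventory" is still what gets the escrowed key into the inventory record. Abort codes 2 and 4 are the ones to look for in the policy log when a key does not show up.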

