Jamf

UNDERSTANDING THE "ISSUE NEW RECOVERY KEY" POLICY

The "Issue New Recovery Key" option is available in the Disk Encryption payload and is used for the following purposes:

- The current recovery key has been compromised or is no longer secure.
   

- If the recovery key is not correctly stored in Jamf Pro (e.g., due to a configuration error), this option generates a new key and escrows it properly.

- Helps maintain device security during a security audit or to meet compliance requirements.

- \n Rotating the Recovery Key
  - The current recovery key has been compromised or is no longer secure.
     
- \n Re-escrowing the Recovery Key
  - If the recovery key is not correctly stored in Jamf Pro (e.g., due to a configuration error), this option generates a new key and escrows it properly.
   
- Ensuring Compliance
  - Helps maintain device security during a security audit or to meet compliance requirements.
   

In some cases, the "Issue New Recovery Key" policy may fail and return the following error: "Error: Authentication error"

This issue typically occurs for one of the following reasons:

Invalid Personal Recovery Key (PRK): For the policy to succeed, the currently escrowed PRK in the device record must be valid. A valid PRK allows the policy to re-issue and escrow a new PRK successfully. If the existing PRK is invalid, the policy will fail.

- Invalid Personal Recovery Key (PRK): For the policy to succeed, the currently escrowed PRK in the device record must be valid. A valid PRK allows the policy to re-issue and escrow a new PRK successfully. If the existing PRK is invalid, the policy will fail.

Jamf Management Account Lacks a Secure Token: If a valid PRK is unavailable, the policy will fall back to using the Jamf Management Account and its LAPS (Local Administrator Password Solution) password to re-issue the recovery key. However, if the Jamf Management Account does not have a Secure Token (a common scenario if the account has never been logged into), the policy will fail.

- Jamf Management Account Lacks a Secure Token: If a valid PRK is unavailable, the policy will fall back to using the Jamf Management Account and its LAPS (Local Administrator Password Solution) password to re-issue the recovery key. However, if the Jamf Management Account does not have a Secure Token (a common scenario if the account has never been logged into), the policy will fail.

The most tedious way to get the policy to work would be to make sure that the Jamf Management account has secure token. If bootstrap token has already been escrowed, you can simply log into the Jamf Management account and it will collect a secure token upon login. Once it has secure token, the policy should work. 

The most efficient way to get this working again would be to utilize a configuration profile to escrow the recovery key and utilize one of the following scripts to re-escrow a new recovery key: Use a ReissueKey script using this Knowledge Article: <a href="https://intercom.help/jamfsupport/en/articles/11016721-filevault-personal-recovery-key-is-not-showing-in-jamf-pro" rel="nofollow noopener noreferrer" target="_blank">FileVault Personal Recovery Key is not showing in Jamf Pro</a>

1. The most tedious way to get the policy to work would be to make sure that the Jamf Management account has secure token. If bootstrap token has already been escrowed, you can simply log into the Jamf Management account and it will collect a secure token upon login. Once it has secure token, the policy should work. 
 
2. The most efficient way to get this working again would be to utilize a configuration profile to escrow the recovery key and utilize one of the following scripts to re-escrow a new recovery key: Use a ReissueKey script using this Knowledge Article: <a href="https://intercom.help/jamfsupport/en/articles/11016721-filevault-personal-recovery-key-is-not-showing-in-jamf-pro" rel="nofollow noopener noreferrer" target="_blank">FileVault Personal Recovery Key is not showing in Jamf Pro</a>

- <a href="https://github.com/macadmins/escrow-buddy" rel="nofollow noopener noreferrer" target="_blank">https://github.com/macadmins/escrow-buddy</a> 
- <a href="https://www.youtube.com/watch?v=DDv8YCP041o" rel="nofollow noopener noreferrer" target="_blank">https://www.youtube.com/watch?v=DDv8YCP041o</a>

- Escrow Buddy 
 - <a href="https://github.com/macadmins/escrow-buddy" rel="nofollow noopener noreferrer" target="_blank">https://github.com/macadmins/escrow-buddy</a> 
 - <a href="https://www.youtube.com/watch?v=DDv8YCP041o" rel="nofollow noopener noreferrer" target="_blank">https://www.youtube.com/watch?v=DDv8YCP041o</a>

Issues Using the "Issue New Recovery Key" Policy Option

Create a custom design with text, images, and links

Community

Training

Login

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Issues Using the "Issue New Recovery Key" Policy Option

Issue Description

Troubleshooting Steps

More Resources