Issues Using the "Issue New Recovery Key" Policy Option

Updated over 2 weeks ago

Issue Description

UNDERSTANDING THE "ISSUE NEW RECOVERY KEY" POLICY

The "Issue New Recovery Key" option is available in the Disk Encryption payload and is used for the following purposes:

  • Rotating the Recovery Key

    • The current recovery key has been compromised or is no longer secure.

  • Re-escrowing the Recovery Key

    • If the recovery key is not correctly stored in Jamf Pro (e.g., due to a configuration error), this option generates a new key and escrows it properly.

  • Ensuring Compliance

    • Helps maintain device security during a security audit or to meet compliance requirements.

In some cases, the "Issue New Recovery Key" policy may fail and return the following error: "Error: Authentication error".

This issue typically occurs for one of the following reasons:

  • Invalid Personal Recovery Key (PRK): For the policy to succeed, the currently escrowed PRK in the device record must be valid. A valid PRK allows the policy to re-issue and escrow a new PRK successfully. If the existing PRK is invalid, the policy will fail.

  • Jamf Management Account Lacks a Secure Token: If a valid PRK is unavailable, the policy will fall back to using the Jamf Management Account and its LAPS (Local Administrator Password Solution) password to re-issue the recovery key. However, if the Jamf Management Account does not have a Secure Token (a common scenario if the account has never been logged into), the policy will fail.

Troubleshooting Steps

  1. The most tedious way to get the policy to work is to make sure that the Jamf Management account has a Secure Token. If the Bootstrap Token has already been escrowed, you can simply log into the Jamf Management account, and it will be granted a Secure Token upon login. Once the account has a Secure Token, the policy should work.

  2. The most efficient way to get this working again is to use a configuration profile to escrow the recovery key and then run a script to re-escrow a new recovery key. For example, use a ReissueKey script as described in this Knowledge Article: FileVault Personal Recovery Key is not showing in Jamf Pro.
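Before pushing the policy, it helps to confirm on the Mac which of the two preconditions above actually holds: a valid escrowed PRK, or a Jamf Management account that already has a Secure Token (and, failing that, whether the Bootstrap Token is escrowed so that step 1 will work). The following pre-flight script is an added example, not Jamf's own code. It wraps the stock macOS commands `sysadminctl -secureTokenStatus`, `profiles status -type bootstraptoken` and `fdesetup validaterecovery`, and parses their output into the same decision the article describes. The management account name `jamfadmin` is a placeholder assumption; the live commands only run when the script is actually executing on macOS, so the parsing logic can be exercised anywhere with constructed output.

```shell
#!/bin/sh
# Added example (not Jamf's own code): pre-flight check for the "Issue New
# Recovery Key" policy. Assumes the management account name is passed as $1
# (hypothetical default "jamfadmin"). Live macOS commands run only on Darwin.

# Parse the output of `sysadminctl -secureTokenStatus <user>` (written to stderr).
# Prints ENABLED, DISABLED or UNKNOWN and always returns 0 (safe under set -e).
parse_secure_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Parse the output of `profiles status -type bootstraptoken`.
# Prints YES if the Bootstrap Token is escrowed to the MDM server, NO if not.
parse_bootstrap_escrow() {
    case "$1" in
        *"escrowed to server: YES"*) echo YES ;;
        *"escrowed to server: NO"*)  echo NO ;;
        *)                           echo UNKNOWN ;;
    esac
}

# Parse the output of `fdesetup validaterecovery`, which prints "true" or "false".
parse_prk_validation() {
    case "$1" in
        true)  echo VALID ;;
        false) echo INVALID ;;
        *)     echo UNKNOWN ;;
    esac
}

# Reproduce the article's fallback chain: a valid PRK is sufficient; otherwise the
# management account needs a Secure Token. If neither holds, the Bootstrap Token
# decides whether logging into the account (step 1) will fix it, or whether the
# configuration-profile plus reissue-script route (step 2) is needed.
# Arguments: <VALID|INVALID|UNKNOWN> <ENABLED|DISABLED|UNKNOWN> <YES|NO|UNKNOWN>
policy_readiness() {
    prk="$1"; token="$2"; bootstrap="$3"
    if [ "$prk" = VALID ] || [ "$token" = ENABLED ]; then
        echo OK
    elif [ "$bootstrap" = YES ]; then
        echo NEEDS_LOGIN
    else
        echo USE_REISSUE_SCRIPT
    fi
}

# Gather live facts on a Mac and print the verdict. The PRK check is interactive:
# fdesetup prompts the operator for the key currently escrowed in Jamf Pro.
run_checks() {
    mgmt_user="${1:-jamfadmin}"   # placeholder management account name
    token=$(parse_secure_token_status "$(sysadminctl -secureTokenStatus "$mgmt_user" 2>&1)")
    bootstrap=$(parse_bootstrap_escrow "$(profiles status -type bootstraptoken 2>&1)")
    prk=$(parse_prk_validation "$(fdesetup validaterecovery 2>/dev/null)")
    echo "PRK=$prk SecureToken($mgmt_user)=$token BootstrapEscrowed=$bootstrap"
    echo "Verdict: $(policy_readiness "$prk" "$token" "$bootstrap")"
}

if [ "$(uname)" = Darwin ]; then
    run_checks "$@"
fi
```

A verdict of OK means the policy has what it needs; NEEDS_LOGIN corresponds to step 1 (log into the management account so it is granted a Secure Token); USE_REISSUE_SCRIPT corresponds to step 2. Run it with `sudo` on the affected Mac, since `sysadminctl` and `fdesetup` need admin rights for these queries.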
