Issuing a New FileVault 2 Recovery Key

You can issue a new FileVault 2 recovery key to computers with macOS 10.9 or later that have FileVault 2 activated. This allows you to do the following:

  • Update the recovery key on computers on a regular schedule, without needing to decrypt and then re-encrypt the computers.

  • Replace an individual recovery key that has been reported as invalid and does not match the recovery key stored in Jamf Pro.

Note: You can create a smart group to verify the recovery key on computers on a regular basis. For information on FileVault 2 smart group criteria, see the following Knowledge Base article:

Smart Group and Advanced Search Criteria for FileVault 2 and Legacy FileVault

You can issue a new FileVault 2 recovery key to computers using a policy.

Requirements

To issue a new individual recovery key to a computer, the computer must have:

  • macOS 10.9 or later

  • A “Recovery HD” partition

  • FileVault 2 activated

  • One of the following two conditions met:

    • The management account configured as the enabled FileVault 2 user

    • An existing, valid individual recovery key that matches the key stored in Jamf Pro

To issue a new institutional recovery key to a computer, the computer must have:

  • macOS 10.9 or later

  • A “Recovery HD” partition

  • FileVault 2 activated

  • The management account configured as the enabled FileVault 2 user
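
The two requirement lists above can be checked on the computer itself before a policy is scoped to it. The script below is an added example and is not part of this guide or of Jamf's own tooling. It assumes the output formats of the macOS commands named in its comments (`sw_vers -productVersion`, `fdesetup status`, `diskutil list` and `fdesetup list`), takes the management account name as its argument, and ships constructed sample output so it can be exercised away from a Mac.

```shell
#!/bin/sh
# Added example, not from the Jamf Pro guide: a local pre-flight check that mirrors
# the guide's requirements for issuing a new individual recovery key.
# Assumptions (not stated on the page): the output formats of `sw_vers -productVersion`
# ("10.14.6"), `fdesetup status` ("FileVault is On."), `diskutil list` (shows a
# "Recovery HD" slice on HFS+ systems) and `fdesetup list` ("username,UUID" per
# enabled FileVault user). `fdesetup list` needs root. The management account name
# is passed in as $1.

# Return 0 when dotted version $1 is at least $2 (up to three numeric components).
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s' "$1" | cut -d. -f"$i")
    b=$(printf '%s' "$2" | cut -d. -f"$i")
    a=${a:-0}
    b=${b:-0}
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# $1 is the output of `fdesetup status`.
filevault_on() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 is the output of `diskutil list`; the guide requires a "Recovery HD" partition.
has_recovery_hd() {
  case "$1" in
    *"Recovery HD"*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 is the management account name, $2 the output of `fdesetup list`.
management_account_enabled() {
  printf '%s\n' "$2" | grep -q -- "^$1,"
}

# Evaluate the guide's requirements for a new individual recovery key.
# Returns 0 when every requirement is met locally, 1 when a hard requirement fails,
# and 2 when only the second alternative remains: the management account is not the
# enabled FileVault user, so the policy succeeds only if the computer's existing key
# matches the one stored in Jamf Pro, which cannot be checked without that key.
individual_key_ready() {
  mgmt=$1; ver=$2; status=$3; disks=$4; users=$5
  version_ge "$ver" "10.9"   || { echo "fail: macOS $ver is older than 10.9"; return 1; }
  has_recovery_hd "$disks"   || { echo "fail: no Recovery HD partition"; return 1; }
  filevault_on "$status"     || { echo "fail: FileVault 2 is not activated"; return 1; }
  if management_account_enabled "$mgmt" "$users"; then
    echo "ok: $mgmt is a FileVault-enabled user"
    return 0
  fi
  echo "warn: $mgmt is not FileVault-enabled; the existing key must match Jamf Pro"
  return 2
}

# Run the check against the live system (macOS only; root needed for fdesetup list).
live_check() {
  individual_key_ready "$1" "$(sw_vers -productVersion)" "$(fdesetup status)" \
    "$(diskutil list)" "$(fdesetup list)"
}

# Constructed sample outputs (UUIDs are made up) so the script runs off a Mac.
SAMPLE_VERSION="10.14.6"
SAMPLE_STATUS="FileVault is On."
SAMPLE_DISKS="   3:          Apple_Boot Recovery HD             650.0 MB   disk0s3"
SAMPLE_USERS="jamfadmin,7C7D3E2A-0000-4000-8000-000000000001
alice,7C7D3E2A-0000-4000-8000-000000000002"

if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
  live_check "${1:-jamfadmin}"
else
  individual_key_ready "${1:-jamfadmin}" "$SAMPLE_VERSION" "$SAMPLE_STATUS" \
    "$SAMPLE_DISKS" "$SAMPLE_USERS"
fi
```

Run it as root on a Mac with the management account name as the argument to check the live system; anywhere else it evaluates the constructed sample. An exit status of 2 is the case the requirements list covers with its second condition: the policy can still succeed, but only if the key already on the computer matches the one Jamf Pro holds, which is exactly what the smart group mentioned above is for.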

Issuing a New FileVault 2 Recovery Key

  1. Log in to Jamf Pro.

  2. Click Computers at the top of the page.

  3. Click Policies.

  4. Click New.

  5. Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.
    For an overview of the settings in the General payload, see General Payload.

  6. Select the Disk Encryption payload and click Configure.

  7. Choose "Issue New Recovery Key" from the Action pop-up menu.

  8. Select the type of recovery key you want to issue:

    • Individual—A new individual recovery key is generated on each computer and then submitted to Jamf Pro for storage.

    • Institutional—A new institutional recovery key is deployed to computers and stored in Jamf Pro.
      To issue a new institutional recovery key, you must choose the disk encryption configuration that contains the institutional recovery key you want to use.

    • Individual and Institutional—Issues both types of recovery keys to computers.

  9. Use the Restart Options payload to configure settings for restarting computers.
    For more information, see Restart Options Payload.

  10. Click the Scope tab and configure the scope of the policy.
    For more information, see Scope.

  11. (Optional) Click the Self Service tab and make the policy available in Self Service.
    For more information, see Making Items Available to Users in Jamf Self Service for macOS.

  12. (Optional) Click the User Interaction tab and configure messaging and deferral options.
    For more information, see User Interaction.

  13. Click Save.

Related Information

For related information, see the following Knowledge Base article:

Smart Group and Advanced Search Criteria for FileVault 2 and Legacy FileVault
Learn about the smart computer group and advanced computer search criteria available for FileVault 2.

© copyright 2002-2017 Jamf. All rights reserved.