Generating a New FileVault Key for Escrowing with Jamf Now

For Jamf Now to store a FileVault recovery key, the Mac must be managed by Jamf Now at the time it is encrypted. If the Mac was encrypted before it was managed by Jamf Now, a few additional steps are needed to generate a new FileVault recovery key that Jamf Now can store.

Requirements
  • Ensure the Enable FileVault checkbox is selected under the Security tab of the Blueprint associated with the Mac in Jamf Now.

    Screenshot of a Blueprint's Security section, showing that the Enable FileVault checkbox is selected.

  • Ensure the Mac has received the correct profiles under System Preferences > Profiles on the Mac.

    Screenshot of Mac profiles in System Preferences on a Mac.

  1. Open the Terminal application on the Mac.
  2. Run the following command in Terminal:
    sudo fdesetup changerecovery -personal
  3. Complete the follow-up prompts in Terminal, including the local account user name and password.

    Once complete, you should see the new FileVault recovery key displayed within the Terminal session.

    Screenshot of the new FileVault recovery key in the Terminal.

  4. Log in to Jamf Now.
  5. Click Devices, and then select the appropriate device.
  6. Click Sync in the upper-right corner.
Jamf Now inventories the Mac, and the recovery key is displayed on the Data Protection card in the device dashboard.

Screenshot of option to show the recovery key.
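
The Terminal part of the procedure (steps 1 to 3) wrapped in a pre-flight check, as an added example that is not Jamf's own code. It assumes `fdesetup status` prints "FileVault is On." or "FileVault is Off." and mentions "in progress" while a conversion is running; the function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Jamf's code): pre-flight check around
# `sudo fdesetup changerecovery -personal`. Function names are hypothetical.

# classify_status TEXT: map `fdesetup status` output to on|off|busy|unknown.
# "busy" is tested first because a volume that is still converting can also
# report "FileVault is On." on its first line (assumed output format).
classify_status() {
    case "$1" in
        *"in progress"*)      echo busy ;;
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# preflight_message STATE: tell the operator what each state means.
preflight_message() {
    case "$1" in
        on)   echo "OK: FileVault is on; a new personal recovery key can be generated." ;;
        off)  echo "STOP: FileVault is off; there is no recovery key to change." ;;
        busy) echo "WAIT: encryption or decryption is still running; retry when it finishes." ;;
        *)    echo "STOP: unrecognised fdesetup status output; check the Mac by hand." ;;
    esac
}

rotate_key() {
    state=$(classify_status "$(fdesetup status 2>&1)")
    preflight_message "$state"
    [ "$state" = on ] || return 1
    # Interactive: prompts for a local account user name and password, then
    # prints the new key. The previous personal recovery key stops working.
    sudo fdesetup changerecovery -personal || return 1
    # Prints "true" when a personal recovery key exists on the volume.
    [ "$(sudo fdesetup haspersonalrecoverykey)" = true ]
}

if command -v fdesetup >/dev/null 2>&1; then
    rotate_key
else
    # Not a Mac: run the classifier on a constructed sample of status output.
    sample='FileVault is On.
Encryption in progress: Percent completed = 42'
    preflight_message "$(classify_status "$sample")"
fi
```

After the script reports success, continue with steps 4 to 6 so that the Sync picks up the new key.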