Issuing a New FileVault Recovery Key

You can use a policy to issue a new FileVault recovery key to computers with OS X v10.11 that have FileVault activated. This allows you to do the following:

  • Replace an individual recovery key that has been reported as invalid and does not match the recovery key stored in the JSS.

  • Update the recovery key on computers on a regular schedule, without needing to decrypt and then re-encrypt the computers.

Requirements

To issue a new individual recovery key to a computer, the computer must have:

  • OS X v10.11

  • A “Recovery HD” partition

  • FileVault activated

  • One of the following conditions met:

    • The management account configured as the FileVault-enabled user

    • An existing, valid individual recovery key that matches the key stored in the JSS

To issue a new institutional recovery key to a computer, the computer must have:

  • OS X v10.11

  • A “Recovery HD” partition

  • FileVault activated

  • The management account configured as the FileVault-enabled user

Issuing a New FileVault Recovery Key to Computers

  1. Log in to the JSS with a web browser.

  2. Click Computers at the top of the page.

  3. Click Policies.
    On a smartphone, this option is in the pop-up menu.

  4. Click New.

  5. In the General payload, enter a display name for the policy. For example, “FileVault New Individual Recovery Key”.

  6. Select a trigger and execution frequency.

  7. Select the Disk Encryption payload and click Configure.

  8. Choose “Issue New Recovery Key” from the Action pop-up menu.

  9. Choose the type of recovery key you want to issue from the Recovery Key Type pop-up menu:

    • Individual—A new individual recovery key is generated on each computer and then submitted to the JSS for storage.

    • Institutional—A new institutional recovery key is deployed to computers and stored in the JSS.

    • Individual and Institutional—Issues both types of recovery keys to computers.

    If you chose “Institutional” or “Individual and Institutional”, choose the disk encryption configuration to use to issue the new recovery key from the Disk Encryption Configuration for Institutional Key pop-up menu.

  10. Click the Scope tab and configure the scope of the policy.
    Note: If applicable, you can use the smart computer group you created in “Creating a Smart Group of Computers with an Invalid Individual Recovery Key” as the scope for the policy.

  11. Click Save.

The policy runs on computers in the scope the next time they check in with the JSS and meet the criteria in the General payload.
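As an added example (not part of this Jamf guide), the following shell script checks the requirements listed above on a client and prints the result in Jamf extension-attribute form, so the smart group used to scope the policy in step 10 can be built from it. The commands whose output it parses (sw_vers, fdesetup status, fdesetup list, diskutil list) are standard on OS X; the management account name "jamfadmin" is an assumption.

```shell
#!/bin/sh
# Added example, not Jamf's code: checks the "Issue New Recovery Key" requirements
# on a client. Each check takes the relevant command output as an argument so it
# can be exercised with constructed strings; the last block gathers live output
# on macOS and prints it as a Jamf extension attribute for smart-group scoping.

# 0 when "$1" (from `sw_vers -productVersion`, e.g. 10.11.6) is OS X 10.11 or later.
os_meets_minimum() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 10 ] && return 0
    [ "$major" -eq 10 ] && [ "$minor" -ge 11 ]
}

# 0 when `fdesetup status` output ("$1") reports FileVault is On.
filevault_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# 0 when `diskutil list` output ("$1") shows a "Recovery HD" partition.
has_recovery_hd() {
    printf '%s\n' "$1" | grep -q 'Recovery HD'
}

# 0 when account "$1" appears in `fdesetup list` output ("$2", "user,UUID" lines).
# Required for an institutional key; an individual key can also be issued when the
# existing individual key is valid.
is_filevault_enabled_user() {
    printf '%s\n' "$2" | grep -q "^$1,"
}

# Prints "Eligible" or the first unmet requirement (OS, Recovery HD, FileVault).
eligibility() {
    os_meets_minimum "$1" || { echo "OS X $1 is older than 10.11"; return 1; }
    has_recovery_hd "$3"  || { echo "No Recovery HD partition"; return 1; }
    filevault_is_on "$2"  || { echo "FileVault not active"; return 1; }
    echo "Eligible"
}

# Live use on a Mac; "jamfadmin" is an assumed management account name.
if [ "$(uname)" = "Darwin" ] && [ -z "$SKIP_LIVE" ]; then
    mgmt="jamfadmin"
    result=$(eligibility "$(sw_vers -productVersion)" "$(fdesetup status)" "$(diskutil list)") || true
    if [ "$result" = "Eligible" ] && ! is_filevault_enabled_user "$mgmt" "$(fdesetup list)"; then
        result="Eligible for individual key only ($mgmt is not FileVault-enabled)"
    fi
    echo "<result>$result</result>"
fi
```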

Copyright JAMF Software, LLC 2016