Issuing a New FileVault Recovery Key

You can use a policy to issue a new FileVault recovery key to computers with macOS 10.14 or later that have FileVault activated. This allows you to do the following:

  • Replace a personal (also known as "individual") recovery key that has been reported as invalid and does not match the recovery key stored in Jamf Pro.

  • Update the recovery key on computers on a regular schedule, without needing to decrypt and then re-encrypt the computers.

Requirements

To issue a new personal recovery key to a computer, the computer must have:

  • macOS 10.14 or later

  • A “Recovery HD” partition

  • FileVault activated

  • One of the following two conditions met:

    • The management account configured as the enabled FileVault 2 user with a SecureToken.
      For information on SecureToken, see Apple's Deployment Reference for Mac.

    • An existing, valid personal recovery key that matches the key stored in Jamf Pro.

To issue a new institutional recovery key to a computer, the computer must have:

  • macOS 10.14 or later

  • A “Recovery HD” partition

  • FileVault enabled

  • The management account configured as the enabled FileVault 2 user

Issuing a New FileVault Recovery Key to Computers

  1. Log in to Jamf Pro.

  2. Click Computers at the top of the page.

  3. Click Policies.

  4. Click New images/download/thumbnails/81549035/Icon_New_Button.png .

  5. In the General payload, enter a display name for the policy. For example, “FileVault New Personal Recovery Key“.

    images/download/attachments/81549035/FileVault_GeneralPayload.png
  6. Select a trigger and execution frequency.

  7. Select the Disk Encryption payload and click Configure.

  8. Choose “Issue New Recovery Key” from the Action pop-up menu.
    images/download/attachments/81549035/FileVault_IssueNewRecKyComp2.png

  9. Choose the type of recovery key you want to issue from the Recovery Key Type pop-up menu:

    • Individual—A new personal (also known as "individual") recovery key is generated on each computer and then submitted to Jamf Pro for storage.

    • Institutional—A new institutional recovery key is deployed to computers and stored in Jamf Pro.

    • Individual and Institutional—Issues both types of recovery keys to computers.

    If you chose “Institutional” or “Individual and Institutional”, choose the disk encryption configuration to use to issue the new recovery key from the Disk Encryption Configuration for Institutional Key pop-up menu.
    images/download/attachments/81549035/FileVault_IssueNewRecKey4.png

  10. Click the Scope tab and configure the scope of the policy.

    images/download/attachments/81549035/FileVault_IssueNewRecKyComp3.png

  11. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro, prompting enabled users.

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2020 Jamf. All rights reserved.