Issuing a New FileVault Recovery Key for a Computer

Jamf Pro Documentation 11.16.0


You can use a policy to issue a new FileVault recovery key to computers with macOS 10.14 or later that have FileVault activated. This allows you to do the following:
  • Replace a personal (also known as "individual") recovery key that has been reported as invalid and does not match the recovery key stored in Jamf Pro.

  • Update the recovery key on computers on a regular schedule, without needing to decrypt and then re-encrypt the computers.

Requirements
To issue a new personal recovery key to a computer, the computer must have:
  • FileVault activated

  • One of the following two conditions met:

    • An existing, valid personal recovery key that matches the key stored in Jamf Pro

    • A FileVault-enabled user account with a secure token

To issue a new institutional recovery key to a computer, the computer must have:
  • FileVault enabled

  • A FileVault-enabled user account with a secure token
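The requirements above can be checked on the computer itself before it is added to the policy's scope. The script below is an added example, not part of the Jamf Pro documentation or the product; it parses the output of the macOS tools fdesetup (status and list) and sysadminctl (-secureTokenStatus). On a Mac it runs those commands (run it as root, which is how Jamf Pro runs policies); on any other host it falls back to constructed sample output so the parsing logic can be exercised offline. The sample usernames, UUIDs and status lines are constructed.

```shell
#!/bin/bash
# Added example: local prerequisite check for the "Issue New Recovery Key" policy.
# Parses fdesetup/sysadminctl output; sample data below is constructed.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
fv_is_on() {
  case "$1" in
    *"FileVault is On."*) return 0 ;;
    *) return 1 ;;
  esac
}

# `sysadminctl -secureTokenStatus <user>` reports (on stderr)
# "Secure token is ENABLED for user <name>" or "... is DISABLED ...".
token_enabled() {
  case "$1" in
    *"Secure token is ENABLED"*) return 0 ;;
    *) return 1 ;;
  esac
}

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user.
# Print the usernames only.
fv_users() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# Count FileVault-enabled users that also hold a secure token.
# $1: fdesetup list output; $2: name of a function that, given a username,
# prints its sysadminctl status line (real or sample data).
count_eligible_users() {
  local n=0 u
  for u in $(fv_users "$1"); do
    if token_enabled "$("$2" "$u")"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Constructed sample data standing in for tool output on a non-macOS host.
SAMPLE_STATUS="FileVault is On."
SAMPLE_LIST="admin,E6F5A2B1-0000-4000-8000-000000000001
staffuser,E6F5A2B1-0000-4000-8000-000000000002"
sample_token_status() {
  case "$1" in
    admin) echo "Secure token is ENABLED for user admin" ;;
    *)     echo "Secure token is DISABLED for user $1" ;;
  esac
}

real_token_status() {
  sysadminctl -secureTokenStatus "$1" 2>&1
}

# Verdict: returns 0 if the computer meets the secure-token path of the
# requirements (FileVault on, at least one FileVault-enabled user holding a
# secure token), 1 otherwise. Prints a one-line reason.
check_prerequisites() {
  local status list lookup n
  if command -v fdesetup >/dev/null 2>&1; then
    status=$(fdesetup status); list=$(fdesetup list); lookup=real_token_status
  else
    status=$SAMPLE_STATUS; list=$SAMPLE_LIST; lookup=sample_token_status
  fi
  if ! fv_is_on "$status"; then
    echo "NOT ELIGIBLE: FileVault is not enabled"; return 1
  fi
  n=$(count_eligible_users "$list" "$lookup")
  if [ "$n" -gt 0 ]; then
    echo "ELIGIBLE: $n FileVault-enabled user(s) hold a secure token"; return 0
  fi
  echo "NOT ELIGIBLE: no FileVault-enabled user has a secure token"; return 1
}

check_prerequisites
```

The other path in the requirements, an existing personal recovery key that matches the one stored in Jamf Pro, cannot be confirmed from the computer alone: `fdesetup validaterecovery` can report whether a supplied key unlocks the disk, but the comparison against the escrowed copy happens on the Jamf Pro side. The secure-token check is the one that determines whether the policy can succeed when the stored key is already invalid.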

  1. In Jamf Pro, click Computers in the sidebar.
  2. Click Policies in the sidebar.
  3. Click New.
  4. In the General payload, enter a display name for the policy (e.g., "FileVault New Personal Recovery Key").
  5. Select a trigger and execution frequency.
  6. Select the Disk Encryption payload and click Configure.
  7. Choose "Issue New Recovery Key" from the Action pop-up menu.
  8. Choose the type of recovery key you want to issue from the Recovery Key Type pop-up menu:
    • Individual: A new personal (also known as "individual") recovery key is generated on each computer and then submitted to Jamf Pro for storage.
    • Institutional: A new institutional recovery key is deployed to computers and stored in Jamf Pro.
    • Individual and Institutional: Issues both types of recovery keys to computers.

    If you chose "Institutional" or "Individual and Institutional", choose the disk encryption configuration to use to issue the new recovery key from the Disk Encryption Configuration for Institutional Key pop-up menu.

  9. Click the Scope tab and configure the scope of the policy.
  10. Click Save.
The policy runs on computers in the scope the next time they check in with Jamf Pro, prompting FileVault-enabled users to enter their password to repair the encryption key.