creativeer.blogg.se

Where to get recovery key for mac










The prompt can happen in a few scenarios: the user enters their password incorrectly and the system "offers" the recovery field, or you boot to recovery and it prompts you to unlock the drive to make changes. If you do not have a recovery key in an MDM or central server, the user may have encrypted the device on their own without recording it, in which case your only real recourse is nuking the volume and starting over, as there is no way to recover without a valid password or valid recovery key. If the user is off site, the FV password will be the previous password, and then they will need to sign in again with the new credentials when prompted. If the device auto-boots to recovery, it's usually because the user has been messing with the OS and it cannot boot correctly; it'll come directly to the unlock/recovery screen.

Chances are, if the device is AD bound and the user password was changed, they entered the password incorrectly, as it will only sync the FileVault password if you're on network.


The recovery key is only used on a FileVault-encrypted Mac. The EFI firmware lock makes it so the device only boots from the internal drive, and this can only be changed using the cmd+R (recovery) combo, where you need to enter the password; this is a low-level lock. I do not know why this is hidden behind a "show key" button, or I could be totally wrong, but from my understanding of Jamf Pro and the MDM Profile spec, this is what makes sense.

So it seems that people are confusing the EFI firmware password and the recovery key. Therefore, both the location description and record number are not really needed, but they are displayed to the user if he fails to log in. Now with Jamf Pro, none of that is needed at all, as the location is always the Jamf Pro server, and there the recovery key is stored in the inventory record. If you escrow the key, the user is shown the "Escrow Location Description", and if he needs to recover (3 failed login attempts at preboot authentication), he is shown both the "Escrow Location Description" AND the "Record number" message, so he could use that to go to his IT helpdesk, and they could identify his computer in that server and find the recovery key. In Jamf Pro this is always the Jamf Pro server (no other server can be chosen as a target).


If enabled, the escrowed key can be sent to any server. As per Apple's spec, the key escrow is optional. Using Configuration Profiles, we can enable FV2. I haven't had the time to test, but I believe this is just a not very good label here.

AFAIK this is the value you have put into your "Record number" message field in the Config Profile to enable FV with key escrow.











