homebysix / jss-filevault-reissue

A framework for re-escrowing missing or invalid FileVault keys with Jamf Pro.
Apache License 2.0
186 stars 56 forks

DEP Enrolled Machines that cannot Escrow #19

Closed aryzarrin closed 6 years ago

aryzarrin commented 6 years ago

"[WARNING] FileVault key was generated, but escrow cannot be confirmed. Please verify that the redirection profile is installed and the Mac is connected to the internet."

Occasionally receiving this message. The drive is fully encrypted and running either 10.12.6 or at least 10.13.4.

On machines that are User Initiated Enrollment / Quick-Added to our Jamf Pro environment, I am able to remove the MDM profile and re-enroll via sudo jamf removeMDMprofile followed by sudo jamf mdm. The policy then runs without issue and updates in our Jamf Pro environment.

However, if a computer is enrolled in DEP, the issue persists even after the removal and re-addition of the configuration profiles. I am attempting to see if decrypting and re-encrypting the drive resolves the issue, but the device I am testing this with has not finished that process. Also posting to Jamf Nation in case.

aryzarrin commented 6 years ago

This was an issue with a Jamf configuration profile conflict.

Units running High Sierra and newer can simply check the box to Escrow FileVault Recovery Keys. Units running Sierra and older need to have a separate Security and Privacy payload, as well as a FileVault Recovery Key Redirection payload.