homebysix / jss-filevault-reissue

A framework for re-escrowing missing or invalid FileVault keys with Jamf Pro.
Apache License 2.0
186 stars 56 forks

I do not like to ask user to enter the password #55

Closed mani2care closed 2 years ago

mani2care commented 2 years ago

Hi, really nice work. To take it a bit further, can you change the workflow as below?

1) Create the local user account and issue the new key for that user account without user interaction.
2) Use the JSS management account to do this without user interaction. What do you think of this?

I want to reissue the key without user interaction. Is there any way to do this?

homebysix commented 2 years ago

If you have a local account you use for Jamf management, and if that local account is already FileVault-authorized on your fleet, then yes - you can issue a new recovery key without any user interaction using these steps.

I think having a local FileVault-authorized account is not worth the security risks, given that most implementations use a shared password for this account.

If you don't already have a local FileVault-authorized management account, then you might have difficulty creating one programmatically. FileVault authorized accounts must have a "secure token" and must be authorized by an existing FileVault user, if FileVault is already enabled.

This script is aimed at administrators who don't already have some form of FileVault authorization, but want to escrow a fresh recovery key in the least invasive way possible. Currently, that requires a user prompt.
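The no-prompt path described in the reply above (a local management account that is already FileVault-authorized issues a fresh personal recovery key) looks like the following. This is an added example, not the project's own script and not the linked steps: it assumes a hypothetical management account name and password passed as arguments, checks that the account actually appears in `fdesetup list` before trying, and feeds the credentials to `fdesetup changerecovery -personal` as a plist on stdin rather than on the command line, so the password is not exposed in the process list. The escrow to Jamf Pro still depends on your normal inventory workflow; this block only rotates the key locally.

```shell
#!/bin/bash
# Added example (not jss-filevault-reissue code). Must run as root on macOS.
# Usage: ./reissue_with_mgmt_account.sh <mgmt_user> <mgmt_password>
# The management account is a hypothetical, site-specific name.

# Escape the three characters that would break the XML plist. Done with
# sed so the password never appears on a command line as an argument
# to an external binary that prints it back.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist that `fdesetup ... -inputplist` reads from stdin.
# Keys are Username and Password, as documented in fdesetup(8).
build_fdesetup_plist() {
  local user="$1" pass="$2"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>$(xml_escape "$user")</string>
  <key>Password</key>
  <string>$(xml_escape "$pass")</string>
</dict>
</plist>
EOF
}

# `fdesetup list` prints one "username,GUID" line per FileVault-enabled user.
# Return 0 if the given user is among them. The list text is passed in so the
# check can be exercised against captured output without running fdesetup.
fv_user_enabled() {
  local user="$1" list="$2"
  printf '%s\n' "$list" | awk -F, -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

# Rotate the personal recovery key using an already-authorized local account.
# Prints the new key as a plist (-outputplist) on stdout for whatever escrow
# step follows; never echoes the password.
reissue_recovery_key() {
  local user="$1" pass="$2" list
  list="$(fdesetup list 2>/dev/null)" || { echo "fdesetup list failed (is FileVault on?)" >&2; return 1; }
  if ! fv_user_enabled "$user" "$list"; then
    echo "$user is not FileVault-authorized; cannot reissue without a prompt" >&2
    return 2
  fi
  build_fdesetup_plist "$user" "$pass" | fdesetup changerecovery -personal -outputplist -inputplist
}

# Only run when invoked directly with both arguments.
if [ "$#" -eq 2 ]; then
  reissue_recovery_key "$1" "$2"
fi
```

If the account fails the `fdesetup list` check, the function exits with status 2 instead of letting `fdesetup` prompt or error out, which is the same condition that forces the project's script to fall back to asking the logged-in user. A secure token alone is not enough here; the account has to be in the FileVault user list, which is why the check is on `fdesetup list` rather than `sysadminctl -secureTokenStatus`.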