When a device is FileVaulted via our native Security and Privacy MDM Configuration or via GoLive, the recovery key is automatically escrowed and available in GoLive >> Security.
However, if a FileVaulted device's key did not escrow, the following remediation methods can be attempted.
The Community Manual FileVault Escrow Script
We have a Community script called Manual FileVault Escrow that can be copied to the Devices page and deployed to affected devices:
Adding Community Scripts into your Environment
Addigy FileVault Manager
An alternative method is to use the Addigy FileVault Manager to escrow the key.
- Have Addigy agent installed
- Have the ability to reset the key or have the key already
- Ability to place a file on devices. Files can be deployed via Custom Software.
Escrowing the Key
Obtain the key. If you don’t have the key and know the username & password of the existing system, you can use the following command: sudo fdesetup changerecovery -personal
Copy the key, paste it into a plist file, and format the file so it can be escrowed to Addigy (An example plist file is available below).
Save the key file and move it to /Library/Addigy/fv-escrows directory.
Run /Library/Addigy/filevault-manager -escrow. The key will be escrowed to Addigy.
The key should be available in GoLive >> Security.