How to Reissue a Recovery Key for FileVault in Jamf Pro version 9 General Monday, 08 May 2017. Individual recovery keys are created and stored in the JSS when the encryption takes place. To use an institutional recovery key, you must first create and export a recovery key using Keychain Access. Store the keychain (FileVaultMaster.keychain) in a secure location so you can use it to access encrypted data at a later time. That can include institutional ones. © copyright 2002-2020 Jamf. All rights reserved. The individual recovery key is generated on the computer and sent back to Jamf Pro for storage when the encryption takes place. Institutional keys are shared throughout the organization. 15) This is where you would then select "Use an Institutional recovery key" or "Use an institutional recovery key and create a personal FileVault recovery key". 16) Next you will then select the certificate you previously uploaded to the profile and select "Save" to close the profile. You can choose to use both recovery keys (individual and institutional) together in Jamf Pro. To issue a new institutional recovery key, you must choose the disk encryption configuration that contains the institutional recovery key you want to use. Creating and Exporting an Institutional Recovery Key. Creating an Institutional FileVault Recovery Key on Mac OS X. The zip file contains sample files. These advanced steps are for system administrators and others who are familiar with the command line. You can use the Certificate payload to upload an institutional recovery key to Jamf Pro.
Log in to the JSS; go to Computers. This type of recovery key cannot be used to unlock a user's startup disk. Institutional—Uses a shared recovery key. When I look at the certificate used for the Institutional Recovery Key, it expires in March 2019. Then, save the items as a .p12 file. The .p12 file is a bundle that contains both the FileVault Recovery Key and the private key. Jamf Pro 10.7.1 or Later. This requires you to create the recovery key with Keychain Access and upload to the JSS for storage. If you export without the private key, you must store it in a secure location so you can access it when needed. From the menu bar, choose "Export Items" from the File pop-up menu. You can export the recovery key with or without the private key. —Uses a single recovery key that is shared by client computers. At some point as an administrator you'll be faced with the scenario whereby you'll need to gain institutional access to a Mac; you'll need to create what's known as an Institutional Recovery Key. Do not select the private key associated with the certificate. Step 5 Launch Casper Admin, then upload the reissue_filevault_recovery_key.sh and your DMG or your logos to your Jamf Pro server. With the Casper Suite, you can choose to use one or both types of recovery keys. I can't find any info on this. It's a self-signed certificate (created like this). Exporting with the private key allows you to store it in Jamf Pro.
Note: You cannot use an institutional recovery key with a private key to activate FileVault Disk Encryption using a configuration profile in Jamf Pro. If the user doesn't know the hostname or serial, go to Users and search for Kerberos ID. If you chose “Institutional” or “Individual and Institutional”, choose the disk encryption configuration to use to issue the new recovery key from the Disk Encryption Configuration for Institutional Key pop-up menu. Jamf Pro - FileVault 2 Encryption: To encrypt your Macs with FileVault 2, follow these steps. If you are coming to this article from a Google search, rest assured, the problem you are having can be solved with this trick. An institutional recovery key (IRK) allows you to recover your users' FileVault-encrypted data when they can't remember their Mac login password. Step 4 The rest of the VARIABLES section can be customized to your needs. Please choose carefully. A few years ago, I discovered a really useful trick in Jamf Pro, and it was restoring a deleted profile. For Jamf Now to successfully store a FileVault recovery key, the Mac must be managed by Jamf Now during the time of encryption. You must create and deploy the disk encryption configuration using a policy in Jamf Pro. Be sure to select the proper version for 10.12 or 10.13 ... Let’s check our work to make sure the FileVault key was escrowed to the Jamf Pro Server: a. Click the Computers button.
Enter a password for the new keychain when prompted. A keychain (FileVaultMaster.keychain) is created in the following location: /Library/Keychains/. Change the values of PayloadOrganization and Location as needed to match your organization. Jamf Now, formerly Bushel, is a cloud-based MDM solution for the iPad, iPhone and Mac devices in your workplace. If the recovery key is an “Institutional” recovery key, click Download to download it. Restore a deleted Jamf profile. Institutional—A new institutional recovery key is deployed to computers and stored in Jamf Pro. This requires you to create the recovery key with Keychain Access and upload to Jamf Pro for storage. Creating an Institutional Recovery Key: If you want to use an institutional recovery key on a Mac encrypted with FileVault 2, you need to create and configure a FileVaultMaster keychain. Exporting with the private key allows you to store it in the JSS. That said, having an institutional recovery key is a bit of a risk, since a single key will unlock all of your systems. Personal recovery keys are a better option, IMHO. This instance name will become your production instance should you choose to … Personal recovery keys can function as a passphrase and unlock or decrypt the encrypted disk.
You can choose to use both recovery keys (personal and institutional) together in Jamf Pro. Selecting this option The recovery key … Beware that creating the FileVault Institutional Key is kind of like creating the keys to the kingdom, so keep it safe at all costs! Note: You cannot use an institutional recovery key with the private key. Very helpful. From the menu bar, choose "Add Keychain" from the File pop-up menu. This type of recovery key can function as a password and can be used to unlock the computer. Verify that a private key is associated with the certificate. If you plan to use an institutional recovery key, you must first create an institutional recovery key using Keychain Access. 5 November 2020. NOTE: If you want to send the Recovery Key to Jamf Pro, you need to run Recon twice. Revoking the token for the only tokenized admin indeed means the end of token manipulation, unless you promote and demote a standard user like I … Then, add the FileVaultMaster.keychain file located in /Library/Keychains/.
Then, save the recovery key as a .pem file or .cer file. You will need to upload this file to Jamf Pro when creating the disk encryption configuration. Select FileVaultMaster under the Keychains heading in the sidebar, and then select All Items under the Category heading. Personal Recovery Key Encryption Certificate: Set to “Automatically encrypt and decrypt recovery key.” This tells Jamf Pro to generate a signing certificate for use encrypting a device’s Personal Recovery Key. Do I need to renew this certificate? In this video, we'll walk through the process for viewing FileVault recovery keys in Jamf Pro. from institutional recovery keychain. Once logged in, make sure you are in the “site” view by the pull down list in the top center of the window (whichever site you are an admin and the workstation is … OK Institutional Recovery Key? Select the certificate and the private key.
The FileVault Recovery Key is saved as a .cer file or a .pem file in the location you specified. If the recovery key is a "Personal" (also known as “Individual”) recovery key, it is displayed in Jamf Pro. For instructions, see “Creating and Exporting an Institutional Recovery Key”. Be sure to categorize the script and DMG in Casper Admin. You have now set up an Institutional Recovery to allow the decryption on Macs encrypted with the Private Key. 15 October 2018. There are several instances of each key in the profile so be sure to change them all. Select Disk Encryption in the list of categories, and then click Show Key. OK I’ll update further progress on the script here below: 28th of August: V1 BROKEN -> see V1.2 Bugfix 29th of August: Added V1.1 – added output of Logged In user to-> Search for the computer name or serial number in the search box, then click on it. This process is indeed frustrating. If that key is stolen or lost, the bad guy has a key to every single apartment. Save the script when done. Open the de-signed profile originally downloaded from the Jamf Pro Server in your text editor. Institutional recovery keys must be created with Keychain Access, and then uploaded to the JSS for storage. Note that all FV2 enabled accounts will now show up at the login screen which may cause some initial confusion for the end user. Individual (also known as “Personal”)—Uses a unique alphanumeric recovery key for each computer.
The FileVault Recovery Key and the private key are saved as a .p12 file in the location you specified. Jamf Pro 9.81 or Later. While it may be convenient to have one key for every Mac, having an Institutional Recovery Key is like having a Master Key to an Apartment Complex. kat says: 15-04-2020 at 20:59 Thanks for explaining that. An institutional recovery key will not help here. Jamf Pro auto-assigns the object an ID and will respond to successful requests with the ID of the created resource. Select the FileVault tab then select Enable Escrow Personal Recovery Key. In the Escrow Location Description section, enter Jamf Pro. Let me know how you guys get on in creating this, my next post will go through configuring your Institutional Recovery Key in JAMF Casper Suite and how to set a policy to FileVault a machine with this specific key. Standard account can not enable FileVault without having a secure token and they don’t get one via Jamf Connect. Only option would be to use institutional recovery key but IMO that’s worse, if that one gets compromised it decrypts all Macs and not only one. On an administrator computer, open Terminal and execute the following command: Enter a password for the new keychain when prompted. Without the keychain, you will not be able to decrypt the computer. On Yosemite and Mavericks systems, you can use the fdesetup changerecovery command to swap out recovery keys.
Institutional recovery keys can be used across multiple computers to unlock or decrypt the encrypted disk. Select user and select their machine. How to manage ONLY FDE Recovery Key Escrow in Jamf Pro 9.101+: The Jamf Pro GUI allows you to automatically set up the necessary payloads to manage the FDE Recovery Key Escrow process for macOS 10.13+. Individual and Institutional—Issues both types of recovery keys to computers. use of an Institutional Recovery Key and an Individual Recovery Key • The flexibility of this option built into the Casper Suite allows our end users to not only have control of their own machine encryption but ultimately a company Apple has provided a way to create this keychain by using the security command's create … Access Recovery Key. Individual—A new individual recovery key is generated on each computer and then submitted to Jamf Pro for storage.
You can also choose to use both recovery keys together in the JSS. The first step to administering FileVault disk encryption is to choose the type of recovery key that you want to use to recover encrypted data. Create and verify a password to secure the file, and then click OK. You will be prompted to enter this password when uploading the recovery key to Jamf Pro. We'll discuss leveraging Individual and Institutional Recovery Keys as well. @mdmike In simpler terms you have three options when forcing file vault for your computers: (1) Institutional Recovery Key (the IT department holds the code) (2) Institutional & Personal (the IT department holds the code & the user of the device) Institutional—Uses a shared recovery key containing a private and public key pair.
The personal recovery key is generated on the computer and sent back to Jamf Pro for storage when the encryption takes place. In the case where the Mac was encrypted prior to being managed by Jamf Now, a few additional steps must be taken to get the FileVault recovery key stored in Jamf … Unlock the keychain by opening Terminal and executing: Select the certificate. Once you have found the machine, go to the Management tab at the top. Go back to the reissue_filevault_recovery_key.sh and paste in the Profile Identifier key that you copied in step 11. Copy template-fde-recovery-key-escrow.mobileconfig to a new file in your favorite text editor. MacOS – Recover FileVault2 Key with JAMF Pro: Log in to JAMF Pro server ( https://casper.uiowa.edu:8443/ ) using your TechID. To unlock the keychain, open Terminal and execute the following command: Perform a backup of the keychain and save it in a secure location.
Personal Recovery Key? This step is for Mac computers running 10.13 or greater. If used, you must create the recovery key with Keychain Access and upload only the public key to Jamf Pro for storage.