With the rapidly evolving digital landscape, organizations are increasingly turning to Microsoft Intune as their preferred MDM (Mobile Device Management) provider and working on migrating devices from existing MDM solutions to Microsoft Intune.
Migrating device management from one MDM Provider to Microsoft Intune requires several configurations - more details can be found in this article. In this blog, we are going to take a closer look at MacOS device migration from JAMF to Intune, with focus on FileVault key escrow feature.
Migrating MacOS devices from JAMF to Intune involves several steps to ensure smooth transition of the device to Intune and minimizing the impact of productivity. During this process, one of the biggest challenges is getting FileVault recovery keys escrowed back to Intune. We will be focusing on steps which we took to escrow the personal FileVault recovery key to Intune. The specifics of your migration may vary depending on your organization's requirements and the complexity of your existing setup. It is recommended to thoroughly plan and test each step to minimize disruption during the migration process.
There are two main scenarios in which the FileVault key storage process can be categorized:
- Device was not FileVault enabled before Intune enrollment (FileVault enabled via Intune policy after enrollment)
- Devices marked as “Personal”: Recovery key can only be seen by the user via the Company Portal Website
- Devices marked as “Corporate”: Recovery key can be seen by IT (information technology) administrators in addition to owner of the device
- Device was FileVault enabled before Intune enrollment:
- In this case, the FileVault recovery key is not managed, and Intune is unable to escrow. It is most likely that the recovery key was stored in iCloud.
From this point on, we will be focusing on the 2nd scenario.
The following error message will be shown for the FileVault setting in Intune policy reporting, if FileVault was enabled before Intune enrollment. Intune requires FileVault ownership to apply the “Enable FileVault” setting successfully:
There are multiple ways in which FileVault management can be assumed by Intune. In our implementation, we chose options 2 and 3 from below because they do not require decryption and re-encryption of the drives. Re-encryption adds additional complexity as it will expose user data during this process and consume more time to complete migration. Also, regardless of the option, the steps outlined must be executed by the user who initially enabled FileVault:
- From MacOS GUI (graphical user interfaces): From GUI, there is no option to just refresh the recovery key, so it is required to decrypt the device and re-encrypt the device.
- On the device, choose Apple menu > System Settings, click Privacy & Security in the sidebar, then click FileVault on the right. (You may need to scroll down.)
- Turn off FileVault and turn it back on
- Device sync
- Terminal commands to refresh the recovery key
- Users need to launch the Terminal app on the device.
- Run “sudo fdesetup changerecovery -personal”
- You will be prompted to enter device admin credentials.
- IT Admin generated script/app: Sample scripts can be found at below locations, and these scripts can be customized and deployed as an app.
https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh
or
- Deploy FileVault key refresh script as Application from JAMF
- Unenroll the device from JAMF
- Enroll device to Intune
- Deploy FileVault policy from Intune
- Run the key refresh script (which deployed previously) from application applet
Once the user executes the application, the device generates a new personal recovery key, Intune assumes management of FileVault encryption on next Intune check-in, and users can see the recovery key in the Company Portal website.
Hopefully, this helps you understand the various methods to escrow FileVault recovery key to Intune.