With the rapidly evolving digital landscape, organizations are increasingly turning to Microsoft Intune as their preferred MDM (Mobile Device Management) provider and working on migrating devices from existing MDM solutions to Microsoft Intune.
Migrating device management from one MDM provider to Microsoft Intune requires several configurations - more details can be found in this article. In this blog, we are going to take a closer look at macOS device migration from JAMF to Intune, with a focus on the FileVault key escrow feature.
Migrating macOS devices from JAMF to Intune involves several steps to ensure a smooth transition of the device to Intune and to minimize the impact on productivity. During this process, one of the biggest challenges is getting FileVault recovery keys escrowed back to Intune. We will be focusing on the steps we took to escrow the personal FileVault recovery key to Intune. The specifics of your migration may vary depending on your organization's requirements and the complexity of your existing setup. It is recommended to thoroughly plan and test each step to minimize disruption during the migration process.
There are two main scenarios in which the FileVault key storage process can be categorized:
From this point on, we will be focusing on the second scenario.
The following error message will be shown for the FileVault setting in Intune policy reporting if FileVault was enabled before Intune enrollment. Intune requires FileVault ownership to apply the “Enable FileVault” setting successfully:
There are multiple ways in which FileVault management can be assumed by Intune. In our implementation, we chose options 2 and 3 from below because they do not require decryption and re-encryption of the drives. Re-encryption adds complexity: user data is exposed while the volume is decrypted, and the migration takes longer to complete. Also, regardless of the option, the steps outlined must be executed by the user who initially enabled FileVault:
https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh
or
Once the user executes the application, the device generates a new personal recovery key, Intune assumes management of FileVault encryption on the next Intune check-in, and users can see the recovery key on the Company Portal website.
Hopefully, this helps you understand the various methods to escrow the FileVault recovery key to Intune.
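As an added example (not code from this blog post or from JAMF's reissueKey.sh), the recovery-key rotation that options 2 and 3 rely on, wrapped in the pre-flight checks you would want before touching a production Mac: FileVault must be fully on, and the account supplied must be a FileVault-enabled user. It assumes macOS's `fdesetup` command; the sample `fdesetup` outputs embedded for a stand-alone run are constructed.

```shell
#!/bin/bash
# Pre-flight helpers are pure shell so they can be exercised on captured
# output; only rotate_prk() actually calls fdesetup (macOS only).

# fv_is_on OUTPUT: 0 if `fdesetup status` says FileVault is On and idle,
# 2 if a conversion is still running (rotating now is pointless), 1 otherwise.
fv_is_on() {
  case "$1" in
    *"FileVault is On."*)
      case "$1" in
        *"Encryption in progress"*|*"Decryption in progress"*) return 2 ;;
      esac
      return 0 ;;
    *) return 1 ;;
  esac
}

# fv_user_enabled LIST USER: 0 if USER appears in `fdesetup list` output,
# which is one "username,UUID" line per FileVault-enabled account.
fv_user_enabled() {
  printf '%s\n' "$1" | cut -d, -f1 | grep -qxF -- "$2"
}

# Constructed sample outputs (what fdesetup prints on a typical encrypted Mac).
SAMPLE_STATUS='FileVault is On.'
SAMPLE_LIST='alice,E5A0C3A2-1B2C-4D3E-8F9A-0B1C2D3E4F5A
admin,9F8E7D6C-5B4A-3C2D-1E0F-A1B2C3D4E5F6'

# rotate_prk USER PASSWORD: generate a new personal recovery key, which the
# MDM-managed Mac escrows to Intune on the next check-in. The credentials go
# to fdesetup as a plist on stdin (-inputplist) so the password never appears
# as a command-line argument; printf is a builtin, so it is not visible in ps.
rotate_prk() {
  status=$(fdesetup status)
  fv_is_on "$status" || { echo "FileVault is not fully On; aborting" >&2; return 1; }
  fv_user_enabled "$(fdesetup list)" "$1" \
    || { echo "$1 is not a FileVault-enabled user; aborting" >&2; return 1; }
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict><key>Username</key><string>%s</string><key>Password</key><string>%s</string></dict></plist>\n' "$1" "$2" \
    | fdesetup changerecovery -personal -inputplist
}

# Interactive entry point: only on macOS, and only when explicitly requested.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--run" ]; then
  printf 'Password for %s: ' "$USER"; stty -echo; read -r pw; stty echo; echo
  rotate_prk "$USER" "$pw"
fi
```

Run it as the FileVault-enabled user with `--run`; the new key is printed once by fdesetup and should then be visible in the Company Portal after the next check-in.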