FileVault personal recovery key not escrowing to Jamf Pro
| Service | Jamf Pro |
|---|---|
| Cloud | Apple platforms |
| Guide type | Procedure |
| Skill level | Intermediate to advanced |
| Time | 15 - 60 minutes depending on account size |
Engineers running Jamf Pro hit FileVault personal recovery key not escrowing to Jamf Pro often enough that there is a stable fix pattern. This page captures it in the order Apple support would run it during a real incident.
What filevault personal recovery key not escrowing to jamf pro actually involves on Jamf Pro
This task on Jamf Pro is one of the more searched operational topics on AWS in the last 12 months. The procedure below is the path that works in a current AWS account with default IAM and standard VPC config.
The rest of this page is the structured fix path. Start with diagnose, then remediation, then the automation options so you do not have to do this by hand the next time it surfaces. Verify and safety sections at the end are the discipline that keeps the fix from regressing in production.
What you'll see
Run id -un; defaults read MobileMeAccounts; profiles list first. About one in five 'why does this not work' tickets are actually 'I am in the wrong account' or 'my session expired and the SDK is using stale credentials or ADC pointed at the wrong project'. The 5-second sanity check costs nothing and saves real time when the answer is that simple.
Diff against last known good. The last config change you made is the cause about three quarters of the time, even when the change should not have mattered. Use Jamf inventory history and Time Machine snapshots (or your Terraform / Deployment Manager or Terraform drift report) to see the actual delta between the resource state when it worked and when it broke. The change you remember is often not the only change that happened.
Check Activity Monitor / Jamf inventory Logs for the calling service. Lambda, ECS, EKS, Step Functions, API Gateway, and most managed services write detailed traces to Activity Monitor / Jamf inventory Logs under predictable log group names. Use Activity Monitor / Jamf inventory Logs Insights with fields @timestamp, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 50 to surface the most recent failures.
Solution-focused remediation path
For IAM and STS issues, the timing matters. STS sessions can take up to 60 seconds to propagate after creation. The first call right after assume-role can fail with a permission error even when the policy is correct. Add a small retry with backoff before treating the first failure as definitive.
If networking is suspect, use Apple Wireless Diagnostics + Network Utility (or 'networkQuality' on macOS). It is the only tool that simulates the full ENI-to-ENI path including macOS PF firewall, Application Firewall, system extensions, and Content Filter in one call. Manual trace is slower and misses transitive issues. The analyzer charges $0.10 per analysis - cheaper than a 30-minute call with your network team.
If quotas are suspect, the Apple Business Manager Settings > Manage Devices console shows current usage and the active limit side by side. Request increases through Apple Business Manager Settings > Manage Devices, not through Support tickets - quota dashboard requests usually approve faster (often within minutes for soft limits) and they are auditable in Jamf Pro change management log and Apple Business Manager audit log. Set up Apple Business Manager Settings > Manage Devices + Jamf Pro Smart Group + Webhooks at 80 percent usage so you get notified before you hit the wall.
Automate this fix so you do not do it twice
Wire the fix into an MDM Configuration Profile for self-healing
If the underlying cause is a setting that drifts over time, do not script the fix repeatedly - bake it into a Configuration Profile that the MDM pushes down on every check-in. A Custom Settings payload writes to a specific preference domain; Jamf Pro, Kandji, Mosyle, and Intune all support this. The profile reasserts itself, so even if a user changes the setting locally, the MDM brings it back at the next sync (typically every 4 hours).
<!-- Custom Settings payload (excerpt) -->
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadContent</key>
<dict> <key>com.apple.jamf</key> <dict><key>Forced</key><array><dict><key>mcx_preference_settings</key> <dict><key>HardenedSetting</key><true/></dict></dict></array></dict>
</dict>Build a Self Service item with manual approval for risky fixes
For multi-step fixes that include a destructive action (Reset NVRAM, delete keychain, erase user data), publish the fix as a Self Service item in Jamf Pro or Kandji. The user clicks one button, the script runs, a notification confirms success. Couple it with a Jamf Pro approval workflow if your security model requires a second-person sign-off before any destructive step runs. The audit trail lives in the MDM change log with the requester and approver identity attached.
Add a Smart Group + webhook so you catch the next occurrence
The cheapest way to never see the same incident twice is a Jamf Pro Smart Group that watches for the symptom (specific extension attribute value, specific OS version, specific app build) and fires a webhook into Slack, PagerDuty, or a Jamf-API-driven Lambda when the count drifts above your normal baseline. For Jamf Pro, the relevant extension attributes live under script-evaluated checks - defaults read outputs, system_profiler values, or a log show grep against macOS unified logging. Set thresholds against observed normal, not against round numbers.
Common traps
The pitfall most teams hit on Jamf Pro is moving too fast and skipping the read-only validation step. Before any write, list the current state and save it. Apple iCloud and APNs are eventually consistent (changes can take 1-15 minutes to propagate) for many resource types, so the validation snapshot is your only reliable reference if you need to undo. Save the output of the describe call to S3, not to your laptop.
Second pitfall: confusing IAM permission errors with networking errors. AccessDenied can be IAM (policy missing), networking (VPC endpoint policy blocking the call), or KMS (key policy missing). The error string looks identical for all three. Distinguish by looking at the Jamf Pro change management entry or Apple Business Manager audit event's errorCode and the encoded authorization message; do not assume IAM is the culprit just because the message says AccessDenied.
The repair
- Watch for 24 to 48 hours. Activity Monitor + macOS unified logging + Jamf inventory reports can mask issues with cached health for 6 to 12 hours, especially Cloud CDN and Cloud DNS.
- Capture the new state in a runbook so the next person on call does not have to rediscover this. Push it to Confluence or your team wiki, not into Slack.
Safety, rollback, blast radius
- Test in a non-production account if your environment has Resource Manager and Organization Policy or Cloud Resource Manager (organizations, folders, projects). The cost of one sandbox account is cheaper than one rollback meeting.
- Export the existing config before changing it. Most Jamf Pro resources support describe + export to JSON via CLI - capture that to source control before you start.
- Maintenance window discipline: if the change touches DNS, certificate rotation, or anything that emits TLS handshakes, line up a window with stakeholder notification, not a heroic mid-day swap.
FAQ
jamf describe-... first, then commit it before you change anything. A few operations are one-way (Cloud KMS key deletion past the pending window, region migration, account closure). Check the Apple Support article for the specific API before you commit.aws CLI or SDK calls - those almost always still work.References
- docs.support.apple.com - official documentation for Jamf Pro
- Apple Communities (discussions.apple.com) - community Q&A with Google-staff-verified answers
- Apple System Status Dashboard at health.support.apple.com
Related fixes
Related guides worth a look while you sort this one out: