Creating a macOS FileVault Recovery Key Escrow profile involves generating a public/private key pair and then using the public key to encrypt the FileVault recovery key.
You can use a tool like OpenSSL to generate a public/private key pair. The private key should be kept secure, as it will be used to decrypt the FileVault recovery key.
In the Meraki dashboard, create a new profile and select the ‘FileVault Recovery Key Escrow’ payload. In the ‘EncryptCertPayloadUUID’ field, enter the UUID of the payload that contains the public key. This will be used to encrypt the recovery key.
Once the profile is created, you can apply it to your devices. The devices will then escrow their FileVault recovery keys, encrypted with the public key, to the Meraki dashboard.
Please note that the certificate file used for the ‘EncryptCertPayloadUUID’ field should be in PEM format. If you’re having trouble generating a PEM certificate, you might want to check the commands you’re using with OpenSSL.
The typical command to generate a PEM encoded certificate is something like this:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt
This command generates a new RSA key (server.key) and a self-signed certificate (server.crt). Both are in PEM format.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
Please, if this post was useful, leave your kudos and mark it as solved.
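As an added example (not part of the post above, and not Meraki's own tooling), the following shell script walks the escrow round trip described above with OpenSSL: it generates the PEM key pair and certificate with the post's command, checks the certificate really is PEM, then stands in for the Mac by sealing a constructed sample recovery key to the certificate as a DER CMS envelope, and opens it with the private key. File names, the certificate subject, the sample key, the temp directory and the use of a CMS envelope as the escrow format are assumptions.

```shell
#!/bin/sh
# Constructed example: FileVault recovery key escrow round trip with OpenSSL.
# The Mac side is simulated; file names and the sample key are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate the escrow key pair and a self-signed PEM certificate (the post's
# command, plus -subj so it runs without prompting). escrow.key is the only
# thing that can open escrowed keys, so it is the part to keep offline.
gen_escrow_cert() {
  openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
    -subj "/CN=FileVault Escrow (constructed example)" \
    -keyout "$WORKDIR/escrow.key" -out "$WORKDIR/escrow.crt" 2>/dev/null
}

# The profile payload wants PEM: check the armor and that the cert parses.
cert_is_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$WORKDIR/escrow.crt" &&
    openssl x509 -in "$WORKDIR/escrow.crt" -noout 2>/dev/null
}

# Stand-in for the Mac: seal a recovery key to the certificate as a DER CMS
# envelope (assumed here as the escrow format); only the public key is needed.
escrow_recovery_key() {
  printf '%s' "$1" | openssl smime -encrypt -aes256 -binary -outform DER \
    -out "$WORKDIR/recovery.cms" "$WORKDIR/escrow.crt"
}

# Admin side: open the envelope with the private key, print the recovery key.
recover_key() {
  openssl smime -decrypt -inform DER -in "$WORKDIR/recovery.cms" \
    -inkey "$WORKDIR/escrow.key"
}

# Negative check: an unrelated private key must not yield the recovery key
# ($1 is the key that was escrowed). Decryption is expected to fail outright.
wrong_key_cannot_recover() {
  openssl genrsa -out "$WORKDIR/other.key" 2048 2>/dev/null
  out=$(openssl smime -decrypt -inform DER -in "$WORKDIR/recovery.cms" \
          -inkey "$WORKDIR/other.key" 2>/dev/null || true)
  [ "$out" != "$1" ]
}

demo() {
  gen_escrow_cert
  cert_is_pem && echo "escrow.crt is PEM"
  escrow_recovery_key "ABCD-EFGH-IJKL-MNOP-QRST-UVWX"   # constructed sample key
  echo "recovered: $(recover_key)"
  wrong_key_cannot_recover "ABCD-EFGH-IJKL-MNOP-QRST-UVWX" && echo "other key rejected"
}
```

Call `demo` to run all steps in order; the files land in `$WORKDIR`, so point that at a directory you control if you want to keep the generated key and certificate.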