Filevault Personal Recovery key escrow


@Melissa Do you have any insight on updated documentation for the new FileVault personal key escrow payload?


The FV2 personal key escrow is a separate payload from the "standard" FileVault settings, and there's a required field that's essentially a black hole because I can't find any info on finding or generating the requested certificate.


Right now I created a test FileVault payload that only enforces a personal recovery key and pushed it to a single Mac client so that I can try to pull the mobileconfig/plist apart using the suggestions on this page to get the cert:


Would be nice if the dropdown menu on this payload was pre-filled with my existing FileVault profile, or a quick template that has Meraki auto-generating the required cert for me...



Meraki Alumni (Retired)

Hi @sshort! We should have a new guide on this configuration setting posted soon on our Documentation site. I'll post a link to it in the Community asap!



Building a reputation

Ok, there's some updated documentation on FileVault escrow, but you need to "fill in the blank" by generating your own public/private SSL cert to upload to Meraki. Also: as noted in Meraki's documentation, this will not work on existing deployments. Newly enrolled devices (or freshly re-imaged Macs) will be able to take advantage of the escrowed keys. The escrow payload must be installed before (or simultaneously with) a separate FV personal + institutional key payload for this to work.


Generate the public key certificate in Terminal using openssl:


OR this site (scroll down to the create SSL section):


I just did the same. The documentation was missing the step of either creating a self-signed certificate or using a CSR with your own CA. It worked great!!
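As an added example (not from Meraki's documentation or from anyone in this thread), the openssl steps both posters above describe, covering both routes: a self-signed certificate you can upload directly, or a CSR to submit to your own CA. The file names, subject, 2048-bit RSA size and 10-year validity are my choices; whether the Meraki upload form wants PEM or DER is also an assumption, so both are written. The check at the end confirms the certificate really belongs to the private key you are keeping, since that key is the only thing that can decrypt escrowed recovery keys later.

```shell
#!/bin/sh
# Added example: key pair + self-signed cert or CSR for the FileVault PRK
# escrow payload. Paths, subject and sizes are assumptions, not Meraki's.
set -eu

# Self-signed route: the .pem/.der public certificate is what gets uploaded to
# the escrow payload; the .key file decrypts escrowed recovery keys and should
# be stored offline, never in the profile or on managed Macs.
generate_escrow_cert() {
    outdir="$1"
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -keyout "$outdir/fv-escrow.key" \
        -out "$outdir/fv-escrow.pem" \
        -subj "/CN=FileVault PRK Escrow (example)" >/dev/null 2>&1
    chmod 600 "$outdir/fv-escrow.key"
    # DER copy in case the upload form expects .cer/.der rather than PEM
    openssl x509 -in "$outdir/fv-escrow.pem" -outform DER -out "$outdir/fv-escrow.der"
}

# CA route: generate the key and a CSR, submit the CSR to your own CA, then
# upload the certificate the CA returns.
generate_escrow_csr() {
    outdir="$1"
    mkdir -p "$outdir"
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$outdir/fv-escrow.key" \
        -out "$outdir/fv-escrow.csr" \
        -subj "/CN=FileVault PRK Escrow (example)" >/dev/null 2>&1
    chmod 600 "$outdir/fv-escrow.key"
}

# Sanity check before uploading: the public key inside the certificate must
# match the private key you are keeping, otherwise escrowed keys are
# undecryptable. Returns 0 on match, 1 otherwise.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Usage (self-signed):
#   generate_escrow_cert ./escrow
#   cert_matches_key ./escrow/fv-escrow.pem ./escrow/fv-escrow.key && echo match
#   openssl x509 -in ./escrow/fv-escrow.pem -noout -subject -dates
```

Upload only the certificate (`fv-escrow.pem` or `fv-escrow.der`); the private key stays with whoever will be recovering disks, ideally on removable media or in a vault, because anyone holding it can decrypt every personal recovery key escrowed against that certificate.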
