Filevault Recovery Key "Escrow Profile" no longer deployable



Has anyone run into an issue where one is unable to deploy their FileVault escrow profile any longer? I am getting the following error when trying to run this payload.



Created this profile with the following guide from Meraki -


I just noticed it stopped working today. Tried another self-signed certificate (CRT); however, I got the same result. Both machines I tried deploying the profile to were on 13.5.1.

Kind of a big deal

I think you need to talk to support on this one. 

A model citizen

…And, with bated breath, what was the resolution to this? Asking for a friend.

Came across this same issue on macOS version 13.5.1 and above. Worked with support and did some additional testing and came to a consistent solution/fix.


Following the steps for creating the escrow recovery certificate (if you don't have the previous private key and public PEM pairing), make the output certificate file a .der rather than a .crt, then rotate out the certificate and profiles accordingly.


You will have to decrypt and re-encrypt your devices after it's pushed for the FileVault key to be successfully escrowed, but you could run some FDE terminal commands or a script to do this without having to interact with the end users.
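
The certificate step from the reply above, as an added example that is not part of the original thread or of Meraki's guide: it creates a self-signed escrow certificate, writes a DER copy, and reports a file's actual encoding instead of trusting its extension. The file names, subject, key size and lifetime are assumptions.

```shell
#!/bin/sh
# Added example. File names, subject, key size and lifetime are assumptions,
# not values taken from the thread or from Meraki's guide.
set -eu

# Print "pem", "der" or "unknown" for a certificate file, judged by content.
cert_encoding() {
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo pem
  elif openssl x509 -inform der -in "$1" -noout 2>/dev/null; then
    echo der
  else
    echo unknown
  fi
}

# Print the SHA-256 fingerprint of a certificate in either encoding.
cert_fingerprint() {
  ce_enc="$(cert_encoding "$1")"
  if [ "$ce_enc" = unknown ]; then
    echo "not a certificate: $1" >&2
    return 1
  fi
  openssl x509 -inform "$ce_enc" -in "$1" -noout -fingerprint -sha256
}

# Create a key pair and self-signed certificate in directory $1, then a DER copy.
make_escrow_cert() {
  (
    umask 077   # private key readable by the owner only
    # -nodes leaves the key unencrypted so the example runs unattended;
    # this key decrypts every escrowed recovery key, so store it offline.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/CN=FileVault Escrow (example)" \
      -keyout "$1/escrow-key.pem" -out "$1/escrow-cert.pem" 2>/dev/null
  )
  # Same certificate, binary DER encoding: this is the file to upload.
  openssl x509 -in "$1/escrow-cert.pem" -outform der -out "$1/escrow-cert.der"
}

# Optional use: pass certificate files as arguments to report their encoding.
if [ "$#" -ge 1 ]; then
  for f in "$@"; do
    printf '%s: %s\n' "$f" "$(cert_encoding "$f")"
  done
fi
```

Matching fingerprints for the PEM and DER files confirm that the profile and the retained private key still refer to the same certificate after conversion.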
