https://community.cisco.com/t5/endpoint-security/encryption/m-p/5428155#M11331 <P>It sounds like System manager isn't able to access the Fault vault recovery key because the payload is corrupted or something has gone wrong when the device uploaded the payload to systems manager. </P><P>Is the MDM certificate on the device still valid or has it expired? </P> Wed, 08 Nov 2023 21:44:53 GMT BlakeRichardson 2023-11-08T21:44:53Z https://community.cisco.com/t5/endpoint-security/encryption/m-p/5428154#M11330 <P>What does this mean? <STRONG>The encryption certificate referenced by the FileVault Recovery Key Escrow payload is invalid or does not support encryption.</STRONG></P> Wed, 08 Nov 2023 21:10:56 GMT https://community.cisco.com/t5/endpoint-security/encryption/m-p/5428154#M11330 pedrocallrail 2023-11-08T21:10:56Z https://community.cisco.com/t5/endpoint-security/encryption/m-p/5428155#M11331 <P>It sounds like System manager isn't able to access the Fault vault recovery key because the payload is corrupted or something has gone wrong when the device uploaded the payload to systems manager. </P><P>Is the MDM certificate on the device still valid or has it expired? </P> Wed, 08 Nov 2023 21:44:53 GMT https://community.cisco.com/t5/endpoint-security/encryption/m-p/5428155#M11331 BlakeRichardson 2023-11-08T21:44:53Z https://community.cisco.com/t5/endpoint-security/encryption/m-p/5428156#M11332 <P><A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/99577">@pedrocallrail</A> Can you take us through the flow you use to create the certificate, and which type of FileVault profile you are using?</P> Fri, 10 Nov 2023 12:42:18 GMT https://community.cisco.com/t5/endpoint-security/encryption/m-p/5428156#M11332 Arthur Dent 2023-11-10T12:42:18Z https://community.cisco.com/t5/endpoint-security/encryption/m-p/5428157#M11333 <P>I'm following: <A href="https://documentation.meraki.com/SM/Other_Topics/Creating_a_Public%2F%2FPrivate_Certificate_Pair" target="_blank" rel="noopener nofollow noreferrer">https://documentation.meraki.com/SM/Other_Topics/Creating_a_Public%2F%2FPrivate_Certificate_Pair</A> and <A href="https://documentation.meraki.com/SM/Profiles_and_Settings/Using_File_Vault_2" target="_blank" rel="noopener nofollow noreferrer">https://documentation.meraki.com/SM/Profiles_and_Settings/Using_File_Vault_2</A> It is not providing a .pem certificate. I am trying to create a :</P><H1 id="toc-hId-1842172098"><SPAN class="">macOS FileVault Recovery Key Escrow profile</SPAN></H1> Tue, 14 Nov 2023 20:24:33 GMT https://community.cisco.com/t5/endpoint-security/encryption/m-p/5428157#M11333 pedrocallrail 2023-11-14T20:24:33Z https://community.cisco.com/t5/endpoint-security/encryption/m-p/5428158#M11334 <P>Creating a macOS FileVault Recovery Key Escrow profile involves generating a public/private key pair and then using the public key to encrypt the FileVault recovery key.</P><P>You can use a tool like OpenSSL to generate a public/private key pair. The private key should be kept secure, as it will be used to decrypt the FileVault recovery key.</P><P>In the Meraki dashboard, create a new profile and select the ‘FileVault Recovery Key Escrow’ payload. In the ‘<STRONG>EncryptCertPayloadUUID</STRONG>’ field, enter the UUID of the payload that contains the public key. This will be used to encrypt the recovery key.</P><P>Once the profile is created, you can apply it to your devices. The devices will then escrow their FileVault recovery keys, encrypted with the public key, to the Meraki dashboard.</P><P>Please note that the certificate file used for the ‘<STRONG>EncryptCertPayloadUUID</STRONG>’ field should be in PEM format. If you’re having trouble generating a PEM certificate, you might want to check the commands you’re using with OpenSSL.</P><P>The typical command to generate a PEM encoded certificate is something like this:</P><P><EM><STRONG>openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt</STRONG></EM></P><P>This command generates a new RSA key (<EM><STRONG>server.key</STRONG></EM>) and a self-signed certificate (<EM><STRONG>server.crt</STRONG></EM>). Both are in PEM format.</P> Thu, 07 Dec 2023 19:30:51 GMT https://community.cisco.com/t5/endpoint-security/encryption/m-p/5428158#M11334 aleabrahao 2023-12-07T19:30:51Z