Device re-enrolls as a new one

Hey all,

A quick question – why does the sudo profiles renew -type enrollment command enroll the device as a new device in Hexnode?

N.B: The device is already enrolled in Hexnode with Apple DEP

All Replies

  • Participant

    Luuk

    We have provisioned a few Mac devices months back. But, don’t know what happened. This one is unable to check in with Hexnode for a while.

    I saw a few posts on resetting the DEP cache using the sudo profiles renew -type enrollment command. So I tried it. Yet, it initiated the enrollment as a new device instead of re-enrolling it in the portal.

    That’s however not a big deal! What frustrates me the most is, I had the FileVault policy associated with the device earlier. As such, the decryption key was obtainable from the portal. Since the device is now enrolled as a new one, I can’t find any decryption key shown in its device summary.

  • Participant

    johana

    Okay. As far as I know, this command is used for initiating DEP enrollment from the terminal. It automatically installs the profile for the MDM server associated with it in the ABM account. If the device already has a profile installed on it, I’m not sure if you can re-enroll the device using it.

  • Hexnode

    Catherine

    Keymaster

    Hi @luuk:

    I suppose, before re-enrolling a device, you may have to re-check the Re-enrollment Options applied to it.

    1. Log in to the Hexnode portal.
    2. Navigate to Enroll > Settings > Re-enrollment Options.
    3. Check for the option you have enabled on Device Status.

    When Enroll as a new device is enabled, an already enrolled device gets re-enrolled as a new one.

    The command sudo profiles renew -type enrollment triggers enrollment on a device added to your organization’s DEP account. But, if the above option remains selected on Hexnode, it is disenrolled and is added as a newly enrolled device. Resultantly, the older FileVault configurations for the device do not reflect on the portal.

    Currently, there will be two enrollment instances for the device, one as a disenrolled and the other as enrolled. You may fetch the FileVault Personal Recovery key for the disenrolled instance from the Reports tab. Among the Disenrolled devices (Reports > Device Reports > Disenrolled devices), search the device using its Serial Number. Click on the edit column icon to include the FileVault Personal Recovery Key. And, you can view it from there.

    Catherine George

    Hexnode UEM

  • Participant

    Anaya

    A bit doubtful about that. @luuk had a FileVault policy associated with the device from Hexnode. What if I have a device already encrypted manually and not via Hexnode? What do I do with the personal recovery key, if the device is enrolled first and foremost in Hexnode? Will that be displayed on the portal?

  • Hexnode

    Catherine

    Keymaster

    Coincidentally, @luuk @anaya both your queries lead to the same answer.

    Here’s a workaround that will help you fetch the personal recovery key on the Device Summary for a device either encrypted before enrolling it or re-enrolled as a new one in Hexnode.

    1. Open the Terminal application on the Mac.
    2. Run the following command in Terminal:
      sudo fdesetup changerecovery -personal
      The new recovery key will be displayed in Terminal.
    3. Open the Hexnode MDM agent app on the device and click SYNC.
    4. Next, log in to the Hexnode portal.
    5. Navigate to Manage > Choose the device > Actions > Scan Device.
    6. An option to decrypt the FileVault recovery key will be displayed under the Security Info of the device. (Device Info > Security Info > FileVault)
    7. Click Decrypt.
    8. The key will be displayed next to FileVault Recovery Key.

    Good luck,

    Catherine George

    Hexnode UEM
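
Added example, not part of the original thread and not Hexnode's tooling: a shell preflight that applies the two answers above before anyone runs `sudo profiles renew -type enrollment` on a FileVault-encrypted Mac. The function name `classify_renew` and its verdict words are hypothetical; the function works on the text printed by `profiles status -type enrollment`, `fdesetup status` and `fdesetup haspersonalrecoverykey`.

```shell
#!/bin/sh
# classify_renew (hypothetical helper) takes three strings:
#   $1  output of: profiles status -type enrollment
#   $2  output of: fdesetup status
#   $3  output of: fdesetup haspersonalrecoverykey   (prints true/false)
# and prints one verdict word describing what to do about the recovery key.
classify_renew() {
    enroll=$1 fv=$2 prk=$3

    case $fv in
        *"FileVault is On"*) ;;
        # Disk is not encrypted: renewing enrollment cannot orphan a key.
        *) echo "no-filevault"; return 0 ;;
    esac

    case $prk in
        true) ;;
        # Encrypted, but no personal recovery key exists for a portal to hold.
        *) echo "no-personal-key"; return 0 ;;
    esac

    if printf '%s\n' "$enroll" | grep -q '^MDM enrollment: Yes'; then
        # Still enrolled: if the portal's Re-enrollment Options are set to
        # "Enroll as a new device", the key stays with the disenrolled record.
        # Check that setting and note the serial number before renewing.
        echo "check-reenrollment-option"
    else
        # Not enrolled (or encrypted before enrollment): after enrolling,
        # rotate with `sudo fdesetup changerecovery -personal` and sync so
        # the new key reaches the portal.
        echo "rotate-after-enroll"
    fi
}

# Live run only on a Mac, as root; skipped everywhere else.
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    classify_renew "$(profiles status -type enrollment 2>&1)" \
                   "$(fdesetup status 2>&1)" \
                   "$(fdesetup haspersonalrecoverykey 2>&1)"
fi
```

A `check-reenrollment-option` verdict corresponds to Luuk's case, and `rotate-after-enroll` to Anaya's.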