Migrating from JAMF to Rippling: Why FileVault Key Escrow is Critical
When your organization decides to migrate from JAMF Pro to Rippling MDM, there's one critical step that can't be overlooked: escrowing all FileVault recovery keys before shutting down JAMF. I learned this the hard way during our recent migration, which is why I built the JAMF FileVault Recovery Key Extractor to automate this process.
🔗 View the JAMF Extractor on GitHub - Complete source code, documentation, and installation instructions
The Problem: Lost Keys Mean Lost Data
FileVault is macOS's built-in disk encryption that protects user data at rest. When enabled, it generates a personal recovery key that's essential for:
- Recovering data if the user forgets their password
- Unlocking devices during IT troubleshooting
- Accessing data on devices that can't be unlocked normally
The critical issue: Once you shut down JAMF Pro, all FileVault recovery keys stored in the JAMF database become inaccessible. If you haven't extracted them beforehand, you've essentially lost the ability to recover data from encrypted Macs.
Why This Matters During MDM Migration
1. Data Recovery Scenarios
Users will inevitably forget their passwords or encounter issues that require recovery key access. Without the keys, you're looking at:
- Complete data loss on affected devices
- Expensive data recovery services (if possible at all)
- Potential compliance violations
- Loss of user trust and productivity
2. Compliance and Audit Requirements
Many organizations have regulatory requirements for data encryption and key management. Losing access to recovery keys can:
- Violate data protection regulations
- Fail security audits
- Create legal and compliance issues
3. Smooth Migration Process
Having all recovery keys available ensures:
- Faster troubleshooting during migration
- Better user experience
- Reduced support tickets
- Cleaner transition to Rippling
The Solution: Automated Key Extraction
Rather than manually extracting keys through the JAMF web interface (which would take forever with hundreds of devices), I built a Go-based tool that automates the entire process.
📦 Get the JAMF Extractor - Download, build, and start extracting keys in minutes
Key Features
Automatic Computer Discovery
# Get all computers directly from JAMF Pro API
./jamf-extractor all --url "https://your-jamf-instance.jamfcloud.com/" --username "your-username" --password "your-password"
Comprehensive Audit Logging
Every action is logged to jamf_extractor.log for compliance and troubleshooting:
- Authentication attempts
- Computer processing details
- FileVault key retrieval status
- Error conditions and resolutions
CSV Report Generation
Creates a structured report with:
- Jamf Pro ID Number
- Device Make/Model/Serial
- UDID
- FileVault Recovery Key Status
- Recovery Key (when available)
- Direct JAMF Pro URL
Dual API Support
Uses both the Classic API (for computer records) and the modern JAMF Pro API (for FileVault keys) to ensure maximum compatibility.
The Migration Process
Here's the step-by-step process I recommend for any JAMF to Rippling migration:
Phase 1: Pre-Migration (Critical)
- Extract all FileVault keys using the JAMF Extractor
- Verify key extraction by spot-checking a few devices
- Store keys securely in your new key management system
- Document the process for audit purposes
Phase 2: Migration Setup
- Configure Rippling MDM with your existing devices
- Test FileVault management in Rippling
- Plan the cutover timeline with minimal disruption
Phase 3: Cutover
- Migrate devices to Rippling MDM
- Verify FileVault status on migrated devices
- Decommission JAMF only after confirming all keys are safely stored
Technical Implementation
The JAMF Extractor handles several technical challenges:
Pagination Support
Large organizations might have thousands of devices. The tool automatically handles pagination to process all computers.
Error Handling
Comprehensive error handling for:
- Invalid computer IDs
- Authentication failures
- Network timeouts
- API rate limiting
- Missing FileVault keys
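The pagination and missing-key handling described above, as an added example in Go that is not the JAMF Extractor's own code: it walks every page of the computer inventory, fetches each Mac's personal recovery key, records a Mac with no escrowed key as an empty string so one gap does not abort the run, and treats any other failure (authentication, timeout, rate limiting) as fatal. The endpoint paths and JSON field names (/api/v1/computers-inventory with page and page-size, /api/v1/computers-inventory/{id}/filevault returning personalRecoveryKey) are my assumptions about the Jamf Pro API and should be checked against the Jamf documentation; fakeJamf is constructed sample data standing in for the real HTTP client.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrNoKey is what get returns when Jamf holds no escrowed key for a computer (the API answers 404).
var ErrNoKey = errors.New("no FileVault key escrowed")

// ExtractKeys pages through the computer inventory and collects each personal recovery key; get is one
// bearer-authenticated GET decoded into out (net/http with token renewal in the real tool, a fake here).
// Paths and field names are assumptions about the Jamf Pro API; a Mac with no escrowed key becomes "".
func ExtractKeys(get func(path string, out any) error, pageSize int) (map[string]string, error) {
	keys := map[string]string{}
	for page := 0; ; page++ {
		var inv struct {
			TotalCount int                            `json:"totalCount"`
			Results    []struct{ ID string `json:"id"` } `json:"results"`
		}
		if err := get(fmt.Sprintf("/api/v1/computers-inventory?section=GENERAL&page=%d&page-size=%d", page, pageSize), &inv); err != nil {
			return nil, err
		}
		for _, r := range inv.Results {
			var fv struct{ PersonalRecoveryKey string `json:"personalRecoveryKey"` }
			err := get("/api/v1/computers-inventory/"+r.ID+"/filevault", &fv)
			if err != nil && !errors.Is(err, ErrNoKey) {
				return nil, err // auth failure, timeout, rate limit: stop rather than ship a partial report
			}
			keys[r.ID] = fv.PersonalRecoveryKey // "" when nothing is escrowed: flag it in the CSV and audit log
		}
		if len(inv.Results) == 0 || len(keys) >= inv.TotalCount {
			return keys, nil
		}
	}
}

// fakeJamf is constructed sample data: two inventory pages, three Macs, computer 2 has no escrowed key.
func fakeJamf(path string, out any) error {
	responses := map[string]string{
		"/api/v1/computers-inventory?section=GENERAL&page=0&page-size=2": `{"totalCount":3,"results":[{"id":"1"},{"id":"2"}]}`,
		"/api/v1/computers-inventory?section=GENERAL&page=1&page-size=2": `{"totalCount":3,"results":[{"id":"3"}]}`,
		"/api/v1/computers-inventory/1/filevault":                        `{"personalRecoveryKey":"AAAA-BBBB-CCCC-DDDD-EEEE-FFFF"}`,
		"/api/v1/computers-inventory/3/filevault":                        `{"personalRecoveryKey":"GGGG-HHHH-IIII-JJJJ-KKKK-LLLL"}`,
	}
	if body, ok := responses[path]; ok {
		return json.Unmarshal([]byte(body), out)
	}
	return ErrNoKey
}

func main() {
	fmt.Println(ExtractKeys(fakeJamf, 2))
}
```

Computer 2 appears in the result with an empty key, which is exactly the row to chase before JAMF is decommissioned: an encrypted Mac with nothing escrowed.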
Security Considerations
- Uses modern bearer token authentication
- Automatically renews expired tokens
- Logs all access for security auditing
- No hardcoded credentials
Lessons Learned
1. Start Early
Don't wait until the last minute. Key extraction should be one of the first steps in any MDM migration.
2. Test Thoroughly
Always test the extraction process on a small subset of devices before running it on your entire fleet.
3. Document Everything
Maintain detailed logs of what was extracted, when, and by whom. This is crucial for compliance.
4. Have a Backup Plan
Even with automated tools, always have a manual process documented for critical devices.
Open Source Contribution
I've made the JAMF FileVault Recovery Key Extractor open source so other organizations can benefit from this tool during their own migrations. The project includes:
- Complete source code in Go
- Comprehensive documentation
- Security vulnerability assessment
- MIT license for easy adoption
⭐ Star the project on GitHub - Help others discover this tool and contribute to its development
Looking Forward
The migration from JAMF to Rippling has been successful, and having all FileVault keys properly escrowed gave us confidence throughout the process. The tool has also been useful for ongoing key management and audit purposes.
If you're planning a similar migration, I highly recommend starting with key extraction as your first step. The peace of mind knowing you have all recovery keys safely stored is invaluable.
Ready to get started? Check out the JAMF FileVault Recovery Key Extractor on GitHub and let me know if you have any questions about the migration process.
Have you experienced similar challenges during MDM migrations? I'd love to hear about your experiences and any tools you've built to solve them.