Presented by Elliot Jordan, Senior Consultant, Linde Group
MacBrained - January 27, 2015 - San Francisco, CA
Escrow Buddy is a tool for reissuing and escrowing FileVault keys is available which does NOT require prompting users for their passwords. As such, I don't plan to make any further updates to the workflow below. Please consider switching to Escrow Buddy. Read more below:
- Netflix Tech Blog: Escrow Buddy: An open-source tool from Netflix for remediation of missing FileVault keys in MDM
- Elliot Jordan: Escrowing new FileVault keys to MDM without password prompts
FileVault individual recovery keys can be missing from the JSS for many reasons.
- Perhaps the Mac was encrypted prior to enrollment.
- The Mac was encrypted prior to the FileVault redirection profile installation.
- The original recovery key was lost for some reason (e.g. database corruption or a bug of some kind).
You can use a policy to generate a new FileVault key and upload to JSS.
- A configuration profile ensures that all FileVault keys are escrowed with the JSS.
- A smart group determines which computers lack valid individual recovery keys.
- Customize the reissue_filevault_recovery_key.sh for your environment.
- Create a policy that deploys the reissue_filevault_recovery_key.sh script to the computers in the smart group.
A configuration profile called “Redirect FileVault keys to JSS” does what the name says.
- General
- Distribution Method: Install Automatically
- Level: Computer Level
- FileVault Recovery Key Redirection
- Automatically redirect recovery keys to the JSS
- Scope
- All computers
A smart group named “FileVault encryption key is invalid or unknown” selects the affected Macs.
| And/Or | Criteria | Operator | Value |
|---|---|---|---|
| FileVault 2 Individual Key Validation | is not | Valid | |
| and | Last Check-in | less than x days ago | 30 |
| and | FileVault 2 Detailed Status* | is | FileVault 2 Encryption Complete |
*From Rich Trouton’s FileVault status extension attribute: http://goo.gl/zB04LT
The reissue_filevault_recovery_key.sh script runs on each affected Mac.
- Start by customizing the reissue_filevault_recovery_key.sh script as needed for your environment.
- Email affected employees to give them a heads up.
- Use jamfHelper to announce the upcoming password prompt.
- Add logo to AppleScript password prompt.
- Fail silently if logo files aren’t present, or any other problems detected.
- Verify the Mac login password, with 5 chances to enter correct password.
Here is the section of the script you'll want to customize:
A policy called “Reissue invalid or missing FileVault recovery key” runs the script on each Mac in the smart group.
- General
- Trigger: Recurring Check-In
- Execution Frequency: Once per computer
- Packages
- AppleScriptCustomIcon.dmg (loads /tmp/Pinterest.icns)
- Scripts
- reissue_filevault_recovery_key.sh (priority: After)
- Scope
- Smart Group: FileVault encryption key is invalid or unknown
Don’t forget to monitor policy logs and test FileVault recovery to verify success.
- Monitor logs and flush one-off errors. (Unable to connect to distribution point, no user logged in, etc.)
- Identify and resolve remaining problems manually.
- Test a few newly-generated FileVault keys to ensure they are working as expected.
- Update your internal documentation.
This script appears to work with macOS High Sierra and Mojave, but there are a few known issues:
- On specific versions of High Sierra, entering an incorrect password during the key rotation process can result in invalidation of the existing FileVault key.
- Since the existing FileVault key is not valid in the first place (presumably) this isn't the end of the world. But it means that if the key was stored separately, e.g. in a spreadsheet somewhere, it will no longer work.
- We attempt to mitigate this by validating the provided password with
dsclprior to using it for rotation of the FileVault key. However, there is no guarantee that your local account password and your FileVault password are the same.
- Previous versions of macOS generated log output that confirmed the successful escrow of the newly generated FileVault key. High Sierra and Mojave do not. Instead, a local file containing the new key is written, which MDM is meant to retrieve. We attempt to determine escrow success by detecting a change in that file, but it's not a guarantee of success.
- If you find additional issues with High Sierra or Mojave, I'd appreciate you opening an issue on this repo.
This script should work on macOS Catalina, but please open an issue if you notice any Catalina-specific bugs.
Thank you!