Skip to content
A framework for re-escrowing missing or invalid FileVault keys with Jamf Pro.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
images Adjusted mode of files Mar 2, 2019
.gitignore
.pre-commit-config.yaml Create .pre-commit-config.yaml Mar 2, 2019
README.md Added High Sierra compatibility section to readme Sep 26, 2017
reissue_filevault_recovery_key.sh Adjusted mode of files Mar 2, 2019

README.md

Reissuing FileVault keys with the Casper Suite

Presented by Elliot Jordan, Senior Consultant, Linde Group
MacBrained - January 27, 2015 - San Francisco, CA


Table of Contents


The Problem

FileVault individual recovery keys can be missing from the JSS for many reasons.

  • Perhaps the Mac was encrypted prior to enrollment.
  • The Mac was encrypted prior to the FileVault redirection profile installation.
  • The original recovery key was lost for some reason (e.g. database corruption or a bug of some kind).

FileVault is encrypted   FileVault is "not configured"

The Solution

You can use a policy to generate a new FileVault key and upload to JSS.

  1. A configuration profile ensures that all FileVault keys are escrowed with the JSS.
  2. A smart group determines which computers lack valid individual recovery keys.
  3. Customize the reissue_filevault_recovery_key.sh for your environment.
  4. Create a policy that deploys the reissue_filevault_recovery_key.sh script to the computers in the smart group.

Notification

Password Prompt

Step One: Configuration Profile

A configuration profile called “Redirect FileVault keys to JSS” does what the name says.

  • General
    • Distribution Method: Install Automatically
    • Level: Computer Level
  • FileVault Recovery Key Redirection
    • Automatically redirect recovery keys to the JSS
  • Scope
    • All computers

Step Two: Smart Group

A smart group named “FileVault encryption key is invalid or unknown” selects the affected Macs.

And/Or Criteria Operator Value
FileVault 2 Individual Key Validation is not Valid
and Last Check-in less than x days ago 30
and FileVault 2 Detailed Status* is FileVault 2 Encryption Complete

*From Rich Trouton’s FileVault status extension attribute: http://goo.gl/zB04LT

Step Three: Script

The reissue_filevault_recovery_key.sh script runs on each affected Mac.

  • Start by customizing the reissue_filevault_recovery_key.sh script as needed for your environment.
    • Email affected employees to give them a heads up.
    • Use jamfHelper to announce the upcoming password prompt.
    • Add logo to AppleScript password prompt.
    • Fail silently if logo files aren’t present, or any other problems detected.
    • Verify the Mac login password, with 5 chances to enter correct password.

Here is the section of the script you'll want to customize:

Script screenshot

Step Four: Policy

A policy called “Reissue invalid or missing FileVault recovery key” runs the script on each Mac in the smart group.

  • General
    • Trigger: Recurring Check-In
    • Execution Frequency: Once per computer
  • Packages
    • AppleScriptCustomIcon.dmg (loads /tmp/Pinterest.icns)
  • Scripts
    • reissue_filevault_recovery_key.sh (priority: After)
  • Scope
    • Smart Group: FileVault encryption key is invalid or unknown

Follow Through

Don’t forget to monitor policy logs and test FileVault recovery to verify success.

  • Monitor logs and flush one-off errors.
 (Unable to connect to distribution point, no user logged in, etc.)
  • Identify and resolve remaining problems manually.
  • Test a few newly-generated FileVault keys to ensure they are working as expected.
  • Update your internal documentation.


High Sierra Compatibility

This script has not been tested comprehensively with macOS High Sierra, so please proceed with caution if deploying to clients with High Sierra installed. Specifically, we know about the following issues:

  • Entering an incorrect password during the key rotation process can result in invalidation of the existing FileVault key.
    • Since the existing FileVault key is not valid in the first place (presumably) this isn't the end of the world. But it means that if the key was stored separately, e.g. in a spreadsheet somewhere, it will no longer work.
    • We attempt to mitigate this by validating the provided password with dscl prior to using it for rotation of the FileVault key. However, there is no guarantee that your local account password and your FileVault password are the same.
  • Previous versions of macOS generated log output that confirmed the successful escrow of the newly generated FileVault key. High Sierra does not. Instead, it writes to a local file containing the new key, which MDM is meant to retrieve. We attempt to determine escrow success by detecting a change in that file, but it's not a guarantee of success.
  • If you find additional issues with High Sierra, I'd appreciate you opening an issue on this repo.

Thank you!


See the original presentation slides. Watch the original presentation on Ustream.

You can’t perform that action at this time.