Reissuing FileVault keys with the Casper Suite
Presented by Elliot Jordan, Senior Consultant, Linde Group
MacBrained - January 27, 2015 - San Francisco, CA
Table of Contents
- The Problem
- The Solution
FileVault individual recovery keys can be missing from the JSS for many reasons.
- Perhaps the Mac was encrypted prior to enrollment.
- The Mac was encrypted prior to the FileVault redirection profile installation.
- The original recovery key was lost for some reason (e.g. database corruption or a bug of some kind).
You can use a policy to generate a new FileVault key and upload it to the JSS.
- A configuration profile ensures that all FileVault keys are escrowed with the JSS.
- A smart group determines which computers lack valid individual recovery keys.
- Customize the reissue_filevault_recovery_key.sh script for your environment.
- Create a policy that deploys the reissue_filevault_recovery_key.sh script to the computers in the smart group.
Step One: Configuration Profile
A configuration profile called “Redirect FileVault keys to JSS” does what the name says.
- Distribution Method: Install Automatically
- Level: Computer Level
- FileVault Recovery Key Redirection
- Automatically redirect recovery keys to the JSS
- All computers
Step Two: Smart Group
A smart group named “FileVault encryption key is invalid or unknown” selects the affected Macs.
| And/Or | Criteria | Operator | Value |
|---|---|---|---|
| | FileVault 2 Individual Key Validation | is not | Valid |
| and | Last Check-in | less than x days ago | 30 |
| and | FileVault 2 Detailed Status* | is | FileVault 2 Encryption Complete |
*From Rich Trouton’s FileVault status extension attribute: http://goo.gl/zB04LT
Step Three: Script
The reissue_filevault_recovery_key.sh script runs on each affected Mac.
- Start by customizing the reissue_filevault_recovery_key.sh script as needed for your environment.
- Email affected employees to give them a heads up.
- Use jamfHelper to announce the upcoming password prompt.
- Add logo to AppleScript password prompt.
- Fail silently if logo files aren’t present, or if any other problems are detected.
- Verify the Mac login password, with 5 chances to enter correct password.
Here is the section of the script you'll want to customize:
Step Four: Policy
A policy called “Reissue invalid or missing FileVault recovery key” runs the script on each Mac in the smart group.
- Trigger: Recurring Check-In
- Execution Frequency: Once per computer
- AppleScriptCustomIcon.dmg (loads /tmp/Pinterest.icns)
- reissue_filevault_recovery_key.sh (priority: After)
- Smart Group: FileVault encryption key is invalid or unknown
Don’t forget to monitor policy logs and test FileVault recovery to verify success.
- Monitor logs and flush one-off errors. (Unable to connect to distribution point, no user logged in, etc.)
- Identify and resolve remaining problems manually.
- Test a few newly-generated FileVault keys to ensure they are working as expected.
- Update your internal documentation.
High Sierra Compatibility
This script has not been tested comprehensively with macOS High Sierra, so please proceed with caution if deploying to clients with High Sierra installed. Specifically, we know about the following issues:
- Entering an incorrect password during the key rotation process can result in invalidation of the existing FileVault key.
- Since the existing FileVault key is not valid in the first place (presumably) this isn't the end of the world. But it means that if the key was stored separately, e.g. in a spreadsheet somewhere, it will no longer work.
- We attempt to mitigate this by validating the provided password with dscl prior to using it for rotation of the FileVault key. However, there is no guarantee that your local account password and your FileVault password are the same.
- Previous versions of macOS generated log output that confirmed the successful escrow of the newly generated FileVault key. High Sierra does not. Instead, it writes to a local file containing the new key, which MDM is meant to retrieve. We attempt to determine escrow success by detecting a change in that file, but it's not a guarantee of success.
- If you find additional issues with High Sierra, I'd appreciate you opening an issue on this repo.
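The two High Sierra safeguards described above (validate the password before rotating, then infer escrow from a change in the local key file) can be sketched as follows. This is an added example, not code from reissue_filevault_recovery_key.sh; `KEY_FILE` is a placeholder path, and the validate/rotate function names and the demo values are constructed stand-ins.

```bash
#!/bin/bash
# Added example; not part of reissue_filevault_recovery_key.sh.
# KEY_FILE is a placeholder for the local file that holds the new recovery
# key on High Sierra (the page does not give its path).
KEY_FILE="${KEY_FILE:-/path/to/recovery-key-file}"

# Print a fingerprint of the key file, or "absent" if it does not exist.
key_fingerprint() {
    if [ -f "$1" ]; then cksum < "$1"; else echo "absent"; fi
}

# rotate_and_check VALIDATE ROTATE
#   VALIDATE: hypothetical function that checks the login password
#             (on a Mac it could wrap: dscl /Search -authonly "$user" "$pass")
#   ROTATE:   hypothetical function that reissues the key
#             (on a Mac it could wrap: fdesetup changerecovery -personal ...)
# Returns 0 key file changed, 1 password rejected (rotation never attempted),
#         2 rotation command failed, 3 command succeeded but file unchanged.
rotate_and_check() {
    local validate="$1" rotate="$2" before after
    "$validate" || return 1            # never rotate with an unverified password
    before=$(key_fingerprint "$KEY_FILE")
    "$rotate" || return 2
    after=$(key_fingerprint "$KEY_FILE")
    if [ "$after" = "absent" ] || [ "$after" = "$before" ]; then
        return 3                       # no evidence that a new key was written
    fi
    return 0                           # changed: likely, not proven, escrowed
}

# Constructed demo with stand-in functions; no real password or key is used.
demo() {
    local rc pair
    KEY_FILE=$(mktemp) && echo "OLD-CONSTRUCTED-KEY" > "$KEY_FILE"
    pw_ok()    { return 0; }
    pw_bad()   { return 1; }
    new_key()  { echo "NEW-CONSTRUCTED-KEY" > "$KEY_FILE"; }
    no_write() { return 0; }
    for pair in "pw_bad new_key" "pw_ok no_write" "pw_ok new_key"; do
        rc=0; rotate_and_check $pair || rc=$?
        echo "$pair -> $rc"
    done
    rm -f "$KEY_FILE"
}
demo
```

A return code of 0 only shows that the file changed, so a recovery test on a few Macs is still needed to confirm that the JSS holds a working key.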