Elliot Jordan edited this page Jun 12, 2023 · 3 revisions

Munki is not an MDM and cannot escrow FileVault keys. However, Munki is often used in combination with MDMs, and can serve both as a useful means to deploy Escrow Buddy and as a method for keeping the authorization database configured.


Deployment

The recommended way to import Escrow Buddy into Munki is to create and run an override for this AutoPkg recipe. This ensures your pkginfo contains the correct uninstall method and minimum OS version, which makes deployment easier.

Pkginfo

If you choose not to use the AutoPkg recipe linked above, you can download the latest Escrow Buddy installer from here and use munkiimport to import into your repository manually. (See this Munki wiki page for details about munkiimport.)

After creating a basic pkginfo file, you may want to consider copying these keys from the AutoPkg recipe:

Manifest

In order to install Escrow Buddy on the desired Macs, you must add Escrow Buddy as a managed_install in the manifest corresponding to that Mac. There are numerous ways to do this, but here are three examples:

Install on all Macs

To install on all Macs, make Escrow Buddy a managed_install in the site_default manifest (or the equivalent manifest you use to apply software to all managed Macs). See the example below.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>catalogs</key>
    <array>
        <string>stable</string>
    </array>
    <key>managed_installs</key>
    <array>
        <string>Escrow Buddy</string>
    </array>
</dict>
</plist>

Install on specific Macs (SelfServeManifest)

To install on specific Macs, have your MDM run this script on Macs that lack a valid escrowed FileVault recovery key:

#!/bin/bash
# Silence PlistBuddy errors (e.g. "Print" on a manifest with no managed_installs yet)
exec 2>/dev/null
MANIFEST="/Library/Managed Installs/manifests/SelfServeManifest"
# Nothing to do if Escrow Buddy is already listed
if /usr/libexec/PlistBuddy -c "Print managed_installs" "$MANIFEST" | grep -q "Escrow Buddy"; then
    echo "Escrow Buddy is already a managed install."
    exit 0
fi
# Create the managed_installs array if it is missing (the Add fails harmlessly
# when it already exists), then insert Escrow Buddy at the front of it
/usr/libexec/PlistBuddy -c "Add managed_installs array" "$MANIFEST"
/usr/libexec/PlistBuddy -c "Add managed_installs:0 string 'Escrow Buddy'" "$MANIFEST"
echo "Added Escrow Buddy as a managed install."

(Modify SelfServeManifest to your desired local manifest, if you use a custom LocalOnlyManifest setting.)

After doing this, Munki will install Escrow Buddy during its next automatic check.

Install on specific Macs (included manifest)

Another way to install Escrow Buddy on specific Macs that need it, if you're using machine-specific or serial-number-based manifests, is to add an "included" manifest that lists Escrow Buddy as a managed install.

For example, a computer with a matching serial number would reference this file at manifests/K12LM34PQ4:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>catalogs</key>
    <array>
        <string>stable</string>
    </array>
    <key>included_manifests</key>
    <array>
        <string>groups/needs_fv_escrow</string>
    </array>
</dict>
</plist>

Then the included manifest stored at manifests/groups/needs_fv_escrow would add Escrow Buddy as a managed install:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>managed_installs</key>
    <array>
        <string>Escrow Buddy</string>
    </array>
</dict>
</plist>

(Note the lack of catalogs since this is an included manifest.)

For details on this approach to organizing manifests, see this blog post: Another opinionated guide to Munki manifests

Authorization database maintenance

Some macOS updates and upgrades reset the authorization database to its default state, which will deactivate Escrow Buddy and prevent FileVault key generation upon next login. See the FAQ page for details.

To resolve this with Munki, you can use this nopkg item:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>autoremove</key>
    <false/>
    <key>catalogs</key>
    <array>
        <string>testing</string>
    </array>
    <key>category</key>
    <string>Utilities</string>
    <key>description</key>
    <string>Escrow Buddy is a tool used by MDM administrators to ensure a valid FileVault recovery key is escrowed for your Mac.</string>
    <key>developer</key>
    <string>Netflix</string>
    <key>display_name</key>
    <string>Escrow Buddy Configuration</string>
    <key>installcheck_script</key>
    <string>#!/bin/bash
exec 2&gt;/dev/null
if /usr/bin/security authorizationdb read system.login.console | grep -q '&lt;string&gt;Escrow Buddy:Invoke,privileged&lt;/string&gt;'; then
    echo "Escrow Buddy configuration OK."
    exit 1  # do not proceed with postinstall_script
else
    echo "Escrow Buddy configuration needs repair."
    exit 0  # proceed with postinstall_script
fi
</string>
    <key>installer_type</key>
    <string>nopkg</string>
    <key>minimum_os_version</key>
    <string>10.14.4</string>
    <key>name</key>
    <string>Escrow Buddy Config</string>
    <key>postinstall_script</key>
    <string>#!/bin/bash
echo "Adding Escrow Buddy to authorization database..."
"/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle/Contents/Resources/AuthDBSetup.sh"
</string>
    <key>unattended_install</key>
    <true/>
    <key>uninstallable</key>
    <false/>
    <key>update_for</key>
    <array>
        <string>Escrow Buddy</string>
    </array>
    <key>version</key>
    <string>1.0</string>
</dict>
</plist>

Removal

If you import Escrow Buddy into your Munki repo using an override of this AutoPkg recipe, the required uninstall behavior will already be in place. All that's needed is to put Escrow Buddy into the managed_uninstalls array of the appropriate manifest or SelfServeManifest, similar to the manifest methods shown above.

Other Munki tips

Conditional item

One way to simplify the scoping of Escrow Buddy to Macs that need it is to use a conditional item.

The following Python script would be deployed to your managed Macs at path /usr/local/munki/conditions/escrow_buddy_needed.py and made executable.

#!/usr/local/munki/munki-python

import os
import plistlib

from Foundation import CFPreferencesCopyAppValue


def main():
    """Main process."""

    # Path to the Escrow Buddy preferences
    eb_plist = "/Library/Preferences/com.netflix.Escrow-Buddy.plist"

    # Path to the Munki ConditionalItems.plist (fall back to Munki's default
    # ManagedInstallDir when the preference is not set explicitly)
    munki_bundle_id = "ManagedInstalls"
    munki_pref_key = "ManagedInstallDir"
    managedinstalldir = CFPreferencesCopyAppValue(munki_pref_key, munki_bundle_id)
    if not managedinstalldir:
        managedinstalldir = "/Library/Managed Installs"
    cond_items_plist = os.path.join(managedinstalldir, "ConditionalItems.plist")

    # Read the GenerateNewKey value from the Escrow Buddy prefs. Default to
    # False when the prefs file or the key is absent: plistlib cannot serialize
    # None, and a Mac without the preference does not need a new key.
    value = False
    if os.path.isfile(eb_plist):
        with open(eb_plist, "rb") as infile:
            eb_prefs = plistlib.load(infile)
        value = bool(eb_prefs.get("GenerateNewKey", False))
    result = {"escrow_buddy_needed": value}

    # Modify ConditionalItems.plist accordingly
    if os.path.isfile(cond_items_plist):
        # "ConditionalItems.plist" exists, so read it FIRST (existing_dict)
        with open(cond_items_plist, "rb") as infile:
            existing_dict = plistlib.load(infile)
        # Merge the data generated in this script into the existing data
        # (dict views cannot be added in Python 3, so use dict unpacking)
        output_dict = {**existing_dict, **result}
    else:
        # "ConditionalItems.plist" does not exist,
        # output only consists of data generated in this script
        output_dict = result

    # Write out data to "ConditionalItems.plist"
    with open(cond_items_plist, "wb") as outfile:
        plistlib.dump(output_dict, outfile)


if __name__ == "__main__":
    main()

After that conditional script is deployed, you can automatically install or remove Escrow Buddy dynamically on the eligible Macs using a manifest such as this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>conditional_items</key>
    <array>
        <dict>
            <key>condition</key>
            <string>escrow_buddy_needed == TRUE</string>
            <key>managed_installs</key>
            <array>
                <string>Escrow Buddy</string>
            </array>
        </dict>
        <dict>
            <key>condition</key>
            <string>escrow_buddy_needed != TRUE</string>
            <key>managed_uninstalls</key>
            <array>
                <string>Escrow Buddy</string>
            </array>
        </dict>
    </array>
</dict>
</plist>

After you deploy this manifest, it's a good idea to monitor the Munki logs for a while to ensure no looping is occurring.
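As an added example (not code from the Escrow Buddy project or from Munki), the following Python checks this scoping offline: it reproduces what the conditional script writes for a given Escrow Buddy preference state and evaluates the manifest's two predicates, including the case where the key has never been written on a Mac, so you can confirm the install and uninstall rules never fire together. The predicate evaluator is a simplified stand-in for Munki's NSPredicate evaluation that supports only the two forms used above, and the sample preference files are constructed.

```python
import plistlib
import re

# The manifest's conditional_items from this page, as Python data.
MANIFEST = {
    "conditional_items": [
        {"condition": "escrow_buddy_needed == TRUE",
         "managed_installs": ["Escrow Buddy"]},
        {"condition": "escrow_buddy_needed != TRUE",
         "managed_uninstalls": ["Escrow Buddy"]},
    ]
}

# Only the "<key> == TRUE|FALSE" / "<key> != TRUE|FALSE" forms used above are supported.
_PREDICATE = re.compile(r"^\s*(\w+)\s*(==|!=)\s*(TRUE|FALSE)\s*$")

def conditional_items_for(eb_prefs_bytes):
    """Mirror the conditional script: map GenerateNewKey from the Escrow Buddy
    prefs plist (None when the file is absent) to escrow_buddy_needed."""
    if eb_prefs_bytes is None:
        return {"escrow_buddy_needed": False}
    prefs = plistlib.loads(eb_prefs_bytes)
    return {"escrow_buddy_needed": bool(prefs.get("GenerateNewKey", False))}

def evaluate(condition, facts):
    """Evaluate one predicate against the ConditionalItems dict. A missing key
    (the script has never run on this Mac) compares as not-TRUE."""
    match = _PREDICATE.match(condition)
    if not match:
        raise ValueError(f"unsupported predicate: {condition!r}")
    key, op, literal = match.groups()
    actual = facts.get(key)
    equal = isinstance(actual, bool) and actual == (literal == "TRUE")
    return equal if op == "==" else not equal

def resolve(manifest, facts):
    """Return (managed_installs, managed_uninstalls) the manifest yields."""
    installs, uninstalls = [], []
    for item in manifest["conditional_items"]:
        if evaluate(item["condition"], facts):
            installs += item.get("managed_installs", [])
            uninstalls += item.get("managed_uninstalls", [])
    return installs, uninstalls

# Constructed sample Escrow Buddy preference files (not captured from a real Mac).
NEEDS_KEY = plistlib.dumps({"GenerateNewKey": True})
KEY_DONE = plistlib.dumps({"GenerateNewKey": False})
```

A Mac whose ConditionalItems.plist lacks the key (or carries False) lands in the uninstall rule, which is harmless when Escrow Buddy is not installed but explains why the conditional script must run before the manifest is useful.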

Icon

A 350px square icon has been provided here, which you can copy to your Munki repo as icons/Escrow Buddy.png for use in Managed Software Center.