Presented by Elliot Jordan, Senior Consultant, Linde Group
MacBrained - January 27, 2015 - San Francisco, CA
Warning
DEPRECATION NOTICE: Escrow Buddy is a better tool for reissuing and escrowing FileVault keys which does NOT require prompting users for their passwords. As such, I don't plan to make any further updates to the workflow below. Please strongly consider switching to Escrow Buddy. Read more below:
FileVault individual recovery keys can be missing from the JSS for many reasons.
- The Mac was encrypted before it was enrolled in the JSS.
- The Mac was encrypted before the FileVault key redirection profile was installed.
- The original recovery key was lost for some reason (e.g. database corruption or a bug of some kind).
You can use a policy to generate a new FileVault recovery key and upload it to the JSS.
- A configuration profile ensures that all FileVault keys are escrowed with the JSS.
- A smart group determines which computers lack valid individual recovery keys.
- Customize the reissue_filevault_recovery_key.sh script for your environment.
- Create a policy that deploys the reissue_filevault_recovery_key.sh script to the computers in the smart group.
A configuration profile called “Redirect FileVault keys to JSS” does what the name says.
- General
- Distribution Method: Install Automatically
- Level: Computer Level
- FileVault Recovery Key Redirection
- Automatically redirect recovery keys to the JSS
- Scope
- All computers
A smart group named “FileVault encryption key is invalid or unknown” selects the affected Macs.
| And/Or | Criteria | Operator | Value |
|---|---|---|---|
| | FileVault 2 Individual Key Validation | is not | Valid |
| and | Last Check-in | less than x days ago | 30 |
| and | FileVault 2 Detailed Status* | is | FileVault 2 Encryption Complete |
*From Rich Trouton’s FileVault status extension attribute: http://goo.gl/zB04LT
The reissue_filevault_recovery_key.sh script runs on each affected Mac.
- Start by customizing the reissue_filevault_recovery_key.sh script as needed for your environment.
- Email affected employees to give them a heads up.
- Use jamfHelper to announce the upcoming password prompt.
- Add logo to AppleScript password prompt.
- Fail silently if logo files aren’t present, or any other problems detected.
- Verify the Mac login password, allowing up to 5 attempts to enter the correct password.
Here is the section of the script you'll want to customize:
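The customizable excerpt of the original script is not reproduced on this page. As an added illustration (not the original reissue_filevault_recovery_key.sh and not Linde Group code), the block below shows the core of such a reissue script: the jamfHelper heads-up, a logo-optional AppleScript password prompt, password verification with up to 5 attempts, and the `fdesetup changerecovery -personal -inputplist` call that generates the new key. Assumptions not taken from the page: the Jamf policy passes the prompt text as script parameter $4 and the logo path as $5, and all function names are invented for this example.

```shell
#!/bin/sh
# Added example of a FileVault key reissue script for a Jamf policy.
# Not the original reissue_filevault_recovery_key.sh; helper names are invented.
# Assumed Jamf script parameters: $4 = prompt text, $5 = logo path (.icns).
# Keep the prompt text free of double quotes; it is embedded in AppleScript.
PROMPT_TEXT="${4:-Your FileVault recovery key needs to be regenerated. Please enter your Mac login password.}"
LOGO_ICNS="${5:-/tmp/Pinterest.icns}"
MAX_ATTEMPTS=5
JAMF_HELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# Escape the characters that would break the XML plist handed to fdesetup.
# The ampersand is replaced first so the later entities are not double-escaped.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist that `fdesetup changerecovery -personal -inputplist` reads on
# stdin, so the password is never placed on fdesetup's command line.
fdesetup_plist() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<plist version="1.0"><dict>\n'
    printf '  <key>Username</key><string>%s</string>\n' "$(xml_escape "$1")"
    printf '  <key>Password</key><string>%s</string>\n' "$(xml_escape "$2")"
    printf '</dict></plist>\n'
}

# Short name of the account currently owning the console.
console_user() {
    /usr/bin/stat -f%Su /dev/console
}

# Show the AppleScript password dialog as the logged-in user. The logo is
# optional: if the .icns file is absent the dialog is shown without one.
ask_password() {
    icon=""
    [ -f "$LOGO_ICNS" ] && icon=" with icon (POSIX file \"$LOGO_ICNS\")"
    sudo -u "$1" /usr/bin/osascript -e "text returned of (display dialog \"$PROMPT_TEXT\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1$icon)"
}

# Verify the password against the local directory node (exit 0 = valid).
# Caveat: dscl only takes the password as an argument, so it is briefly visible
# in the process list on this machine.
check_password() {
    /usr/bin/dscl /Local/Default -authonly "$1" "$2" >/dev/null 2>&1
}

# Prompt up to MAX_ATTEMPTS times; print the verified password on stdout.
prompt_until_valid() {
    user="$1"; n=0
    while [ "$n" -lt "$MAX_ATTEMPTS" ]; do
        n=$((n + 1))
        pw="$(ask_password "$user")" || return 1
        if check_password "$user" "$pw"; then
            printf '%s' "$pw"
            return 0
        fi
    done
    return 1
}

# Generate a new personal recovery key. With the redirection profile in place
# macOS escrows the new key to the JSS, so stdout is discarded to keep the key
# out of the Jamf policy log.
reissue_key() {
    fdesetup_plist "$1" "$2" | /usr/bin/fdesetup changerecovery -personal -inputplist >/dev/null
}

main() {
    user="$(console_user)"
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "No user logged in; exiting quietly so the policy can retry later."
        exit 0
    fi
    [ -x "$JAMF_HELPER" ] && "$JAMF_HELPER" -windowType utility -title "FileVault" \
        -description "A password prompt will appear next." -button1 "OK" >/dev/null
    pw="$(prompt_until_valid "$user")" || { echo "Password not verified after $MAX_ATTEMPTS attempts."; exit 1; }
    reissue_key "$user" "$pw"
}

# Only run the workflow on macOS as root (i.e. when executed by a Jamf policy).
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then
    main
fi
```

The plist escaping matters in practice: a password containing `&` or `<` would otherwise produce an unparseable plist and a confusing "unable to change recovery key" failure that looks like a wrong password.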
A policy called “Reissue invalid or missing FileVault recovery key” runs the script on each Mac in the smart group.
- General
- Trigger: Recurring Check-In
- Execution Frequency: Once per computer
- Packages
- AppleScriptCustomIcon.dmg (loads /tmp/Pinterest.icns)
- Scripts
- reissue_filevault_recovery_key.sh (priority: After)
- Scope
- Smart Group: FileVault encryption key is invalid or unknown
Don’t forget to monitor policy logs and test FileVault recovery to verify success.
- Monitor logs and flush one-off errors. (Unable to connect to distribution point, no user logged in, etc.)
- Identify and resolve remaining problems manually.
- Test a few newly-generated FileVault keys to ensure they are working as expected.
- Update your internal documentation.
Thank you!