Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reissue key on High Sierra #17

Open
pleegor opened this issue May 29, 2018 · 1 comment
Open

Reissue key on High Sierra #17

pleegor opened this issue May 29, 2018 · 1 comment

Comments

@pleegor
Copy link

pleegor commented May 29, 2018

I am having issues escrowing keys on macos 10.13.. New key is being generated, but it is not being "shipped" to JSS. I have a FileVault encryption payload that encrypts disk and sends recovery key to JSS. Was anyone able to make this workflow working on 10.13.?

@jelockwood
Copy link

I am not using this project but I did have problems escrowing FileVault recovery keys with High Sierra. The issue is down to the fact that High Sierra now uses/requires user accounts to have a 'Secure Token' in order to be FileVault enabled. Since the way the jamfmanagement account is created results in it not having a secure token this means the jamfmanagement account is not authorised to perform FileVault tasks.

With the help of JAMF I have implemented a solution for this. It involves running a script - once on the client Mac, it does at the moment require user interaction as the user has to provide the password for their FileVault enabled admin account so it can authorised creating a secure token for the jamfmanagement account. The script for this is here - https://github.com/kc9wwh/FileVaultEnableAdminAccount it is actually based on this project.

Once the jamfmanagement account has a secure token it can then auto-rotate the FileVault recovery key and re-escrow the updated key.

Once catch - the above script as currently written checks and insists that the machine is fully FileVault encrypted, it will not run whilst encryption is in progress so you need to use a smartgroup to check for a fully completed encryption.

The script is being passed the username and password for a local admin account on the client Mac. I also have this created as standard and I can therefore include these details as parameters. I then after encryption and this secure token process are complete (via another smart group) have another script and policy called LAPS which randomises and rotates the password for this account. This is a project here - https://github.com/unl/LAPSforMac

In theory since the local admin password is known to JAMF and stored in JAMF as an extension attribute it should be possible to modify the script and policy for creating the secure token to look that up and pass it as the parameter. I have opened this as a ticket here - kc9wwh/FileVaultEnableAdminAccount#2 however I am getting the impression the project maybe semi abandoned as there is no activity from the author for a while.

So I think your problem maybe down to the jamfmanagement account not having a secure token, you can check this by doing the following on the client Mac.

sudo systemctl -secureTokenStatus nameofjamfmanagementaccount

If it returns enabled it has a secure token if it returns disabled it does not. If it is disabled then you need to look at the above solution to give the jamfmanagement account a secure token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants