Reissuing FileVault keys with the Casper Suite

Presented by Elliot Jordan, Senior Consultant, Linde Group<br />MacBrained - January 27, 2015 - San Francisco, CA

Deprecation Notice

Escrow Buddy, a tool for reissuing and escrowing FileVault keys, is now available and does NOT require prompting users for their passwords. As such, I don't plan to make any further updates to the workflow below. Please consider switching to Escrow Buddy. Read more below:



The Problem

FileVault individual recovery keys can be missing from the JSS for many reasons.

(Screenshots: "FileVault is encrypted" and "FileVault is not configured", two JSS inventory states in which the key may be missing)

The Solution

You can use a policy to generate a new FileVault individual recovery key and upload it to the JSS.

  1. A configuration profile ensures that all FileVault keys are escrowed with the JSS.
  2. A smart group determines which computers lack valid individual recovery keys.
  3. Customize the reissue_filevault_recovery_key.sh for your environment.
  4. Create a policy that deploys the reissue_filevault_recovery_key.sh script to the computers in the smart group.

(Screenshots: the notification shown to the user, followed by the password prompt)

Step One: Configuration Profile

A configuration profile called “Redirect FileVault keys to JSS” does what the name says.

Step Two: Smart Group

A smart group named “FileVault encryption key is invalid or unknown” selects the affected Macs.

| And/Or | Criteria | Operator | Value |
|--------|----------|----------|-------|
| | FileVault 2 Individual Key Validation | is not | Valid |
| and | Last Check-in | less than x days ago | 30 |
| and | FileVault 2 Detailed Status* | is | FileVault 2 Encryption Complete |

<span style="font-size: 0.8em;">*From Rich Trouton’s FileVault status extension attribute: http://goo.gl/zB04LT</span>

Step Three: Script

The reissue_filevault_recovery_key.sh script runs on each affected Mac.

Here is the section of the script you'll want to customize:

(Screenshot: the customizable section of reissue_filevault_recovery_key.sh)

Step Four: Policy

A policy called “Reissue invalid or missing FileVault recovery key” runs the script on each Mac in the smart group.
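The four steps above come down to two decisions and one action: decide from `fdesetup status` whether encryption is complete, decide from the JSS validation result whether the key on file is usable, and if so ask `fdesetup` for a new personal recovery key so the configuration profile can escrow it. The following bash is an added example written for this page; it is not the project's reissue_filevault_recovery_key.sh and not Rich Trouton's extension attribute. The status strings other than "FileVault 2 Encryption Complete" are assumed labels for illustration, and the recovery-key format check is a local sanity check, not a substitute for the JSS validation itself. Only `reissue_personal_key` calls `fdesetup`, so it runs on macOS only; the other functions are plain bash.

```shell
#!/bin/bash
# Added example for the reissue workflow described on this page (not the
# project's own script). Helpers are split so the decision logic can be
# tested anywhere; only reissue_personal_key needs macOS and fdesetup.

# Map the text of `fdesetup status` (read from stdin) to a detailed status.
# "FileVault 2 Encryption Complete" is the value the smart group expects;
# the other strings are assumed labels, not the extension attribute's exact
# output. In-progress lines are checked first because `fdesetup status`
# prints "FileVault is On." on the first line even while encrypting.
fv_detailed_status() {
    local out
    out=$(cat)
    case "$out" in
        *"Encryption in progress"*) echo "FileVault 2 Encryption Proceeding" ;;
        *"Decryption in progress"*) echo "FileVault 2 Decryption Proceeding" ;;
        *"FileVault is On"*)        echo "FileVault 2 Encryption Complete" ;;
        *"FileVault is Off"*)       echo "FileVault 2 Encryption Not Enabled" ;;
        *)                          echo "Unknown" ;;
    esac
}

# A personal recovery key is 24 upper-case letters/digits in six
# dash-separated groups of four. A key that fails this check can never be
# validated by the JSS, so catching it locally saves a round trip.
recovery_key_well_formed() {
    [[ "$1" =~ ^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$ ]]
}

# The smart-group rule from Step Two: reissue only when encryption is
# complete AND the key on file is not "Valid". Reissuing on a Mac that is
# still encrypting (or not encrypted at all) would fail or prompt needlessly.
needs_reissue() {
    local status="$1" key_validation="$2"
    [ "$status" = "FileVault 2 Encryption Complete" ] && [ "$key_validation" != "Valid" ]
}

# macOS only. Reads the user's password from stdin (never from argv, which
# is visible in `ps`), passes it to fdesetup as a plist, and prints the new
# personal recovery key plist. Run `jamf recon` afterwards so the profile
# from Step One escrows the new key with the JSS.
reissue_personal_key() {
    local user="$1" password
    if [ "$(uname)" != "Darwin" ]; then
        echo "fdesetup is only available on macOS" >&2
        return 2
    fi
    IFS= read -rs password
    # Escape XML special characters so a password containing & < > does not
    # break the plist.
    password=$(printf '%s' "$password" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    /usr/bin/fdesetup changerecovery -personal -outputplist -inputplist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>${user}</string>
    <key>Password</key>
    <string>${password}</string>
</dict>
</plist>
EOF
}

# Stand-alone usage: decide, then act. Constructed `fdesetup status` text is
# used here so the decision logic runs without macOS.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    status=$(printf 'FileVault is On.\n' | fv_detailed_status)
    if needs_reissue "$status" "Not Valid"; then
        echo "Would reissue: status=$status"
    else
        echo "No reissue needed: status=$status"
    fi
fi
```

The password is deliberately read from standard input so that it never appears in the process list or in policy logs; in the real workflow it would arrive from the user prompt shown in the screenshots above. The new key printed by `fdesetup` should never be written to a log either, since after `jamf recon` the only copy that matters is the escrowed one in the JSS.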

Follow Through

Don’t forget to monitor the policy logs and test FileVault recovery with the newly escrowed key to verify success.

Compatibility

High Sierra (10.13) and Mojave (10.14)

This script appears to work with macOS High Sierra and Mojave, but there are a few known issues:

Catalina (10.15)

This script should work on macOS Catalina, but please open an issue if you notice any Catalina-specific bugs.

Thank you!


See the original presentation slides.