You may want to make a feature request for API access to the event logs (if it's not already there) and possibly to add FV2 key access to those logs (again, if it's not already there). If you can get at it from the API, you may be able to script a way to detect a change in the last time the key was accessed, and trigger a policy with the "Issue New Recovery Key" payload.

Or just make a feature request for the whole thing you said above. :)

I think its really an Apple issue and the base security required of any FDE system. There is really not easy to change Individual FDE.

C

The JSS most certainly does audit who accesses a FileVault recovery key. Contact JAMF Support for more information.

@gachowski Issuing a new Recovery key is not hard at all. Its a built in function now and is part of the JSS Disk Encryption payload in a policy.

The trouble is actually knowing which Macs this would get scoped to. Right now I don't believe there is any way for the JSS to know that someone viewed the Recovery key, and to put that Mac into a Smart Group so the above action can run on it.

I think this would need to be made into a Feature Request since I don't think its possible to do this today, even with API scripting. The keys themselves are not accessible via the API, and I don't know if there's a way to see that a key was viewed in the JSS.

Hi All,

Thanks for the responses. My skills aren't strong enough with API to mess with that yet so I'll drop a note to the JAMF team to see what they say. As you suggested, it might have to be a feature request more than anything.

I've definitely got the policy working for key re-direction though, where a smart group checks for "keys not known to the JSS".

I'll mark the thread as solved as its not an-built feature as of today.

Cheers again,
Vinny

Hi,

I noticed this discussion while trying to figure out myself how to automatically generate a new FileVault 2 key after it has been used.

There is an easy way to create an extended attribute that tells the status of the recovery key for any user.
This simple scrip will return the following values:
- Nokey: The Mac does not have a recovery key
- OK: The Mac has a recovery key
- USED: The Mac has a recovery key and is being used

#!/bin/bash

HAS="$(fdesetup haspersonalrecoverykey)"
USE="$(fdesetup usingrecoverykey)"

if [ "$HAS" == "true" ];
then
# echo "Has recovery key"
if [ "$USE" == "true" ];
then
# echo "Status: Recover key is used "
RESULT="USED"
else
# echo "Status: recover key not in use"
RESULT="OK"
fi
else
# echo "Does not have recovery key"
RESULT="Nokey"
fi

echo "<result>$RESULT</result>"

Please notice that value USED will remain like that as long as the user is logged in using the Recovery Key, but as soon as the user resets his password, logs out and then in using the new password, the value will revert back to OK.

Cheers,
Carlos