Skip to main content
Question

Site user access to FileVault2 Keys.

  • March 31, 2014
  • 8 replies
  • 9 views
C
Forum|alt.badge.img+10

Hello all.

I am trying to setup an architecture that would allow site admins to be able to see the FileVault2 keys for their sites. However, even though I assign the correct permissions for the users and they see the button to view the keys, the keys never show.

I have contacted JAMF about this and they say that you must make the user a 'Full JSS' user in order for them to see the encryption keys. This works against what I am trying to do, it would require me to make all local IT a full users, but then I would not be able to give them 'admin' over their machines since they would then also have admin permissions on other department's machines.

JAMF says it was planned this way, but I call it a bug. Has anyone else ran into this? If you would like this fixed, vote up my feature request.

https://jamfnation.jamfsoftware.com/featureRequest.html?id=2046

    8 replies

    Brad_G
    Forum|alt.badge.img+16
    • Brad_G
    • Valued Contributor
    • March 31, 2014

    Yes I would call this less than ideal myself. This is an issue with Disk Encryption, Extension Attributes, and a few other things we'd like site admins to be able to do.

    For now our workaround (We use LDAP groups as we're an Active Directory shop) is to create a security group that is a Full JSS member with Custom access. We then set the Disk Encryption and other access settings we want them to have. So their IDs fall into multiple security groups. The users will have to switch between their sight and Full JSS mode to access them. Kind of a kludge but it gets admins what they need until it's more polished.

    I'm off to vote up your request.....

    C
    Forum|alt.badge.img+10
    • ctangora
    • Author
    • Contributor
    • March 31, 2014

    Thanks Brad,

    Quick question. I can't seem to duplicate your results. Testing with a local account I have made two groups, one as an admin to a site (full access to site), and one that allows only access to update & read computers, as well as the action of getting the file vault keys.

    This does not give us the ability to see file vault keys in the JSS either under the "Full JSS".

    Chris

    Brad_G
    Forum|alt.badge.img+16
    • Brad_G
    • Valued Contributor
    • March 31, 2014

    To be honest I haven't worked with FV to answer the question of what you're looking for. But from my limited testing it appears that my userID as a site admin and custom privileges as Full JSS shows me the same options and capabilities as the Full JSS Admin does.

    C
    Forum|alt.badge.img+10
    • ctangora
    • Author
    • Contributor
    • March 31, 2014

    So I was able to find this out. In order to see the FileVault2 Encryption keys you need these permissions / settings..

    JSS Objects… -- Computers – Read & Update -- Disk Encryption Configurations - Read Only
    JSS Actions… -- View Disk Encryption Recover Key – Check

    I have a question into JAMF as to why we need to turn on the Disk Encryption Configurations in order to see the keys. But at least to get a group that can only do this to every machine in the JSS there, are the settings. I'll have to do further testing with other groups to see if I can do what you are doing (modular permissions approach).

    I would still like to be able to have a site admin see the encryption keys, but that seems more unlikely the further this day goes along.

    A
    Forum|alt.badge.img+5
    • axnessj
    • Contributor
    • March 31, 2014

    ctangota,

    I think we did the same thing as you. We created a "FV Read-only" account so that we can provide it to our techs and they can use that account to obtain the encryption key.

    In the account we gave Read permissions to:
    JSS Objects..
    -Advanced Computer Searches (we created a search for FV enabled computers to make an easy way for them to narrow down the results/find the machine)
    -Computers (Read & Update)
    -Disk Encryption Configurations
    JSS Actions..
    -View Disk Encryption Recovery Key

    spalmer
    Forum|alt.badge.img+23
    • spalmer
    • Valued Contributor
    • April 5, 2014

    I would push JAMF support to file this as a bug, and I will likely be filing my own, because why would they make a permission available at the Site level and make the "Get Recovery Keys" button viewable to Site admins/users but not let them actually use it. Not to mention the workaround to this totally breaks one of the reasons we have Sites, which is to allow Site admins to only see computer objects in their own Sites.

    At the university level we are starting to create recommendations for users to encrypt their drives based on data classifications. Our University is large enough that we have many distinct IT departments with their own Sites so we had planned on having each Site create their own institutional recovery keys to use for their computers. In light of this it looks like this may be pointless since we will all have the ability to see each other's recovery keys.

    C
    Forum|alt.badge.img+10
    • ctangora
    • Author
    • Contributor
    • April 7, 2014

    JAMF is currently looking into removing the option for site admins to see the "Get Recovery Key" buttons and removing them from the permissions in the JSS.

    As far as fixing it, I think we need to vote up the feature request and get on the horn with your JAMF rep so they know that this is effecting multiple people.

    A
    Forum|alt.badge.img+6
    • analog_kid
    • New Contributor
    • September 3, 2014

    As of Casper 9.32 (at least, maybe earlier as well), I found the following permissions were needed to grant access to Recovery Keys. The permissions at the beginning of the thread no longer worked for me.

    Access Level: Full Access
    Privilege Set: Custom
    JSS Objects ---> Computers (read), Disk Encryption Configurations (read), Disk Encryption Institutional Configurations (read)
    JSS Actions ---> View Disk Encryption Recovery Key (checked)

    Terms & ConditionsCookie settingsAccessibility statement