Escrow Buddy: An open-source tool for remediation of missing FileVault keys in MDM

Contributor III


Hello Jamf Nation! I'm happy to announce a new open-source tool from Netflix called Escrow Buddy focused on helping IT/security administrators ensure all their Macs have a valid FileVault key escrowed to MDM.

Check out the announcement on the Netflix Tech Blog, and see the GitHub repo for documentation and the latest release.

I hope many people will find Escrow Buddy useful!


Esteemed Contributor II

@elliotjordan Thank You! Your timing is most excellent as I just started looking at the options to move FileVault control into Jamf Pro last week, and I wasn't happy with either of the options I'd found (your Less than ideal solutions).


We finally got around to deploying this. It works well! This is our setup:


1. Create a smart group that includes computers with an encrypted volume, with an unknown key

2. Scope a policy that runs once or once per month, that installs Escrow Buddy with Installomator (we use that for many other pieces of software, so that was easiest). The same policy also sets the config on the computer telling escrowbuddy that a rekey is needed.

With this simple config we see that problematic computers are moved into the group for fixing, and once they're fixed, they are unscoped.

Only minor issue that remains is that EscrowBuddy is still installed even though it's no longer needed. A suggestion for a minor improvement would be for EscrowBuddy to automatically uninstall after the work has been carried out, or at least make that configurable. Who knows what issues might arise if EscrowBuddy is installed for many months and many major/minor macOS versions to come? :)