FileVault 2 Pre-Encrypted Migrated Macs

ETS-FSE
New Contributor II

We’re migrating Macs from our old JSS to a new JSS. The Macs in the old JSS are encrypted via FileVault 2. There are preexisting Macs in the new JSS that are also encrypted.

Since the FileVault 2 policy in the new environment is set for all computers and users with an ongoing frequency, what is the best way to generate new keys for the migrating Macs (keys are redirected to the JSS via top-level policy)?

I do see policy for ‘Disk Encryption - Issue New Recovery Key’, but doubt that this policy should also run alongside the FileVault 2 policy.

I think a Smart Computer Group might help, but its criteria are elusive.

Does anyone have any advice? It’s appreciated!


gachowski
Valued Contributor II

No easy answer... but this might help you get started...

https://github.com/homebysix/jss-filevault-reissue

maiksanftenberg
Contributor II

We do have a Smart Group that looks for invalid Recovery Keys.
All of the machines that are part of this Smart Group receive a Policy that runs the following script:
https://www.jamf.com/jamf-nation/discussions/14280/filevault-2-reissue-key-script

The Smart Group itself looks like this
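For readers following this workflow, here is an added example of the reissue step that such a policy would run on each member of the Smart Group. It is not maiksanftenberg's linked script, nor the jss-filevault-reissue project; it assumes the Jamf policy runs as root, that the Smart Group already scopes on recovery-key validity, and that the JSS is configured to escrow keys (via policy redirection or, on 10.13 and later, the escrow configuration profile mentioned further down the thread). The `fdesetup` output fed to the helper functions in the test is constructed; on a real Mac it comes from `fdesetup status` and `fdesetup list`.

```shell
#!/bin/bash
# Added example for this thread (not the jss-filevault-reissue script, nor the
# Jamf Nation script linked above). Steps: confirm FileVault is on and the
# console user is FileVault-enabled, ask that user for their password in their
# own session, reissue the personal recovery key with fdesetup, then trigger an
# inventory update so the JSS can escrow the new key.

# 0 when `fdesetup status` output ($1) reports FileVault as On.
fv_enabled() {
  printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# 0 when user $2 appears in `fdesetup list` output ($1), one "user,UUID" per line.
fv_user_enabled() {
  printf '%s\n' "$1" | cut -d, -f1 | grep -qxF "$2"
}

# Escape the XML special characters so an arbitrary password survives inside a plist.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# The plist that `fdesetup changerecovery -personal -inputplist` reads on stdin.
auth_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>$(xml_escape "$1")</string>
  <key>Password</key>
  <string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

# Ask the console user ($1) for their password inside their own login session,
# since the policy itself runs as root.
prompt_password() {
  local uid
  uid=$(id -u "$1")
  launchctl asuser "$uid" /usr/bin/osascript -e \
    'text returned of (display dialog "Enter your Mac password to refresh the FileVault recovery key." default answer "" with hidden answer buttons {"OK"} default button 1)'
}

# Reissue the key for user $1 with password $2. Credentials travel over stdin,
# never argv, so they are not visible in `ps`. fdesetup prints the NEW key on
# stdout; it is discarded here so it never ends up in the Jamf policy log.
reissue_key() {
  auth_plist "$1" "$2" | fdesetup changerecovery -personal -inputplist >/dev/null
}

main() {
  local user pass
  fv_enabled "$(fdesetup status)" || { echo "FileVault is not on; nothing to reissue" >&2; exit 0; }
  user=$(stat -f%Su /dev/console)
  fv_user_enabled "$(fdesetup list)" "$user" \
    || { echo "$user is not a FileVault-enabled user" >&2; exit 1; }
  pass=$(prompt_password "$user") || exit 1
  if reissue_key "$user" "$pass"; then
    unset pass
    # Inventory update: the key reaches the JSS through whichever escrow route the
    # server is set up for (policy redirection, or the 10.13+ escrow profile).
    [ -x /usr/local/bin/jamf ] && /usr/local/bin/jamf recon >/dev/null
    echo "Recovery key reissued for $user"
  else
    echo "fdesetup rejected the credentials for $user; key unchanged" >&2
    exit 1
  fi
}

# Run the workflow only where fdesetup exists (macOS); the helpers can be sourced anywhere.
if command -v fdesetup >/dev/null 2>&1; then
  main "$@"
fi
```

Two points worth keeping when adapting this: the new key is written to stdout by `fdesetup`, so discarding it is what keeps the only copy in the JSS escrow rather than in policy logs, and the user is matched against `fdesetup list` before prompting, because a console user who is not FileVault-enabled cannot change the key no matter how many times they are asked.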

rich_thomas
New Contributor III

Word of warning - if any of your Macs are on High Sierra, the escrow is now broken. That method in the GitHub post currently doesn't work. We have it rolled out across our organisation but it just won't submit the key into the JSS on any machine on 10.13.

emilh
New Contributor III

@rich.thomas Works for me. You just have to make sure to have a separate configuration profile in place for your 10.13 machines.
See this thread: https://www.jamf.com/jamf-nation/discussions/25558/macos-10-13-high-sierra-and-filevault-recovery-ke...

rich_thomas
New Contributor III

@emilh - that wasn't working for me up until this morning, now it does! Mystery. Thanks for the info though.

elliotjordan
Contributor III

Hi all! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!