Posted on 10-24-2017 09:58 AM
We’re migrating Macs from our old JSS to a new JSS. The Macs in the old JSS are encrypted via FileVault 2. There are preexisting Macs in the new JSS that are also encrypted.
Since the FileVault 2 policy in the new environment is set for all computers and users with an ongoing frequency, what is the best way to generate new keys for the migrating Macs (keys are redirected to the JSS via top-level policy)?
I do see policy for ‘Disk Encryption - Issue New Recovery Key’, but doubt that this policy should also run alongside the FileVault 2 policy.
I think a Smart Computer Group might help, but its criteria are elusive.
Does anyone have any advice? It’s appreciated!
Posted on 10-24-2017 11:07 AM
No easy answer... but this might help you get started...
https://github.com/homebysix/jss-filevault-reissue
Posted on 10-24-2017 11:07 AM
We do have a Smart Group that looks for invalid Recovery Keys.
All of the machines that are part of this Smart Group receive a Policy that runs the following script:
https://www.jamf.com/jamf-nation/discussions/14280/filevault-2-reissue-key-script
The Smart Group itself looks like this
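For readers who want to see the mechanics behind a reissue policy like the one above, here is an added example (not the linked Jamf Nation script and not Jamf's code) that regenerates a personal FileVault 2 recovery key with `fdesetup` so the escrow configuration profile can redirect the new key to the JSS. It assumes macOS's `fdesetup` and the `jamf` binary are present and that the caller supplies a FileVault-enabled user's name and password; the plist is built in memory and XML-escaped so a password containing `&` or `<` does not break the input.

```bash
#!/bin/bash
# Added example: reissue a personal FileVault 2 recovery key so the
# escrow profile can redirect the new key to the JSS. Not the script
# linked above; assumes 'fdesetup' and 'jamf' exist on the Mac and
# that the caller supplies a FileVault-enabled user's credentials.

# Escape the characters that are special in XML text so a password such
# as 'p&ss<word' produces a well-formed plist instead of a parse error.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist fdesetup expects on stdin. It is generated in memory and
# piped, so the password is never written to disk or passed as an argument.
build_input_plist() {
  local user pass
  user="$(xml_escape "$1")"
  pass="$(xml_escape "$2")"
  printf '%s\n' \
    '<?xml version="1.0" encoding="UTF-8"?>' \
    '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
    '<plist version="1.0"><dict>' \
    "  <key>Username</key><string>${user}</string>" \
    "  <key>Password</key><string>${pass}</string>" \
    '</dict></plist>'
}

# A key can only be reissued while FileVault is fully enabled.
filevault_is_on() {
  [ "$(fdesetup status 2>/dev/null | head -n 1)" = "FileVault is On." ]
}

# Rotate the personal recovery key. fdesetup prints the new key on stdout;
# it is discarded here because the escrow profile sends it to the JSS.
# 'jamf recon' then refreshes inventory so the key validation status updates.
reissue_recovery_key() {
  local user="$1" pass="$2"
  filevault_is_on || { echo "FileVault is not On; nothing to reissue" >&2; return 2; }
  if build_input_plist "$user" "$pass" | fdesetup changerecovery -personal -inputplist >/dev/null; then
    jamf recon
  else
    echo "changerecovery failed (wrong password or user not FileVault-enabled?)" >&2
    return 1
  fi
}

# Usage, run as root on the Mac: ./reissue.sh --reissue <username>
if [ "${1:-}" = "--reissue" ]; then
  read -r -s -p "FileVault password for $2: " pw; echo
  reissue_recovery_key "$2" "$pw"
fi
```

Whether the escrowed key actually reaches the JSS still depends on the configuration profile being correct for the OS version, which is exactly the High Sierra problem raised later in this thread.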
Posted on 10-25-2017 12:20 AM
Word of warning - if any of your Macs are on High Sierra, the escrow is now broken. That method in the GitHub post currently doesn't work. We have it rolled out across our organisation but it just won't submit the key into the JSS on any machine on 10.13.
Posted on 10-25-2017 01:49 AM
@rich.thomas
Works for me. You just have to make sure to have a separate configuration profile in place for your 10.13 machines.
See this thread: https://www.jamf.com/jamf-nation/discussions/25558/macos-10-13-high-sierra-and-filevault-recovery-ke...
Posted on 10-25-2017 07:04 AM
@emilh - that wasn't working for me up until this morning, now it does! Mystery. Thanks for the info though.
Posted on 06-15-2023 05:00 PM
Hi all! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.
My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.
You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.
Thanks!