FileVault 2 Report question

roiegat
Contributor III

We currently run 8.73. We use the individual FileVault key method and it's been working fine. Recently I've noticed that some of our machines are reporting that the hard drives are encrypted, but the FileVault recovery key isn't available in Casper. We ran into an issue with our e-discovery group when this happened, so we're looking to remediate this in the future.

What I'd like to do is run a report to see machines that are encrypted but don't have a FileVault recovery key. It seems like I can't do it in the current 8.73 system. We're currently testing 9.4 at this time, but I'd like to see if others are having the same issue and what they've done to try to remediate it.


NowAllTheTime
Contributor III

We're on 9.3 and I'm not sure if 8.73 has the nested group functionality that we use for this, so I apologize for my lack of knowledge on whether or not this is possible in 8.73.

We accomplished this reporting by nesting our FileVault Encrypted smart group in another smart group that has the criteria FileVault 2 Individual Key Validation with operator "is" and value "Unknown". Then we have a policy scoped to this group that issues a new individual recovery key. The Macs that successfully run this policy fall out of the Smart Group and don't run the policy again unless they somehow lose their recovery key, in which case they go back into the group and re-run the policy.

If you don't have group nesting, you could probably just include the FileVault 2 Encryption Status criteria instead of the Computer Group/member of criteria/operator.

nkalister
Valued Contributor

jasonaswell - that's for 10.9 and higher only, correct? I didn't think the JSS could validate individual keys on 10.8 or lower . . .

rtrouton
Release Candidate Programs Tester

For 10.8 Macs, Casper won't be able to validate the recovery key. Casper uses fdesetup for its FileVault 2 management, and fdesetup's validaterecovery function did not appear until 10.9.x.
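As an added illustration of the version caveat in the reply above (this is example code, not something posted in the thread or shipped by JAMF), the script below validates an individual recovery key with `fdesetup validaterecovery -inputplist` on 10.9 and later, and reports "Unknown" rather than guessing on 10.8, where the subcommand does not exist. It assumes it is run as root on the Mac being checked, that the key is handed in as an argument (a hypothetical placeholder in the usage comment), and that the JSS's own "Unknown" validation state is the right thing to mirror when no answer is possible.

```shell
#!/bin/sh
# Added example: check whether an individual FileVault 2 recovery key still
# unlocks this Mac. fdesetup validaterecovery only exists on 10.9+, so on 10.8
# the answer is "Unknown" (the same state the JSS reports) rather than a guess.

# Return success when the OS X version string is 10.9 or later.
supports_validaterecovery() {
    version="$1"
    major="${version%%.*}"
    minor="${version#*.}"
    minor="${minor%%.*}"
    [ "$major" -gt 10 ] 2>/dev/null && return 0
    [ "$major" -eq 10 ] && [ "$minor" -ge 9 ]
}

# Build the property list that fdesetup validaterecovery -inputplist reads on
# stdin; the recovery key goes under the "Password" key.
recovery_plist() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n<key>Password</key>\n<string>%s</string>\n</dict>\n</plist>\n' "$1"
}

# Print Valid, Invalid or Unknown for the given key. Needs root on the Mac.
validate_recovery_key() {
    key="$1"
    os_version="$(sw_vers -productVersion 2>/dev/null || echo 0.0)"
    if ! supports_validaterecovery "$os_version"; then
        echo "Unknown"        # 10.8 or earlier (or not a Mac): cannot validate
        return 0
    fi
    # fdesetup prints "true" or "false"; anything else (not root, disk not
    # encrypted) is treated as Unknown so it lands in the remediation group.
    result="$(recovery_plist "$key" | fdesetup validaterecovery -inputplist 2>/dev/null || true)"
    case "$result" in
        true)  echo "Valid" ;;
        false) echo "Invalid" ;;
        *)     echo "Unknown" ;;
    esac
}

# Usage (the key below is a placeholder; read the real one from a secure
# source rather than hard-coding it in a policy script):
# validate_recovery_key "XXXX-XXXX-XXXX-XXXX-XXXX-XXXX"
```

Feeding the key through a plist on stdin keeps it out of the process argument list, where `ps` would expose it; the three-state result maps directly onto the Valid/Invalid/Unknown values the smart group criteria in the earlier reply key on.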

nkalister
Valued Contributor

That's what I thought, thanks for confirming, Rich!

roiegat
Contributor III

I'm not sure the validation would work for us since most of our users (80%) are still on 10.8. We are planning on moving them to 10.9 or 10.10 later this year, but we are still waiting for some components to get updates (*cough* McAfee and WebEx).

My other thought was to use SQL to run this. I have navicat and have looked at the table that stores the FV recovery keys, but without the data flow diagram I can't seem to link it to a machine.

So in short, there is no report I can run (no matter what Casper version) that will list the machine name and its recovery key?

As for a backup plan, would it be smart to implement an individual and institutional key system? Would we be able to unlock the hard drive with the institutional key, or will both keys be needed?

nkalister
Valued Contributor

The institutional key would be able to unlock the disk without needing the individual key . . . the only problem is that one key is able to unlock the disks on ALL your Macs, and your security people might not be OK with that. Also, the institutional key is a little more difficult to use for unlocking a disk than the individual key, since it requires running commands in Terminal, but that's not tough, really. And you can always write a script to handle that if you don't trust your techs in Terminal.
We do use both the individual and institutional keys in my organization.
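The Terminal procedure the reply above alludes to, scripted as an added example (this is not code from the thread, from rtrouton's post or from JAMF): find the locked CoreStorage logical volume in `diskutil cs list` output and unlock it with `diskutil cs unlockVolume ... -recoveryKeychain`. It assumes the Mac is booted into Recovery HD or attached in target disk mode so the volume shows as Locked, and that the keychain path handed in (a placeholder) points at the copy of FileVaultMaster.keychain that still contains the private key; the copy deployed to clients holds only the public certificate and cannot unlock anything. The `diskutil cs list` text embedded below is constructed sample output used to exercise the parser, not a capture from a real machine.

```shell
#!/bin/sh
# Added example: unlock a FileVault 2 volume with the institutional recovery
# keychain instead of the individual key.

# Constructed sample of `diskutil cs list` output (not captured from a Mac),
# used here so the UUID parser can be exercised without a locked volume.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-> Logical Volume Family 66666666-7777-8888-9999-AAAAAAAAAAAA
        ----------------------------------------------------------
        Encryption Status:       Locked
        |
        +-> Logical Volume BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF
            ---------------------------------------------------
            Disk:                  disk2
            Status:                Locked
            LV Name:               Macintosh HD'

# Read `diskutil cs list` text on stdin and print the UUID of the first
# Logical Volume whose Status is Locked. Group and Family headers also contain
# the words "Logical Volume", so they are skipped explicitly; the Family's
# "Encryption Status:" line does not match because its first field differs.
locked_lv_uuid() {
    awk '
        /Logical Volume Group/ || /Logical Volume Family/ { next }
        /-> Logical Volume [0-9A-F-]+/ { uuid = $NF; next }
        $1 == "Status:" && $2 == "Locked" && uuid != "" { print uuid; exit }
    '
}

# Unlock the locked volume with the institutional keychain. diskutil prompts
# for the keychain password; the private key stays inside the keychain file.
# The default path is a placeholder for wherever the admin copy is mounted.
unlock_with_institutional_key() {
    keychain="${1:-/Volumes/Admin/FileVaultMaster.keychain}"
    uuid="$(diskutil cs list | locked_lv_uuid)"
    if [ -z "$uuid" ]; then
        echo "No locked CoreStorage logical volume found" >&2
        return 1
    fi
    diskutil cs unlockVolume "$uuid" -recoveryKeychain "$keychain"
}

# Usage from Recovery HD or a Mac attached in target disk mode:
# unlock_with_institutional_key "/Volumes/Admin/FileVaultMaster.keychain"
```

Because one institutional keychain unlocks every Mac it was deployed to, keep the private-key copy off the client image entirely and treat its password with the same care as a domain admin credential; the script deliberately takes the keychain path as an argument so the key never has to live on the machine being unlocked.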

roiegat
Contributor III

Well I think it might be the way to go since we've had several issues with E-discovery now not being able to decrypt a machine to run their software on.

From the user experience side, will they still only see their username and password screen, or is there another password screen they'll have to go through?

As for the terminal part, no biggie since I don't want anyone unlocking machines without knowledge of how to do it.

Seems like I need to write a good business case for this and test it.

rtrouton
Release Candidate Programs Tester

To go along with the discussion of using FileVault 2 institutional recovery keys, I recently wrote a post on their creation, deployment and use.

http://derflounder.wordpress.com/2014/08/13/filevault-2-institutional-recovery-keys-creation-deploym...

roiegat
Contributor III

rtrouton,

That article was great! I used it to create a key I'll use for testing. I did have a question though. In the article it mentions deploying the keychain to /library/keychain, but that the encryption process still needs to be kicked off from the Security menu. Is there a way, using Casper of course, to kick that off automatically? Ideally, I would like it to deploy when a user first logs in with their AD account, install the keychain and start the encryption.

rtrouton
Release Candidate Programs Tester

@roiegat,

I'd encourage you to check out the Administering FileVault 2 with the Casper Suite documentation that JAMF has posted. It should give you an idea of what's possible when using Casper to manage FileVault 2 encryption:

http://www.jamfsoftware.com/resources/administering-filevault-2-with-the-casper-suite/

NowAllTheTime
Contributor III

@nkalister I thought I saw that JAMF put some of the newer FileVault tools that came along with Mavericks into 8.73 for those that were not going to 9.x, but now that I'm going over the FileVault documentation again, on the page that @rtrouton linked to, I can see that is not the case. I apologize for the confusion.