FileVault config and storing the key in JSS

dmitchell
Contributor

I have been tasked with enabling FileVault on our Macs. For some reason we didn't enable this to begin with, but now I need to do it, at least for new Macs going forward.

I created a config profile and tested on a Mac. It worked fine when I logged out the user account; however, it's not writing the key to JSS. I thought I may have screwed up, since I didn't use an institutional key.

So what is the proper way to setup FileVault to have it write the key to JSS?

We are running the latest JSS, and this will refer to 10.13 machines only.


mkolb
Contributor

Hi,

I think you won't be able to deactivate FileVault as long as it has not finished activating. So maybe it takes some time, depending on the size of the volume.

Regarding the reporting, the question is which version of the JSS you are using and which version of macOS is running on the client. There were some changes with macOS 10.13.

Greetings,
Marco

dmitchell
Contributor

Oh damn, I forgot that info. @mkolb latest JSS, 10.13 Macs. The Mac I tested on sat there for 15 hours or so; the drive was encrypted but no key was written to JSS. The deactivating issue was me not paying attention: I didn't unlock the preference pane to turn off FileVault. I am good now as far as deactivating goes.

mkolb
Contributor

No problem.

With 10.13 it can be a little confusing, as the "FileVault Recovery Key Redirection" payload in the configuration profile DOES NOT WORK!

Instead you have to use the Security & Privacy payload. At "File Vault" you can find an option called "Enable Escrow Personal Recovery Key". This is what you need. Enter the URL of the JSS and it should work.

Hope this helps with the reporting issue!

dmitchell
Contributor

@mkolb

Where do I put the jss url? Those fields are just descriptions aren't they?

Also do you know what happens with machines where FileVault is already enabled? Can the JSS grab the key or is there a way to pull the info?

mkolb
Contributor

You enter the JSS URL in the "Escrow Location Description" field. And yes, it should also work to get the key if FileVault is already enabled.

dmitchell
Contributor

Actually, I see the key stored in the management tab now. That was strange. I guess I did have it set up right, but I still don't see a place to add the JSS URL.

dmitchell
Contributor

@mkolb Thanks! I should be good now.

mkolb
Contributor

Okay .. my bad. Should have read the tiny text more carefully :P

OF COURSE it will get stored inside the JSS the configuration profile got pushed from.

What you enter in this field is just the text that gets shown to the user when FileVault gets enabled. Something like "Your trusty IT Department", and then the user would get a message like "Your FileVault recovery key will be stored at Your trusty IT Department".

So yes... it should work to report no matter what you enter there. Sorry for the misunderstanding!

scottb
Honored Contributor

You may need to run a recon to get the keys. I've found that to be the case after the Profile/Policy has been deployed.
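Added example, not from the thread, from Jamf or from Apple: a small POSIX sh check that classifies `fdesetup status` output, looks for an escrow payload among the installed profiles, and says whether a recon is the sensible next step. It assumes that Jamf's "Enable Escrow Personal Recovery Key" option installs a `com.apple.security.FDERecoveryKeyEscrow` payload and that `profiles -C -o stdout-xml` lists computer-level profiles; the sample status text is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Checks FileVault state and escrow
# payload presence on a 10.13 Mac, then suggests the next step.
# Assumptions: the Security & Privacy escrow option installs a
# com.apple.security.FDERecoveryKeyEscrow payload (the old 10.12
# "Redirection" payload is a different type), and
# `profiles -C -o stdout-xml` prints computer-level profiles as a plist.

# Classify `fdesetup status` text read from stdin:
# on | off | encrypting | decrypting | unknown
fv_state() {
  status=$(cat)
  case "$status" in
    *"Encryption in progress"*) echo encrypting ;;
    *"Decryption in progress"*) echo decrypting ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# Exit 0 if the profile plist on stdin contains the escrow payload type.
has_escrow_payload() {
  grep -q 'com.apple.security.FDERecoveryKeyEscrow'
}

# Map (state, escrow|noescrow) to an admin action; pure, so it is testable.
next_action() {
  case "$1:$2" in
    off:noescrow) echo "fix profile scope/payload, then enable FileVault" ;;
    off:escrow)   echo "enable FileVault (prompt appears at next login)" ;;
    encrypting:*) echo "wait for encryption to finish, then recon" ;;
    on:noescrow)  echo "escrow payload missing: check scope and payload" ;;
    on:escrow)    echo "run: sudo jamf recon" ;;
    *)            echo "inspect manually" ;;
  esac
}

# Constructed sample (not captured from a real Mac) so this runs offline.
SAMPLE_STATUS='FileVault is On.
Encryption in progress: Percent completed = 42'

if command -v fdesetup >/dev/null 2>&1; then
  state=$(fdesetup status | fv_state)                      # live macOS check
  if profiles -C -o stdout-xml 2>/dev/null | has_escrow_payload; then e=escrow; else e=noescrow; fi
else
  state=$(printf '%s\n' "$SAMPLE_STATUS" | fv_state); e=noescrow   # offline demo
fi
echo "FileVault: $state, escrow payload: $e -> $(next_action "$state" "$e")"
```

On a real 10.13 Mac the offline branch is skipped and the live `fdesetup` and `profiles` output is classified instead.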

phredman
New Contributor III

You ever create the config profile and test and test and get nowhere, then realize you forgot to add the scope? Asking for a friend.