Posted on 12-08-2015 08:28 AM
Hello,
I have a few MBAs and MBPs in my JSS with encryption enabled. However it looks like FileVault is
only encrypting the Boot Partition and not the Recovery Partition. Therefore, I cannot grab the recovery key from the Management tab. Any ideas why this is happening or how I can fix it?
Thanks in advance!
Posted on 12-08-2015 08:31 AM
FileVault never encrypts the Recovery HD, only the main partition. if it did, you wouldn't be able to Command+R boot into it in the event of an issue with the Mac. If you aren't seeing the Recovery keys being escrowed, there are likely other causes. Some of these might be:
Your Disk Encryption configuration isn't set up correctly
Your Macs are not submitting inventory at the end of the encryption policy (after they reboot)
BTW, I know it sounds misleading to call FileVault "full disk encryption" when one of the required partitions to even use it remains unencrypted, but that's how it works.
Posted on 12-08-2015 09:21 AM
Thanks for that information. It really cleared up a lot. So I guess the next question is what is the issue with my Disk Encryption Configuration or why aren't my machine submitting inventory at the end. I'll look into that and post my findings.
Thanks!
Posted on 12-08-2015 09:42 AM
Ok, so here's the thing. You may have an inventory collection happening at the end of your disk encryption configuration push, but its not occurring at the right time most likely. If you've got it set up so the user enters their password at logout to enable encryption, the Mac reboots right after, so there's no way a policy will be able to collect inventory before the reboot. What you need to do is target those Macs with an inventory collection at reboot or at login, or something like that. This can get a little complicated, especially when talking about Macs that may not be hardwired into an Ethernet jack. They may not have network connectivity by the time the inventory collection tries to run.
We got around this with a package install that rode along with the encryption policy that would install a LaunchDaemon that ran a script. The script would check for the network, and if not available, would exit until next run. A StartInterval key in the LaunchDaemon runs it every 5 minutes. Once it has a valid network connection and can see the JSS, it collects inventory, then disables itself so it won't keep running. The Recovery Key to my knowledge, gets stored in a plist file locally on the Mac as part of the disk encryption config. The next inventory collection sees that and scoops it up into the db, then removes the plist from disk. At that point, the Recovery key should show up in your JSS. This is all assuming there isn't anything wrong with your original Disk Encryption config.