Posted on 03-30-2016 08:19 AM
Is anyone using the "specified URL" option for Recovery Keys? If so, what method are you using?
We are trying to determine the best way to store keys outside of the JSS. We don't want all of the HelpDesk techs to be able to download a .txt file with the Recovery Key included.
Posted on 03-30-2016 09:46 AM
I think most people use that to redirect the Recovery key to their JSS. That's what we use it for. One purpose of the key redirection functionality is to ensure that if a user manually enables FileVault 2 on their Mac by going into System Preferences > Security & Privacy > FileVault, Casper will still get the Recovery key escrowed to it. There's no more sinking feeling than finding out that someone who forgot their FV2 login password doesn't have a Recovery key escrowed for their Mac. If that account is the only one that can unlock the Mac at boot time, all data on the device is lost, since there's literally no other way in (well, assuming you don't have an Institutional Master recovery keychain).
EDIT: I do realize that you specifically are looking to redirect to some external URL. I'm just not sure what would be best in this case. I assume the keys are not in any encrypted format, which, as you mentioned, seems like a security concern. I wonder if anyone is using some kind of database to redirect them to that has granular field permissions options.
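For readers wondering what the "specified URL" option actually hands the Mac: macOS implements recovery-key redirection through the com.apple.security.FDERecoveryRedirect configuration-profile payload, whose RedirectURL must be an https:// endpoint. The following is an added example, not code from the thread or from Jamf, that builds such a profile with Python's standard plistlib and also parses one back so you can audit where deployed profiles send keys. It assumes, from Apple's Configuration Profile Reference, that the payload's optional EncryptCertPayloadUUID key points at a com.apple.security.pkcs1 certificate payload used to encrypt the key before it leaves the Mac (which addresses the "keys are not in any encrypted format" worry above); verify that against the reference for your OS version. Caveat: Apple deprecated FDERecoveryRedirect in macOS 10.13 in favour of MDM escrow, so treat this as documentation of the 2016-era mechanism. The organization, identifier and URL values are placeholders.

```python
"""Build and audit a FileVault 2 recovery-key redirect profile.

Added example; not Jamf's implementation. Payload keys follow Apple's
Configuration Profile Reference for com.apple.security.FDERecoveryRedirect
(deprecated in macOS 10.13). EncryptCertPayloadUUID handling is an
assumption taken from that reference; confirm it before relying on it.
"""
import plistlib
import uuid
from urllib.parse import urlparse

REDIRECT_PAYLOAD_TYPE = "com.apple.security.FDERecoveryRedirect"
CERT_PAYLOAD_TYPE = "com.apple.security.pkcs1"  # DER-encoded certificate payload


def _new_uuid():
    return str(uuid.uuid4()).upper()


def build_redirect_profile(redirect_url,
                           org="Example Corp",                      # placeholder
                           identifier="com.example.fv2redirect",    # placeholder
                           encrypt_cert_der=None):
    """Return the .mobileconfig bytes for a redirect profile.

    redirect_url      -- where the Mac should post the recovery key (https only).
    encrypt_cert_der  -- optional DER certificate; when given, the key is
                         encrypted to this cert before it leaves the Mac.
    """
    parsed = urlparse(redirect_url)
    # macOS rejects non-HTTPS targets; fail early rather than ship a broken profile.
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("RedirectURL must be an https:// URL with a host")

    payloads = []
    redirect = {
        "PayloadType": REDIRECT_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".redirect",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "FileVault Recovery Key Redirect",
        "RedirectURL": redirect_url,
    }
    if encrypt_cert_der is not None:
        cert_uuid = _new_uuid()
        payloads.append({
            "PayloadType": CERT_PAYLOAD_TYPE,
            "PayloadVersion": 1,
            "PayloadIdentifier": identifier + ".escrowcert",
            "PayloadUUID": cert_uuid,
            "PayloadDisplayName": "Recovery key escrow encryption certificate",
            "PayloadContent": encrypt_cert_der,  # bytes serialise as <data>
        })
        # Assumption: this key ties the redirect payload to the cert payload.
        redirect["EncryptCertPayloadUUID"] = cert_uuid
    payloads.append(redirect)

    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "FileVault 2 Recovery Key Redirect",
        "PayloadOrganization": org,
        "PayloadScope": "System",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def redirect_target(profile_bytes):
    """Audit helper: return (RedirectURL, key_is_encrypted) from a profile,
    or None when the profile carries no redirect payload."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == REDIRECT_PAYLOAD_TYPE:
            return payload["RedirectURL"], "EncryptCertPayloadUUID" in payload
    return None


if __name__ == "__main__":
    # Constructed sample: a placeholder escrow endpoint and a dummy DER blob.
    mobileconfig = build_redirect_profile("https://escrow.example.com/fv2",
                                          encrypt_cert_der=b"\x30\x82\x00\x00")
    print(redirect_target(mobileconfig))
```

The audit function is the useful half in practice: run it over the profiles exported from your JSS to confirm every redirect points at an HTTPS endpoint you control and, where the cert payload is present, that plaintext keys never transit or rest on that server unencrypted.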
Posted on 03-30-2016 12:28 PM
We're not using it, but I've seen a project using Google App Engine (I think) called Cauliflower Vest.
Posted on 03-30-2016 03:50 PM
I could have sworn the last time I went to view a recovery key it downloaded a text file with the key included. Right now when I went to check I noticed this:
Looks like we'll keep the JSS option for storage and keep things easy.
Thanks for the responses.