FileVault with Big Sur & Jamf 10.25.1 (maybe 10.26)

walt
Contributor III

I am looking for proper workflows to enable FileVault with Big Sur.

Are there any new changes in 10.26 regarding FileVault configuration (current process seems very archaic)

I currently use the FileVault process form the Jamf Admin's Guide and that works with 10.15 and so far with macOS 11

Another concern is escrowing filevault keys that may not have been escrowed in jamf, the Jamf FileVault escrow script works in 10.15 but not in any tests with macOS 11, is there an update to this?

24 REPLIES 24

ddonald
New Contributor

I can confirm the escrow script that works up through 10.15.7 does not work now in 11.0.

Heavy_D
Contributor III

Not sure if this helps but it did for me:
FileVault, SecureToken and Bootstrap in macOS 11.0.1 Big Sur

mnickels
New Contributor III

I tested this on my end and it looks like the script does work for me. I had to alter the logic to account for Big Sur being version 11, as the default logic puts version 11 in a "hey you're not version 10.x!" bucket.

I ended up removing all the version logic because all of my devices are version 10.14+ and this seems to work fine on Big Sur.

LangStefan
New Contributor III

With some minor changes in the escrow-script it works fine for me. - change the conditions for the new macOS version
- set a custom icon, as the old default FV-icon does not exist anymore

hapi_mb_001
New Contributor

@LangStefan Fo you have a copy of your script? I have a staff member who upgraded to Big Sur before onboarding to Jamf and I have to update scripting for FilaVault escrow.

Kishan_H
New Contributor II

Hi @LangStefan Can you kindly share your script with me please? FV key escrow has worked for me up to 10.15.7, but with 11.0 it does not. I'm actually using Jamf's configuration profile to do this escrow but doesn't work on 11.0

balaji1373
New Contributor

I tested on Big Sur for re-issue a recovery key and its working for me.

I taken this scripts from https://github.com/homebysix/jss-filevault-reissue/blob/master/reissue_filevault_recovery_key.sh

!/bin/bash

#

Name: reissue_filevault_recovery_key.sh

Description: This script is intended to run on Macs which no longer have

a valid recovery key in the JSS. It prompts users to enter

their Mac password, and uses this password to generate a

new FileVault key and escrow with the JSS. The "redirect

FileVault keys to JSS" configuration profile must already

be deployed in order for this script to work correctly.

Author: Elliot Jordan <elliot@elliotjordan.com>

Created: 2015-01-05

Last Modified: 2020-12-04

Version: 1.9.8

################################## VARIABLES ###############################

(Optional) Path to a logo that will be used in messaging. Recommend 512px,

PNG format. If no logo is provided, the FileVault icon will be used.

LOGO=""

The title of the message that will be displayed to the user.

Not too long, or it'll get clipped.

PROMPT_TITLE="Encryption Key Escrow"

The body of the message that will be displayed before prompting the user for

their password. All message strings below can be multiple lines.

PROMPT_MESSAGE="Your Mac's FileVault encryption key needs to be escrowed by YOUR COMPANY NAME
Click the Next button below, then enter your Mac's password when prompted."

The body of the message that will be displayed after 5 incorrect passwords.

FORGOT_PW_MESSAGE="You made five incorrect password attempts.
Please contact the Help Desk at 555-1212 for help with your Mac password."

The body of the message that will be displayed after successful completion.

SUCCESS_MESSAGE="Thank you! Your FileVault key has been escrowed."

The body of the message that will be displayed if a failure occurs.

FAIL_MESSAGE="Sorry, an error occurred while escrowing your FileVault key. Please contact the Help Desk at 555-1212 for help."

Optional but recommended: The profile identifiers of the FileVault Key

Redirection profiles (e.g. ABCDEF12-3456-7890-ABCD-EF1234567890).

PROFILE_IDENTIFIER_10_12="" # 10.12 and earlier
PROFILE_IDENTIFIER_10_13="CA843A15-E86C-4E45-8D51-27D8F68C6249" # 10.13 and later

###################################################################
################### DO NOT EDIT BELOW THIS LINE ###################
###################################################################
################## VALIDATION AND ERROR CHECKING ##################

Suppress errors for the duration of this script. (This prevents JAMF Pro from

marking a policy as "failed" if the words "fail" or "error" inadvertently

appear in the script output.)

exec 2>/dev/null

BAILOUT=false

Make sure we have root privileges (for fdesetup).

if [[ $EUID -ne 0 ]]; then REASON="This script must run as root." BAILOUT=true
fi

Check for remote users.

REMOTE_USERS=$(/usr/bin/who | /usr/bin/grep -Eo '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' | wc -l)
if [[ $REMOTE_USERS -gt 0 ]]; then REASON="Remote users are logged in." BAILOUT=true
fi

Bail out if jamfHelper doesn't exist.

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
if [[ ! -x "$jamfHelper" ]]; then REASON="jamfHelper not found." BAILOUT=true
fi

Most of the code below is based on the JAMF reissueKey.sh script:

https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh

Check the OS version.

OS_MAJOR=$(/usr/bin/sw_vers -productVersion | awk -F . '{print $1}')
OS_MINOR=$(/usr/bin/sw_vers -productVersion | awk -F . '{print $2}')
if [[ "$OS_MAJOR" -eq 11 ]] || [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -eq 16 ]]; then echo "[WARNING] This script has not been tested on macOS Big Sur. Use at your own risk."
elif [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -lt 9 ]]; then REASON="This script requires macOS 10.9 or higher. This Mac has $(/usr/bin/sw_vers -productVersion)." BAILOUT=true
fi

Check to see if the encryption process is complete

FV_STATUS="$(/usr/bin/fdesetup status)"
if /usr/bin/grep -q "Encryption in progress" <<< "$FV_STATUS"; then REASON="FileVault encryption is in progress. Please run the script again when it finishes." BAILOUT=true
elif /usr/bin/grep -q "FileVault is Off" <<< "$FV_STATUS"; then REASON="Encryption is not active." BAILOUT=true
elif ! /usr/bin/grep -q "FileVault is On" <<< "$FV_STATUS"; then REASON="Unable to determine encryption status." BAILOUT=true
fi

Get the logged in user's name

CURRENT_USER=$(/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/&&!/loginwindow/{print $3}')

Make sure there's an actual user logged in

if [[ -z $CURRENT_USER || "$CURRENT_USER" == "root" ]]; then REASON="No user is currently logged in." BAILOUT=true
else # Make sure logged in account is already authorized with FileVault 2 FV_USERS="$(/usr/bin/fdesetup list)" if ! /usr/bin/grep -E -q "^${CURRENT_USER}," <<< "$FV_USERS"; then REASON="$CURRENT_USER is not on the list of FileVault enabled users: $FV_USERS" BAILOUT=true fi
fi

If specified, the FileVault key redirection profile needs to be installed.

if [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -le 12 ]]; then if [[ "$PROFILE_IDENTIFIER_10_12" != "" ]]; then if ! /usr/bin/profiles -Cv | /usr/bin/grep -q "profileIdentifier: $PROFILE_IDENTIFIER_10_12"; then REASON="The FileVault Key Redirection profile is not yet installed." BAILOUT=true fi fi
elif [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -gt 12 ]]; then if [[ "$PROFILE_IDENTIFIER_10_13" != "" ]]; then if ! /usr/bin/profiles -Cv | /usr/bin/grep -q "profileIdentifier: $PROFILE_IDENTIFIER_10_13"; then REASON="The FileVault Key Redirection profile is not yet installed." BAILOUT=true fi fi
fi

########################## MAIN PROCESS ###########################

Validate logo file. If no logo is provided or if the file cannot be found at

specified path, default to the FileVault icon.

if [[ -z "$LOGO" ]] || [[ ! -f "$LOGO" ]]; then /bin/echo "No logo provided, or no logo exists at specified path. Using FileVault icon." LOGO="/System/Library/PreferencePanes/Security.prefPane/Contents/Resources/FileVault.icns"
fi

Convert POSIX path of logo icon to Mac path for AppleScript.

LOGO_POSIX="$(/usr/bin/osascript -e 'tell application "System Events" to return POSIX file "'"$LOGO"'" as text')"

Get information necessary to display messages in the current user's context.

USER_ID=$(/usr/bin/id -u "$CURRENT_USER")
if [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -le 9 ]]; then L_ID=$(/usr/bin/pgrep -x -u "$USER_ID" loginwindow) L_METHOD="bsexec"
elif [[ "$OS_MAJOR" -eq 11 ]] || [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -gt 9 ]]; then L_ID=$USER_ID L_METHOD="asuser"
fi

If any error occurred in the validation section, bail out.

if [[ "$BAILOUT" == "true" ]]; then echo "[ERROR]: $REASON" launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$FAIL_MESSAGE: $REASON" -button1 'OK' -defaultButton 1 -startlaunchd &>/dev/null & exit 1
fi

Display a branded prompt explaining the password prompt.

echo "Alerting user $CURRENT_USER about incoming password prompt..."
/bin/launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$PROMPT_MESSAGE" -button1 "Next" -defaultButton 1 -startlaunchd &>/dev/null

Get the logged in user's password via a prompt.

echo "Prompting $CURRENT_USER for their Mac password..."
USER_PASS="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

Thanks to James Barclay (@futureimperfect) for this password validation loop.

TRY=1
until /usr/bin/dscl /Search -authonly "$CURRENT_USER" "$USER_PASS" &>/dev/null; do (( TRY++ )) echo "Prompting $CURRENT_USER for their Mac password (attempt $TRY)..." USER_PASS="$(/bin/launchctl "$L_METHOD" "$L_ID" /usr/bin/osascript -e 'display dialog "Sorry, that password was incorrect. Please try again:" default answer "" with title "'"${PROMPT_TITLE//"/\"}"'" giving up after 86400 with text buttons {"OK"} default button 1 with hidden answer with icon file "'"${LOGO_POSIX//"/\"}"'"' -e 'return text returned of result')" if (( TRY >= 5 )); then echo "[ERROR] Password prompt unsuccessful after 5 attempts. Displaying "forgot password" message..." /bin/launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$FORGOT_PW_MESSAGE" -button1 'OK' -defaultButton 1 -startlaunchd &>/dev/null & exit 1 fi
done
echo "Successfully prompted for Mac password."

If needed, unload and kill FDERecoveryAgent.

if /bin/launchctl list | /usr/bin/grep -q "com.apple.security.FDERecoveryAgent"; then echo "Unloading FDERecoveryAgent LaunchDaemon..." /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.security.FDERecoveryAgent.plist
fi
if pgrep -q "FDERecoveryAgent"; then echo "Stopping FDERecoveryAgent process..." killall "FDERecoveryAgent"
fi

Translate XML reserved characters to XML friendly representations.

USER_PASS=${USER_PASS//&/&amp;}
USER_PASS=${USER_PASS//</&lt;}
USER_PASS=${USER_PASS//>/&gt;}
USER_PASS=${USER_PASS//"/&quot;}
USER_PASS=${USER_PASS//'/&apos;}

For 10.13's escrow process, store the last modification time of /var/db/FileVaultPRK.dat

if [[ "$OS_MINOR" -ge 13 ]]; then echo "Checking for /var/db/FileVaultPRK.dat on macOS 10.13+..." PRK_MOD=0 if [ -e "/var/db/FileVaultPRK.dat" ]; then echo "Found existing personal recovery key." PRK_MOD=$(/usr/bin/stat -f "%Sm" -t "%s" "/var/db/FileVaultPRK.dat") fi
fi

echo "Issuing new recovery key..."
FDESETUP_OUTPUT="$(/usr/bin/fdesetup changerecovery -norecoverykey -verbose -personal -inputplist << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> <key>Username</key> <string>$CURRENT_USER</string> <key>Password</key> <string>$USER_PASS</string>
</dict>
</plist>
EOF
)"

Test success conditions.

FDESETUP_RESULT=$?

Clear password variable.

unset USER_PASS

Differentiate <=10.12 and >=10.13 success conditions

if [[ "$OS_MAJOR" -ge 11 ]] || [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -gt 9 ]]; then # Check new modification time of of FileVaultPRK.dat ESCROW_STATUS=1 if [ -e "/var/db/FileVaultPRK.dat" ]; then NEW_PRK_MOD=$(/usr/bin/stat -f "%Sm" -t "%s" "/var/db/FileVaultPRK.dat") if [[ $NEW_PRK_MOD -gt $PRK_MOD ]]; then ESCROW_STATUS=0 echo "Recovery key updated locally and available for collection via MDM. (This usually requires two 'jamf recon' runs to show as valid.)" else echo "[WARNING] The recovery key does not appear to have been updated locally." fi fi
else # Check output of fdesetup command for indication of an escrow attempt /usr/bin/grep -q "Escrowing recovery key..." <<< "$FDESETUP_OUTPUT" ESCROW_STATUS=$?
fi

if [[ $FDESETUP_RESULT -ne 0 ]]; then [[ -n "$FDESETUP_OUTPUT" ]] && echo "$FDESETUP_OUTPUT" echo "[WARNING] fdesetup exited with return code: $FDESETUP_RESULT." echo "See this page for a list of fdesetup exit codes and their meaning:" echo "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man8/fdesetup.8.html" echo "Displaying "failure" message..." /bin/launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$FAIL_MESSAGE: fdesetup exited with code $FDESETUP_RESULT. Output: $FDESETUP_OUTPUT" -button1 'OK' -defaultButton 1 -startlaunchd &>/dev/null &
elif [[ $ESCROW_STATUS -ne 0 ]]; then [[ -n "$FDESETUP_OUTPUT" ]] && echo "$FDESETUP_OUTPUT" echo "[WARNING] FileVault key was generated, but escrow cannot be confirmed. Please verify that the redirection profile is installed and the Mac is connected to the internet." echo "Displaying "failure" message..." /bin/launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$FAIL_MESSAGE: New key generated, but escrow did not occur." -button1 'OK' -defaultButton 1 -startlaunchd &>/dev/null &
else [[ -n "$FDESETUP_OUTPUT" ]] && echo "$FDESETUP_OUTPUT" echo "Displaying "success" message..." /bin/launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$SUCCESS_MESSAGE" -button1 'OK' -defaultButton 1 -startlaunchd &>/dev/null &
fi

exit $FDESETUP_RESULT

snowfox
Contributor III

I don't use a script, I just use the Jamf config under security & privacy.
Works fine under 10.15 & 11.0
I only use PRK escrow so that every machine has a different PRK (I avoid the IRK).
Apple are pushing more and more for config of services via MDM so that's the way I've gone.
No script required.
My only gripe with Jamfs config is that it will prompt to add your username to filevault during logout without ever forcing the user to do it. I've seen this option available in profile managers filevault config options - force adding username to filevault after so many times cancelled by user. So Jamf could add this to their config if they wanted.

allanp81
Valued Contributor

I'm struggling with Filevault via policy on Big Sur on Intel silicon.

It says it's applied it, on logout I get the notification to say filevault has been enabled and then to authenticate but then it fails just saying their was a problem and no more details.

Jamf records the recovery keys in inventory though, so it's partially working and "fdesetup status" from the terminal says a master keychain has been installed and the deferred enablement is active for the current user.

Rukongai
New Contributor

@snowfox

The script is for re-issuing FileVault keys if the PRK is invalid for any reason.

It's a very handy thing to have in your toolkit!

EUC600
New Contributor III

Seems the link for the script on GitHub has changed. I found it here and confirmed the script does work.
https://github.com/homebysix/jss-filevault-reissue/blob/main/reissue_filevault_recovery_key.sh

scottb
Honored Contributor

@EUC600 - I'm just starting to test this process again under BS, and thus far, it's not working. It appears to work based on the UI on the Mac (intel) but it shows as failed on the Jamf cloud server logs. "Authentication failed" is the error, even though the password is accepted and is correct. Could you show me your setup? I'm happy to post mine as well...pretty much what is on the page, but something must be off. *POSSIBLE that the BS beta I'm on is the cause, but I don't think so...

sanbornc
New Contributor III

Hello All! Can someone tell me if Im doing this right? I am using the script from GitHub and/or the script posted by @balaji1373 to escrow a key. Im on BS 11.3. Is there anything else Im supposed to do when deploying this other then making sure the Escrow config profiles are on the Macs, and uploading the script to JAMF and running it as Self Service policy? Thats literally all Im doing. I have no other items enabled in the policy, just customized the script and am running it as a Self Service Policy. Currently the policy runs and I get to the screen where it says "Your Mac's FileVault encryption key needs to be escrowed by .
Click the Next button below, then enter your Mac's Login password when prompted". When I click the NExt button, it responds immediatly with "You made five incorrect password attempts.
Please contact
for assistance." I never even got the prompt for the log in password. It just tried some password 5 times and failed I guess??? The only thing I can think of is on the GitHub page it says "Use both launchctl and sudo -u to run in user context". What does this mean? Is there something else Im supposed to be enabling in the policy that Im not? Thanks for the help!

Jamftechelp
New Contributor II

When i enable FileVault using following command on BigSur , getting an error "A problem occurred while trying to enable FileVault. (-69594)".
sudo fdesetup enable -user $username -password -$userpassword.

Anyone come cross this error ? Please suggest

Bia
New Contributor III

I followed this document creating the configuration profile (for escrow) and the policy (to deploy), and it works like a charm for all my Macs that never had FileVault 2 turned on yet. They are all M1 Macs operating macOS Big Sur. No script was needed. Our decision was Personal Recovery Key. Administering FileVault on macOS 10.14 or Later with Jamf Pro 

The issue I'm coming across is that with a switch from Jamf Now to Jamf Pro, half of the Mac fleet already had FileVault 2 enabled in Jamf Now (I was not part of the transition). They show FV2 is enabled in Jamf Pro but they have an 'unknown' recovery key. I need to re-issue a new Personal/Individual Recovery Key for these Macs in Jamf Pro and of course escrow it. The policy to re-issue a RK alone does not work for this scenario. Wondering if I have to turn FV off on these Macs and then turn it back on. The script mentioned above in previous comments is not an option for me because it highlights at the top, "The 'redirect FileVault keys to JSS' configuration profile must already be deployed in order for this script to work correctly". The 'Configure FileVault Recovery Key Redirection' payload in Jamf Pro highlights to use this section to define settings for FileVault recovery key redirection (macOS 10.9–10.12 only) which sadly does not work for Big Sur. Any input or advice on the scenario is appreciated.

Hi @Bia, the link you provided appears to be invalid.

I am also running into the issue where is doesn't prompt for a password and it errors out

Script result: [WARNING] This script has not been tested on macOS Big Sur. Use at your own risk.
No logo provided, or no logo exists at specified path. Using FileVault icon.
Alerting user johntest about incoming password prompt...
Prompting johntest for their Mac password...
Prompting johntest for their Mac password (attempt 2)...
Prompting johntest for their Mac password (attempt 3)...
Prompting johntest for their Mac password (attempt 4)...
Prompting johntest for their Mac password (attempt 5)...
[ERROR] Password prompt unsuccessful after 5 attempts. Displaying "forgot password" message...

Seeing if I can find where I can change the script to fix this, I will let everyone know if I can.. But also open to suggestions.

scottb
Honored Contributor

@jlombardo - try this Jamf script.  I've been using it successfully.

Reissue Key 

Yes I just found this!  I was going to past the link here, but you have... It worked like a charm

Bia
New Contributor III

Hi @jlombardo, I believe you found resolution but sorry about that link. It looks like it has been updated Administering FileVault on macOS 10.14 or Later with Jamf Pro . I followed those steps for the endpoints that weren't encrypted yet. For the Macs that were already encrypted before being enrolled in Jamf Pro, I re-issued a personal recovery key using this script reissue_filevault_recovery_key . Both have been working great!

jlombardo
Contributor

I am putting the Configuration Profile in place that redirects the newly generated FV key to Jamf, but on 95 percent of machines I am getting this error:

 

A profile with a “FileVault Recovery Key Escrow” payload is already installed on the system

 

The payload has definitely never been installed on these systems, and this error appears on multiple OS's.  Has anyone else experienced this?

scottb
Honored Contributor

More than likely another payload with FV2 is in there...one good reason to keep many Profiles instead of a monolithic Profile with lots of settings (not saying you did this).

Doesn't have to be the same setup, just another profile with FV2 settings is what you're looking for. 

Would bet dinner and beers on it!

You win!

It was already in my FV configuration profile.  I do have 1 rule per config policy, it is good practice!

scottb
Honored Contributor

I know - been there!  That's why I posted...trying to find these things can be a PITA 🙂 

elliotjordan
Contributor III

Hi folks! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!