Posted on 11-06-2020 02:48 PM
I am looking for proper workflows to enable FileVault with Big Sur.
Are there any new changes in 10.26 regarding FileVault configuration (the current process seems very archaic)?
I currently use the FileVault process from the Jamf Admin's Guide, and that works with 10.15 and so far with macOS 11.
Another concern is escrowing FileVault keys that may not have been escrowed in Jamf. The Jamf FileVault escrow script works in 10.15 but not in any tests with macOS 11; is there an update to this?
Posted on 11-17-2020 08:47 AM
I can confirm the escrow script that works up through 10.15.7 does not work now in 11.0.
Posted on 11-17-2020 12:13 PM
Not sure if this helps but it did for me:
FileVault, SecureToken and Bootstrap in macOS 11.0.1 Big Sur
Posted on 11-18-2020 05:41 AM
I tested this on my end and it looks like the script does work for me. I had to alter the logic to account for Big Sur being version 11, as the default logic puts version 11 in a "hey you're not version 10.x!" bucket.
I ended up removing all the version logic because all of my devices are version 10.14+ and this seems to work fine on Big Sur.
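A version comparison that does not rest on the "everything is 10.x" assumption, added here as an example; it is not from any post in this thread or from the jss-filevault-reissue script. It compares versions field by field so that 11.0.1 sorts after 10.15.7, folds the 10.16 that Big Sur reports to callers built against older SDKs (or run with SYSTEM_VERSION_COMPAT set) onto the 11.x line, and maps a version onto the branches the reissue script distinguishes. The era labels and the sample version strings are constructed for this example.

```shell
#!/bin/sh
# Added example: macOS version comparison that handles the 10.x -> 11.x jump.
# Not taken from the thread or from jss-filevault-reissue.

# Print "major minor patch" as three integers, e.g. "10.15.7" -> "10 15 7",
# "11" -> "11 0 0". Pure parameter expansion, so it works in sh and bash.
version_fields() {
    v=$1
    major=${v%%.*}; rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}; rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    printf '%d %d %d\n' "${major:-0}" "${minor:-0}" "${patch:-0}"
}

# Return 0 (true) when version $1 >= version $2, comparing numerically
# field by field rather than as strings ("11" must beat "10.15").
version_ge() {
    set -- $(version_fields "$1") $(version_fields "$2")
    # Now $1 $2 $3 are the left version's fields and $4 $5 $6 the right's.
    if [ "$1" -ne "$4" ]; then
        if [ "$1" -gt "$4" ]; then return 0; else return 1; fi
    fi
    if [ "$2" -ne "$5" ]; then
        if [ "$2" -gt "$5" ]; then return 0; else return 1; fi
    fi
    if [ "$3" -ge "$6" ]; then return 0; else return 1; fi
}

# Big Sur reports "10.16" to tools built against older SDKs or run with
# SYSTEM_VERSION_COMPAT set; fold that onto the real 11.x line.
normalize_macos_version() {
    case "$1" in
        10.16|10.16.*) echo "11.0" ;;
        *) echo "$1" ;;
    esac
}

# Map a version onto the branches the reissue script distinguishes.
# The labels are constructed for this example.
filevault_era() {
    v=$(normalize_macos_version "$1")
    if version_ge "$v" 11.0; then
        echo "big-sur-or-later"
    elif version_ge "$v" 10.13; then
        echo "high-sierra-to-catalina"   # "10.13 and later" escrow profile, FileVaultPRK.dat check
    elif version_ge "$v" 10.9; then
        echo "mavericks-to-sierra"       # "10.12 and earlier" key redirection profile
    else
        echo "unsupported"               # the script requires 10.9 or higher
    fi
}

# Demo over constructed version strings; on a Mac you would pass
# "$(/usr/bin/sw_vers -productVersion)" instead.
for v in 10.8.5 10.12.6 10.15.7 10.16 11.0.1 12.1; do
    printf '%-8s -> %s\n' "$v" "$(filevault_era "$v")"
done
```

Because the fields are compared as integers, the same functions keep working for macOS 12 and later without adding another `-eq 11` branch each year.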
Posted on 11-18-2020 09:08 AM
With some minor changes to the escrow script it works fine for me.
- change the conditions for the new macOS version
- set a custom icon, as the old default FV icon does not exist anymore
Posted on 12-03-2020 05:48 PM
@LangStefan Do you have a copy of your script? I have a staff member who upgraded to Big Sur before onboarding to Jamf and I have to update scripting for FileVault escrow.
Posted on 12-07-2020 03:22 AM
Hi @LangStefan, can you kindly share your script with me please? FV key escrow has worked for me up to 10.15.7, but with 11.0 it does not. I'm actually using Jamf's configuration profile to do this escrow, but it doesn't work on 11.0.
Posted on 12-07-2020 03:29 AM
I tested re-issuing a recovery key on Big Sur and it's working for me.
I took this script from https://github.com/homebysix/jss-filevault-reissue/blob/master/reissue_filevault_recovery_key.sh
#!/bin/bash

LOGO=""
PROMPT_TITLE="Encryption Key Escrow"
PROMPT_MESSAGE="Your Mac's FileVault encryption key needs to be escrowed by YOUR COMPANY NAME
Click the Next button below, then enter your Mac's password when prompted."
FORGOT_PW_MESSAGE="You made five incorrect password attempts.
Please contact the Help Desk at 555-1212 for help with your Mac password."
SUCCESS_MESSAGE="Thank you! Your FileVault key has been escrowed."
FAIL_MESSAGE="Sorry, an error occurred while escrowing your FileVault key. Please contact the Help Desk at 555-1212 for help."
PROFILE_IDENTIFIER_10_12="" # 10.12 and earlier
PROFILE_IDENTIFIER_10_13="CA843A15-E86C-4E45-8D51-27D8F68C6249" # 10.13 and later

exec 2>/dev/null

BAILOUT=false

# Must run as root (a Jamf policy does).
if [[ $EUID -ne 0 ]]; then
    REASON="This script must run as root."
    BAILOUT=true
fi

# Bail out if anyone is logged in remotely; the prompts would land in the wrong session.
REMOTE_USERS=$(/usr/bin/who | /usr/bin/grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | /usr/bin/wc -l)
if [[ $REMOTE_USERS -gt 0 ]]; then
    REASON="Remote users are logged in."
    BAILOUT=true
fi

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
if [[ ! -x "$jamfHelper" ]]; then
    REASON="jamfHelper not found."
    BAILOUT=true
fi

# Big Sur is version 11, so every OS check below tests OS_MAJOR before OS_MINOR.
OS_MAJOR=$(/usr/bin/sw_vers -productVersion | /usr/bin/awk -F . '{print $1}')
OS_MINOR=$(/usr/bin/sw_vers -productVersion | /usr/bin/awk -F . '{print $2}')
if [[ "$OS_MAJOR" -ge 11 ]] || [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -eq 16 ]]; then
    echo "[WARNING] This script has not been tested on macOS Big Sur. Use at your own risk."
elif [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -lt 9 ]]; then
    REASON="This script requires macOS 10.9 or higher. This Mac has $(/usr/bin/sw_vers -productVersion)."
    BAILOUT=true
fi

FV_STATUS="$(/usr/bin/fdesetup status)"
if /usr/bin/grep -q "Encryption in progress" <<< "$FV_STATUS"; then
    REASON="FileVault encryption is in progress. Please run the script again when it finishes."
    BAILOUT=true
elif /usr/bin/grep -q "FileVault is Off" <<< "$FV_STATUS"; then
    REASON="Encryption is not active."
    BAILOUT=true
elif ! /usr/bin/grep -q "FileVault is On" <<< "$FV_STATUS"; then
    REASON="Unable to determine encryption status."
    BAILOUT=true
fi

CURRENT_USER=$(/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/&&!/loginwindow/{print $3}')
if [[ -z $CURRENT_USER || "$CURRENT_USER" == "root" ]]; then
    REASON="No user is currently logged in."
    BAILOUT=true
else
    # Make sure the logged-in account is already authorized with FileVault 2
    FV_USERS="$(/usr/bin/fdesetup list)"
    if ! /usr/bin/grep -E -q "^${CURRENT_USER}," <<< "$FV_USERS"; then
        REASON="$CURRENT_USER is not on the list of FileVault enabled users: $FV_USERS"
        BAILOUT=true
    fi
fi

# The escrow (key redirection) profile must be installed before a new key is issued.
if [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -le 12 ]]; then
    if [[ "$PROFILE_IDENTIFIER_10_12" != "" ]]; then
        if ! /usr/bin/profiles -Cv | /usr/bin/grep -q "profileIdentifier: $PROFILE_IDENTIFIER_10_12"; then
            REASON="The FileVault Key Redirection profile is not yet installed."
            BAILOUT=true
        fi
    fi
elif [[ "$OS_MAJOR" -ge 11 ]] || [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -gt 12 ]]; then
    # "10.13 and later" includes Big Sur
    if [[ "$PROFILE_IDENTIFIER_10_13" != "" ]]; then
        if ! /usr/bin/profiles -Cv | /usr/bin/grep -q "profileIdentifier: $PROFILE_IDENTIFIER_10_13"; then
            REASON="The FileVault Key Redirection profile is not yet installed."
            BAILOUT=true
        fi
    fi
fi

if [[ -z "$LOGO" ]] || [[ ! -f "$LOGO" ]]; then
    /bin/echo "No logo provided, or no logo exists at specified path. Using FileVault icon."
    LOGO="/System/Library/PreferencePanes/Security.prefPane/Contents/Resources/FileVault.icns"
fi
LOGO_POSIX="$(/usr/bin/osascript -e 'tell application "System Events" to return POSIX file "'"$LOGO"'" as text')"

# Pick the launchctl method used to show dialogs in the logged-in user's session.
USER_ID=$(/usr/bin/id -u "$CURRENT_USER")
if [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -le 9 ]]; then
    L_ID=$(/usr/bin/pgrep -x -u "$USER_ID" loginwindow)
    L_METHOD="bsexec"
elif [[ "$OS_MAJOR" -ge 11 ]] || [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -gt 9 ]]; then
    L_ID=$USER_ID
    L_METHOD="asuser"
fi

if [[ "$BAILOUT" == "true" ]]; then
    echo "[ERROR]: $REASON"
    /bin/launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$FAIL_MESSAGE: $REASON" -button1 'OK' -defaultButton 1 -startlaunchd &>/dev/null &
    exit 1
fi

echo "Alerting user $CURRENT_USER about incoming password prompt..."
/bin/launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$PROMPT_MESSAGE" -button1 "Next" -defaultButton 1 -startlaunchd &>/dev/null

# Run the password dialog in the user's context, like the retry prompt below; run as root it
# cannot display and the loop falls straight through to the five-attempt failure.
echo "Prompting $CURRENT_USER for their Mac password..."
USER_PASS="$(/bin/launchctl "$L_METHOD" "$L_ID" /usr/bin/osascript -e 'tell application "System Events" to display dialog "Please enter your login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

# Verify the password against the directory before handing it to fdesetup.
TRY=1
until /usr/bin/dscl /Search -authonly "$CURRENT_USER" "$USER_PASS" &>/dev/null; do
    (( TRY++ ))
    echo "Prompting $CURRENT_USER for their Mac password (attempt $TRY)..."
    USER_PASS="$(/bin/launchctl "$L_METHOD" "$L_ID" /usr/bin/osascript -e 'display dialog "Sorry, that password was incorrect. Please try again:" default answer "" with title "'"${PROMPT_TITLE//\"/\\\"}"'" giving up after 86400 with text buttons {"OK"} default button 1 with hidden answer with icon file "'"${LOGO_POSIX//\"/\\\"}"'"' -e 'return text returned of result')"
    if (( TRY >= 5 )); then
        echo "[ERROR] Password prompt unsuccessful after 5 attempts. Displaying \"forgot password\" message..."
        /bin/launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$FORGOT_PW_MESSAGE" -button1 'OK' -defaultButton 1 -startlaunchd &>/dev/null &
        exit 1
    fi
done
echo "Successfully prompted for Mac password."

if /bin/launchctl list | /usr/bin/grep -q "com.apple.security.FDERecoveryAgent"; then
    echo "Unloading FDERecoveryAgent LaunchDaemon..."
    /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.security.FDERecoveryAgent.plist
fi
if /usr/bin/pgrep -q "FDERecoveryAgent"; then
    echo "Stopping FDERecoveryAgent process..."
    /usr/bin/killall "FDERecoveryAgent"
fi

# The password goes into an XML plist, so escape XML special characters.
USER_PASS=${USER_PASS//&/&amp;}
USER_PASS=${USER_PASS//</&lt;}
USER_PASS=${USER_PASS//>/&gt;}
USER_PASS=${USER_PASS//\"/&quot;}
USER_PASS=${USER_PASS//\'/&apos;}

# Record the current modification time of the PRK file so the update can be confirmed afterwards.
PRK_MOD=0
if [[ "$OS_MAJOR" -ge 11 ]] || [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -ge 13 ]]; then
    echo "Checking for /var/db/FileVaultPRK.dat on macOS 10.13+..."
    if [ -e "/var/db/FileVaultPRK.dat" ]; then
        echo "Found existing personal recovery key."
        PRK_MOD=$(/usr/bin/stat -f "%Sm" -t "%s" "/var/db/FileVaultPRK.dat")
    fi
fi

echo "Issuing new recovery key..."
FDESETUP_OUTPUT="$(/usr/bin/fdesetup changerecovery -norecoverykey -verbose -personal -inputplist << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>$CURRENT_USER</string>
<key>Password</key>
<string>$USER_PASS</string>
</dict>
</plist>
EOF
)"
FDESETUP_RESULT=$?
unset USER_PASS

if [[ "$OS_MAJOR" -ge 11 ]] || [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -gt 9 ]]; then
    # Check the new modification time of FileVaultPRK.dat
    ESCROW_STATUS=1
    if [ -e "/var/db/FileVaultPRK.dat" ]; then
        NEW_PRK_MOD=$(/usr/bin/stat -f "%Sm" -t "%s" "/var/db/FileVaultPRK.dat")
        if [[ $NEW_PRK_MOD -gt $PRK_MOD ]]; then
            ESCROW_STATUS=0
            echo "Recovery key updated locally and available for collection via MDM. (This usually requires two 'jamf recon' runs to show as valid.)"
        else
            echo "[WARNING] The recovery key does not appear to have been updated locally."
        fi
    fi
else
    # Check output of fdesetup command for indication of an escrow attempt
    /usr/bin/grep -q "Escrowing recovery key..." <<< "$FDESETUP_OUTPUT"
    ESCROW_STATUS=$?
fi

if [[ $FDESETUP_RESULT -ne 0 ]]; then
    [[ -n "$FDESETUP_OUTPUT" ]] && echo "$FDESETUP_OUTPUT"
    echo "[WARNING] fdesetup exited with return code: $FDESETUP_RESULT."
    echo "See this page for a list of fdesetup exit codes and their meaning:"
    echo "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man8/fdesetup.8.html"
    echo "Displaying \"failure\" message..."
    /bin/launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$FAIL_MESSAGE: fdesetup exited with code $FDESETUP_RESULT. Output: $FDESETUP_OUTPUT" -button1 'OK' -defaultButton 1 -startlaunchd &>/dev/null &
elif [[ $ESCROW_STATUS -ne 0 ]]; then
    [[ -n "$FDESETUP_OUTPUT" ]] && echo "$FDESETUP_OUTPUT"
    echo "[WARNING] FileVault key was generated, but escrow cannot be confirmed. Please verify that the redirection profile is installed and the Mac is connected to the internet."
    echo "Displaying \"failure\" message..."
    /bin/launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$FAIL_MESSAGE: New key generated, but escrow did not occur." -button1 'OK' -defaultButton 1 -startlaunchd &>/dev/null &
else
    [[ -n "$FDESETUP_OUTPUT" ]] && echo "$FDESETUP_OUTPUT"
    echo "Displaying \"success\" message..."
    /bin/launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$SUCCESS_MESSAGE" -button1 'OK' -defaultButton 1 -startlaunchd &>/dev/null &
fi

exit $FDESETUP_RESULT
Posted on 12-07-2020 04:33 AM
I don't use a script, I just use the Jamf config under security & privacy.
Works fine under 10.15 & 11.0
I only use PRK escrow so that every machine has a different PRK (I avoid the IRK).
Apple are pushing more and more for config of services via MDM so that's the way I've gone.
No script required.
My only gripe with Jamf's config is that it will prompt to add your username to FileVault during logout without ever forcing the user to do it. I've seen this option available in Profile Manager's FileVault config options: force adding the username to FileVault after the user has cancelled so many times. So Jamf could add this to their config if they wanted.
Posted on 01-07-2021 06:53 AM
I'm struggling with Filevault via policy on Big Sur on Intel silicon.
It says it's applied it; on logout I get the notification to say FileVault has been enabled and then to authenticate, but then it fails, just saying there was a problem and no more details.
Jamf records the recovery keys in inventory though, so it's partially working and "fdesetup status" from the terminal says a master keychain has been installed and the deferred enablement is active for the current user.
Posted on 01-08-2021 10:16 AM
The script is for re-issuing FileVault keys if the PRK is invalid for any reason.
It's a very handy thing to have in your toolkit!
Posted on 01-13-2021 08:11 AM
Seems the link for the script on GitHub has changed. I found it here and confirmed the script does work.
https://github.com/homebysix/jss-filevault-reissue/blob/main/reissue_filevault_recovery_key.sh
Posted on 01-13-2021 11:09 AM
@EUC600 - I'm just starting to test this process again under BS, and thus far, it's not working. It appears to work based on the UI on the Mac (intel) but it shows as failed on the Jamf cloud server logs. "Authentication failed" is the error, even though the password is accepted and is correct. Could you show me your setup? I'm happy to post mine as well...pretty much what is on the page, but something must be off. *POSSIBLE that the BS beta I'm on is the cause, but I don't think so...
Posted on 05-05-2021 05:04 PM
Hello All!
Can someone tell me if I'm doing this right? I am using the script from GitHub and/or the script posted by @balaji1373 to escrow a key. I'm on BS 11.3. Is there anything else I'm supposed to do when deploying this other than making sure the Escrow config profiles are on the Macs, and uploading the script to JAMF and running it as a Self Service policy? That's literally all I'm doing. I have no other items enabled in the policy, just customized the script and am running it as a Self Service Policy. Currently the policy runs and I get to the screen where it says "Your Mac's FileVault encryption key needs to be escrowed by .
Click the Next button below, then enter your Mac's Login password when prompted". When I click the Next button, it responds immediately with "You made five incorrect password attempts.
Please contact for assistance."
I never even got the prompt for the login password. It just tried some password 5 times and failed I guess??? The only thing I can think of is on the GitHub page it says "Use both launchctl and sudo -u to run in user context". What does this mean? Is there something else I'm supposed to be enabling in the policy that I'm not? Thanks for the help!
Posted on 05-12-2021 09:21 AM
When I enable FileVault using the following command on Big Sur, I get the error "A problem occurred while trying to enable FileVault. (-69594)".
sudo fdesetup enable -user $username -password -$userpassword
Has anyone come across this error? Please suggest.
05-25-2021 01:55 PM - edited 08-18-2021 07:40 AM
I followed this document creating the configuration profile (for escrow) and the policy (to deploy), and it works like a charm for all my Macs that never had FileVault 2 turned on yet. They are all M1 Macs operating macOS Big Sur. No script was needed. Our decision was Personal Recovery Key. Administering FileVault on macOS 10.14 or Later with Jamf Pro
The issue I'm coming across is that with a switch from Jamf Now to Jamf Pro, half of the Mac fleet already had FileVault 2 enabled in Jamf Now (I was not part of the transition). They show FV2 is enabled in Jamf Pro but they have an 'unknown' recovery key. I need to re-issue a new Personal/Individual Recovery Key for these Macs in Jamf Pro and of course escrow it. The policy to re-issue a RK alone does not work for this scenario. Wondering if I have to turn FV off on these Macs and then turn it back on. The script mentioned above in previous comments is not an option for me because it highlights at the top, "The 'redirect FileVault keys to JSS' configuration profile must already be deployed in order for this script to work correctly". The 'Configure FileVault Recovery Key Redirection' payload in Jamf Pro highlights to use this section to define settings for FileVault recovery key redirection (macOS 10.9–10.12 only) which sadly does not work for Big Sur. Any input or advice on the scenario is appreciated.
Posted on 08-17-2021 08:53 AM
Hi @Bia, the link you provided appears to be invalid.
I am also running into the issue where it doesn't prompt for a password and it errors out:
Script result: [WARNING] This script has not been tested on macOS Big Sur. Use at your own risk.
No logo provided, or no logo exists at specified path. Using FileVault icon.
Alerting user johntest about incoming password prompt...
Prompting johntest for their Mac password...
Prompting johntest for their Mac password (attempt 2)...
Prompting johntest for their Mac password (attempt 3)...
Prompting johntest for their Mac password (attempt 4)...
Prompting johntest for their Mac password (attempt 5)...
[ERROR] Password prompt unsuccessful after 5 attempts. Displaying "forgot password" message...
Seeing if I can find where I can change the script to fix this, I will let everyone know if I can.. But also open to suggestions.
Posted on 08-17-2021 09:04 AM
@jlombardo - try this Jamf script. I've been using it successfully.
Posted on 08-17-2021 09:10 AM
Yes, I just found this! I was going to paste the link here, but you have... It worked like a charm.
08-18-2021 07:33 AM - edited 08-18-2021 07:41 AM
Hi @jlombardo, I believe you found a resolution, but sorry about that link. It looks like it has been updated: Administering FileVault on macOS 10.14 or Later with Jamf Pro. I followed those steps for the endpoints that weren't encrypted yet. For the Macs that were already encrypted before being enrolled in Jamf Pro, I re-issued a personal recovery key using this script: reissue_filevault_recovery_key. Both have been working great!
Posted on 08-18-2021 01:47 PM
I am putting the Configuration Profile in place that redirects the newly generated FV key to Jamf, but on 95 percent of machines I am getting this error:
A profile with a “FileVault Recovery Key Escrow” payload is already installed on the system
The payload has definitely never been installed on these systems, and this error appears on multiple OS's. Has anyone else experienced this?
Posted on 08-18-2021 02:40 PM
More than likely another payload with FV2 is in there...one good reason to keep many Profiles instead of a monolithic Profile with lots of settings (not saying you did this).
Doesn't have to be the same setup, just another profile with FV2 settings is what you're looking for.
Would bet dinner and beers on it!
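A way to find the profile that is carrying the extra FileVault payload, added here as an example; it is not from any post in this thread or from Jamf. It assumes (my assumption, not the page's) that the input is the XML plist printed by `sudo profiles -C -o stdout-xml`, in which each installed profile dict carries a ProfileDisplayName, a ProfileIdentifier and a ProfileItems array whose payload dicts carry a PayloadType, and that the escrow payload's type is com.apple.security.FDERecoveryKeyEscrow. The sample plist is constructed to show the situation described above: the escrow payload buried inside a larger baseline profile as well as in the dedicated escrow profile.

```shell
#!/bin/sh
# Added example: list installed profiles that carry a FileVault escrow payload.
# Not from the thread or from Jamf; assumes the `profiles -C -o stdout-xml` layout.

FV_ESCROW_PAYLOAD="com.apple.security.FDERecoveryKeyEscrow"

# Read plist XML on stdin; print "<ProfileDisplayName>\t<ProfileIdentifier>" once
# for every profile whose ProfileItems include the escrow payload type.
find_fv_escrow_profiles() {
    awk -v target="$FV_ESCROW_PAYLOAD" '
        # Remember which key the next <string> value belongs to.
        /<key>ProfileDisplayName<\/key>/ { want = "name"; next }
        /<key>ProfileIdentifier<\/key>/  { want = "id";   next }
        /<key>PayloadType<\/key>/        { want = "type"; next }
        /<key>/                          { want = "";     next }
        /<string>/ && want != "" {
            s = $0
            sub(/^[ \t]*<string>/, "", s)
            sub(/<\/string>.*$/, "", s)
            if (want == "name") { name = s; reported = 0 }
            else if (want == "id") id = s
            else if (want == "type" && s == target && !reported) {
                printf "%s\t%s\n", name, id
                reported = 1      # a profile with two escrow payloads is listed once
            }
            want = ""
        }
    '
}

# Number of installed profiles carrying the payload; anything above one is the
# conflict behind "A profile with a FileVault Recovery Key Escrow payload is
# already installed".
count_fv_escrow_profiles() {
    find_fv_escrow_profiles | wc -l | tr -d ' '
}

# Constructed sample in the shape of `profiles -C -o stdout-xml` output.
SAMPLE_PROFILES='<plist version="1.0">
<dict>
  <key>_computerlevel</key>
  <array>
    <dict>
      <key>ProfileDisplayName</key>
      <string>Security Baseline</string>
      <key>ProfileIdentifier</key>
      <string>com.example.baseline</string>
      <key>ProfileItems</key>
      <array>
        <dict>
          <key>PayloadType</key>
          <string>com.apple.screensaver</string>
        </dict>
        <dict>
          <key>PayloadType</key>
          <string>com.apple.security.FDERecoveryKeyEscrow</string>
        </dict>
      </array>
    </dict>
    <dict>
      <key>ProfileDisplayName</key>
      <string>Wi-Fi</string>
      <key>ProfileIdentifier</key>
      <string>com.example.wifi</string>
      <key>ProfileItems</key>
      <array>
        <dict>
          <key>PayloadType</key>
          <string>com.apple.wifi.managed</string>
        </dict>
      </array>
    </dict>
    <dict>
      <key>ProfileDisplayName</key>
      <string>FileVault Escrow</string>
      <key>ProfileIdentifier</key>
      <string>com.example.fv-escrow</string>
      <key>ProfileItems</key>
      <array>
        <dict>
          <key>PayloadType</key>
          <string>com.apple.security.FDERecoveryKeyEscrow</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>'

# Demo on the constructed sample. On a Mac, run instead:
#   sudo profiles -C -o stdout-xml | find_fv_escrow_profiles
printf '%s\n' "$SAMPLE_PROFILES" | find_fv_escrow_profiles
```

The awk pass only tracks three keys and the string that follows each, so it does not depend on a full plist parser; if the payload shows up under a profile you did not expect, that profile is the one to split or trim before the dedicated escrow profile will install.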
Posted on 08-19-2021 06:55 AM
You win!
It was already in my FV configuration profile. I do have 1 rule per config policy; it is good practice!
Posted on 08-19-2021 07:34 AM
I know - been there! That's why I posted...trying to find these things can be a PITA 🙂
Posted on 06-16-2023 03:42 PM
Hi folks! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.
My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.
You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.
Thanks!