Forcing Logout to kick off FileVault 2 in year 2024

ivan_scekic
New Contributor

Hey everyone,

We're currently in the POC phase with Jamf, and there's something that's really bugging me. We tried Kandji before, and their FileVault solution is way better than Jamf's. With Kandji, you just set up the profile, assign it to a Blueprint, and if FileVault is already enabled, it prompts the user to enter their password, rotates the key, and escrows it to their server. If FileVault isn't enabled, it forces the user to log off to enable FileVault and escrow the key. But with Jamf... it's not as simple as creating the config profile.

For machines that already have FileVault enabled, we had to set up EscrowBuddy. The instructions were clear, but now we have 10 devices enrolled and 8 of them haven't escrowed their FileVault2 key to the Jamf server. This could go on forever because there doesn't seem to be an integrated solution (I couldn't find one in the options or this forum) that forces the user to log off.

Does anyone have experience with this or know how to tackle the logoff issue? Thanks!


AJPinto
Honored Contributor III

Each MDM is very different and puts custom focus and tooling into different areas. Jamf has a metric crap ton of automation in application deployment and patching as well as offering many security services that Kandji does not offer.


You can script out everything Kandji is doing simply enough. 

  • FileVault is already enabled, it prompts the user to enter their password - Escrow Buddy can do this, as you already mentioned.
  • If FileVault isn't enabled, it forces the user to log off to enable FileVault and escrow the key - You can have a policy log users out on unencrypted devices and have your FV configuration set up to enable FV at login.


Honestly, talk to your Jamf sales rep and ask for a solutions expert to help you solve this blocker. If Jamf wants your money they will help you out.


However, there is one very important thing you are not considering. When migrating between MDMs, you want to wipe and load, which will resolve all of your FV problems. Unless you want to hands-on touch every single device, release it from Kandji, enroll it into Jamf, then use the profiles command to change the management state from Managed to Supervised and enter credentials to accept the profile update (cannot be done through CLI) so you can actually manage the device, you will wipe and load. Many organizations have no tolerance for unmanaged devices in users' hands, even if only for a few minutes.
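The "policy that logs users out on unencrypted devices" step above, written out as an added example for this thread (it is not AJPinto's, Jamf's or Kandji's code). It classifies `fdesetup status` output and logs the console user out only when FileVault is plainly Off, leaving Macs that are still encrypting or already have deferred enablement armed alone; it assumes it runs as root from a Jamf policy and that a FileVault configuration profile with enable-at-login is already scoped to the Mac.

```shell
#!/bin/sh
# Jamf policy script (added example, not from this thread): log the console user
# out of a Mac whose FileVault is still Off so the FileVault configuration
# profile's enable-at-login setting takes effect at the next login.
# Assumes: runs as root from a Jamf policy; an enable-at-login FileVault profile
# is already scoped to the Mac; no swiftDialog needed (plain osascript dialog).

# Classify raw `fdesetup status` output. Pure function so it can be exercised
# with constructed output on any platform. Order matters: the "encrypting" and
# "deferred" messages also contain the On/Off line.
fv_state() {
	case "$1" in
		*"Encryption in progress"*) echo "encrypting" ;;
		*"FileVault is On"*)        echo "on" ;;
		*"Deferred enablement"*)    echo "deferred" ;;
		*"FileVault is Off"*)       echo "off" ;;
		*)                          echo "unknown" ;;
	esac
}

# Only a plain Off state earns a forced logout; encrypting and deferred Macs
# just need time (or the pending login), and unknown output should be looked at
# by a human rather than acted on.
fv_action() {
	case "$1" in
		off) echo "logout" ;;
		*)   echo "none" ;;
	esac
}

# Warn the user for 60 seconds, then ask loginwindow to log out so apps can save.
force_logout() {
	uid=$(id -u "$1")
	launchctl asuser "$uid" sudo -u "$1" osascript -e \
		'display dialog "FileVault is required on this Mac. You will be logged out in 60 seconds so it can be enabled at your next login. Save your work now." buttons {"OK"} giving up after 60 with icon caution'
	launchctl asuser "$uid" sudo -u "$1" osascript -e 'tell application "System Events" to log out'
}

main() {
	console_user=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && !/loginwindow/ { print $3 }')
	[ -z "$console_user" ] && { echo "No console user; nothing to do"; exit 0; }
	state=$(fv_state "$(/usr/bin/fdesetup status 2>&1)")
	echo "FileVault state: $state"
	if [ "$(fv_action "$state")" = "logout" ]; then
		force_logout "$console_user"
	fi
}

# The macOS-specific flow only runs where fdesetup exists (skipped elsewhere).
if [ -x /usr/bin/fdesetup ]; then main "$@"; fi
```

Scope the policy to a smart group built on an extension attribute that reports `fdesetup status`, so a Mac drops out of scope once it reads On and the logout never fires twice.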

howie_isaacks
Valued Contributor II

Kandji has some nice features but it's nowhere near as capable as Jamf Pro. I actually lost a job once because of Kandji so my opinion of Kandji can't be said in a professional setting like Jamf Nation. I had some Macs that for some reason did not have a recovery key escrowed in their inventory. I created a script to attach to a policy that displays a Swift Dialog window to users to click a button to re-issue the recovery key so it can be escrowed when the Mac runs its next inventory. The process that I wrote requires a reboot, so users have no choice but to perform the reboot. My solution could be modified to enforce getting FileVault turned on too. If the user decides to generate the key later, a "status" file gets created that makes the Mac fall into scope for a reminder policy. I'm going to re-write this soon to use a PLIST to track deferrals and create an aggressive mode in Swift Dialog to nag users to get this done.

#!/bin/zsh

###########################
# Generates a new FileVault recovery key. Prompts the user to reboot to complete the process.
# Generating the new key is performed by Escrow Buddy.
# https://github.com/macadmins/escrow-buddy
# Escrow Buddy is installed using Jamf policy custom trigger "install-escrowbuddy"
#
# 1/30/24 | Howie Isaacks
# 2/16/24 Added step in "generateKey" function to remove the FVKeyRequired status file.
###########################

# Variables
dialogBinary="/usr/local/bin/dialog"
jamfBinary="/usr/local/jamf/bin/jamf"
title="Generate new FileVault Recovery key"
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
currentUserID=$(id -u "$currentUser")
statusFolder="/usr/local/Status"
statusFile="$statusFolder/FVKeyRequired"

# Dialog settings
dialog_cmd=(
	-p
	-o
	--title "$title"
	--titlefont "size=18"
	--message "Please click **Reboot** to generate a new FileVault recovery key for your Mac. A new key will be generated when your Mac reboots. Before clicking Reboot, save your work and quit your apps. If you choose not to generate a new recovery key now, you will be reminded later to generate the new recovery key."
	--messagealignment "left"
	--messageposition "top"
	--height '300'
	--width '650'
	--icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns"
	--iconsize "150"
	--button1text "Reboot"
	--button2text "Generate new key later"
)

#### Functions ####

# Check if Swift Dialog is installed (test for the executable, not just a non-empty path string)
function dialogCheck (){
	if [ -x "$dialogBinary" ]; then
		echo "Swift Dialog is installed. Continuing..."
	else
		echo "Swift Dialog is not installed. Installing..."
		$jamfBinary policy -event install-swiftdialog --forceNoRecon
	fi
}

# Run a command as the current console user (the policy itself runs as root)
function runAsUser(){
	launchctl asuser "$currentUserID" sudo -u "$currentUser" "$@"
}

# Reboot as current logged in user.
function rebootAsUser(){
	sleep 5 && runAsUser osascript -e 'tell app "System Events" to restart'
}

# Generate new FileVault Recovery key
function generateKey(){
	if [ -e "$statusFile" ]; then
		echo "Status file found. Removing it so the user won't get nagged again..."
		rm "$statusFile"
	else
		echo "Status file not found. Continuing..."
	fi
	echo "Installing Escrow Buddy and running the command to generate a new recovery key"
	$jamfBinary policy -event install-escrowbuddy --forceNoRecon
	# With this flag set, Escrow Buddy generates and escrows a new key at the next login
	defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
}

# Create status file so that the user will be reminded later to generate a new recovery key
function remindFVKey() {
	# Check if Status folder is present
	echo "Checking for Status folder"
	if [ -d "$statusFolder" ]; then
		echo "Status folder found..."
	else
		echo "Status folder not found... Creating it"
		mkdir "$statusFolder"
	fi
	# Creating status file
	echo "Creating status file"
	touch "$statusFile"
}

#### Run the logic ####

# Check if Swift Dialog is installed
dialogCheck
# Launch Swift Dialog
echo "Launching Dialog"
"$dialogBinary" "${dialog_cmd[@]}"
dialogResults=$?
echo "Dialog exited with the following code: $dialogResults"
# Generate new FileVault recovery key if user clicked Reboot
if [ "$dialogResults" = "0" ]; then
	echo "Generating new recovery key"
	generateKey
	echo "Rebooting..."
	rebootAsUser
elif [ "$dialogResults" = "2" ]; then
	echo "User clicked generate new key later"
	remindFVKey
else
	echo "Dialog exited with an unexpected code"
fi

$jamfBinary recon

exit 0
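The plist-based deferral tracking and escalating "aggressive mode" that howie_isaacks says he plans to add, sketched as an added example (not his code, nor Escrow Buddy's or swiftDialog's). It replaces the empty FVKeyRequired status file with a count in a plist and decides, from that count, how hard the next prompt should push; the `com.example.fvkey` preference domain, its keys and the limit of three deferrals are assumptions.

```shell
#!/bin/sh
# Added example (not howie_isaacks' code): track "Generate new key later" clicks
# in a plist instead of an empty status file, and escalate the swiftDialog prompt
# as the count grows. Hypothetical preference domain and keys; adjust to taste.
plist="/Library/Preferences/com.example.fvkey.plist"   # hypothetical domain
maxDeferrals=3                                         # assumed limit

# Deferrals recorded so far; 0 when the plist or key does not exist yet
# (also 0 off macOS, where /usr/bin/defaults is absent).
deferral_count() {
	/usr/bin/defaults read "$plist" DeferralCount 2>/dev/null || echo 0
}

# Record one more deferral with an epoch timestamp (macOS only; runs as root
# from the Jamf policy, so the plist lives in /Library/Preferences).
record_deferral() {
	/usr/bin/defaults write "$plist" DeferralCount -int "$(( $(deferral_count) + 1 ))"
	/usr/bin/defaults write "$plist" LastDeferral -int "$(date +%s)"
}

# Clear the record once a key has been generated (the Reboot path in the
# thread's script would call this where it removes the status file today).
clear_deferrals() {
	/bin/rm -f "$plist"
}

# Pure decision, testable anywhere: which prompt to show for a count and limit.
#   normal     - polite prompt, "later" button available
#   aggressive - window kept on top, "later" still allowed but flagged as last chance
#   forced     - no "later" button; Reboot is the only way out
nag_mode() {
	if [ "$1" -ge "$2" ]; then echo "forced"
	elif [ "$1" -ge $(( $2 - 1 )) ]; then echo "aggressive"
	else echo "normal"
	fi
}

# Jamf Extension Attribute body: report the count so the reminder policy can be
# scoped to Macs with DeferralCount > 0, the way the status file scopes it now.
ea_result() {
	echo "<result>$(deferral_count)</result>"
}

# Current mode for this Mac, for the policy script to pick its dialog flags from.
current_mode() {
	nag_mode "$(deferral_count)" "$maxDeferrals"
}
```

In the thread's script, the `elif [ "$dialogResults" = "2" ]` branch would call `record_deferral` instead of `remindFVKey`, and `dialog_cmd` would drop `--button2text` entirely when `current_mode` returns `forced`.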