FV2 10.13 Key Rotation

mapurcel
Contributor III

Has anyone got FV2 Key Rotation working through policy for 10.13? I understand that the management account needs to be enabled for FV2 for this to work, but that policy also fails for me.



bradtchapman
Valued Contributor II

You need to build a Configuration Profile with the Security / Privacy payload, and enable the FileVault2 key escrow there.

It's unfortunate that this wasn't broken out into a separate item, as some people might not want a few of the other settings managed.

Dials_Mavis
New Contributor II

I'm currently testing Elliot Jordan's jss-filevault-reissue script, I'll let you know how I go, maybe you can test this yourself too. https://github.com/homebysix/jss-filevault-reissue

maurits
Contributor

I have worked with Elliot's script and notes, and all worked fine on 10.12.6 and 10.13.2. In my tests it works best to have two profiles: one scoped to ≤ 10.12.6 with FileVault redirection and another scoped to 10.13+ with the FV escrow key.
I have to test on 10.13.3, and need to test the manual profile to manage ONLY the key escrow, not the rest of the security settings on 10.13, before we put it in production.

mapurcel
Contributor III

@bradtchapman Forgot to mention I did initially enable escrow via Configuration Profile. I have a requirement to rotate the keys weekly, so I was attempting to use the Jamf policy 'Issue New Recovery Key', but this fails, presumably because the Jamf management account does have a secure token.

If you run these two commands you can see if the management account has a secure token and, if not, give it one, but I'm not sure how to automate this. (Once you give the management account a secure token, the Jamf policy I initially posted a screenshot of does indeed work to issue a new recovery key.)

# Report whether the account holds a Secure Token (prints "Secure token is ENABLED/DISABLED for user ...")
sysadminctl interactive -secureTokenStatus "$username"
# Grant a Secure Token to "username", authorising with an admin account that already holds one
sysadminctl interactive -adminUser "Adminusername" -adminPassword "adminpassword" -secureTokenOn "username" -password "user_password"

@Dials_Mavis @maurits I will take a look at the reissue script and let you know what I find out
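One way to automate the check-then-grant step described above as a Jamf policy script. This is an added example, not code from the thread, from Jamf, or from the jss-filevault-reissue project; the policy parameter positions ($4 to $7) and the idea of supplying the token holder's credentials via policy parameters rather than in the script are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): ensure the Jamf management account
# holds a Secure Token so that "Issue New Recovery Key" can succeed.
# Assumed Jamf policy parameters:
#   $4 management account name   $5 its password
#   $6 existing Secure Token holder   $7 that holder's password

# sysadminctl prints its status line to stderr, e.g.
#   sysadminctl[845:9931] Secure token is ENABLED for user mgmt
# Returns 0 when the text reports ENABLED, 1 otherwise.
token_enabled() {
    printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# Query one account's token status (macOS only; no admin credentials needed).
secure_token_status() {
    sysadminctl -secureTokenStatus "$1" 2>&1
}

main() {
    local mgmt_user="$4" mgmt_pass="$5" holder_user="$6" holder_pass="$7"
    local status

    status="$(secure_token_status "$mgmt_user")"
    if token_enabled "$status"; then
        echo "$mgmt_user already has a Secure Token; nothing to do."
        return 0
    fi

    # sysadminctl takes passwords only as arguments, so they are briefly
    # visible in the process table; keep them in policy parameters, never
    # hard-coded in the script body.
    sysadminctl -adminUser "$holder_user" -adminPassword "$holder_pass" \
        -secureTokenOn "$mgmt_user" -password "$mgmt_pass" 2>&1

    # Re-check rather than trusting the exit code.
    status="$(secure_token_status "$mgmt_user")"
    if ! token_enabled "$status"; then
        echo "Failed to grant a Secure Token to $mgmt_user" >&2
        return 1
    fi
    echo "Secure Token granted to $mgmt_user."
}

# Only run the macOS-specific part on macOS; Jamf passes parameters as $4 onward.
if [ "$(uname)" = "Darwin" ]; then
    main "$@"
fi
```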

elliotjordan
Contributor III

Hi! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to many of you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!