Posted on 03-06-2015 02:45 PM
Putting it out to Jamf Nation because the feedback is always spot on.
We have been looking at FV2 for a replacement to our current encryption.
Convincing aside to management and other "naysayers", screenshots of the JSS showing them the information they needed really sold it.
.... but there is always a prickly thorn. We can view and poll our FV2 information. See the recovery code and admire it and use it, and go "look, it works". Then along come rules, legal requirements, etc. etc. etc.
So, in a nutshell, how do we preserve the machine name and recovery key forever.........
When someone leaves our enterprise we archive... The hard drive goes to a vault, and, granted, sending the key with it seems to me like the easiest solution.......
But right now we use PGP, which keeps a nice nice database around well... pretty much forever.
If we use FV2, and reimage the box with a new hard drive for use, that overwrites the JSS record and thus the FV2 record from the previous hard drive.
Export to CSV? Then use a routine to pull current information nightly into a database?
Checked into VB scripts, and other forms of translation, to attempt to export this information directly into AD and attach it to the BitLocker tab in our AD record....
Just wondering if anyone else may have to deal with organization specifics for FV2 along these lines, and what was done to overcome it.
Appreciated and have a great weekend!
Posted on 03-06-2015 06:20 PM
Are you using an institutional key? Wouldn't that solve the dilemma?
Posted on 03-07-2015 01:45 AM
You could look at the API to see if the key can be read out: https://your.jss.com:8443/api. If it's anywhere it will probably be in the computer's inventory record.
If it is, you could script the export from the JSS into AD using DSCL.
If that's a bit daunting, it could just be a manual process for someone to copy from the web interface and paste into the AD record (or somewhere else).
Posted on 03-07-2015 01:54 AM
I think the FV2 keys are encrypted for security in the JSS.
(Paging @Banks so he can chime in).
But if you're re-imaging the Mac... then the OLD FV2 key is useless, right? Unless you're swapping HDs between re-imaging...
Posted on 03-07-2015 05:27 AM
One way to handle this is to set up your Macs to have both a personal recovery key and an institutional recovery key. Reserve the use of the institutional key for when you archive the hard drive.
That way, you don't have to track the personal recovery key for archival purposes, you just need to track which drives used the institutional key in question.
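An added example (not from this thread or from Jamf) of the two-key setup described above: enable FileVault 2 with both the institutional key from FileVaultMaster.keychain and a personal recovery key, then emit one line for the archive log recording which keys the Mac carries. It assumes the institutional keychain is already deployed at /Library/Keychains/FileVaultMaster.keychain and that a constructed plist at /private/tmp/fv_input.plist holds the local admin Username/Password keys.

```shell
#!/bin/sh
# Added example: enable FV2 with institutional + personal recovery keys and
# log the key status for the drive-archive record. Not Jamf's code.
PLIST_IN="/private/tmp/fv_input.plist"    # constructed: Username/Password plist
PLIST_OUT="/private/tmp/fv_output.plist"  # constructed: fdesetup -outputplist result
ARCHIVE_LOG="/private/tmp/fv_archive.csv" # constructed: serial,model,key_status

# Pull the RecoveryKey string out of fdesetup's -outputplist XML.
# Pure sed so it can be exercised without fdesetup; prints the key or nothing.
extract_prk() {
    sed -n '/<key>RecoveryKey<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}

# Map the answers from `fdesetup haspersonalrecoverykey` ($1) and
# `fdesetup hasinstitutionalrecoverykey` ($2) to a label for the archive log.
key_status() {
    case "$1:$2" in
        true:true)  echo "personal+institutional" ;;
        true:false) echo "personal-only" ;;
        false:true) echo "institutional-only" ;;
        *)          echo "none" ;;
    esac
}

enable_both_keys() {
    # -keychain adds the institutional key; without -norecoverykey fdesetup
    # also generates a personal key and returns it in the output plist.
    fdesetup enable -keychain -inputplist -outputplist < "$PLIST_IN" > "$PLIST_OUT" || return 1
    chmod 600 "$PLIST_OUT"
    prk=$(extract_prk "$PLIST_OUT")
    rm -f "$PLIST_OUT"
    # The PRK itself goes to the JSS escrow; only its presence is logged here.
    [ -n "$prk" ] || echo "warning: no personal recovery key returned" >&2

    serial=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/{print $4}')
    model=$(sysctl -n hw.model)
    status=$(key_status "$(fdesetup haspersonalrecoverykey)" "$(fdesetup hasinstitutionalrecoverykey)")
    echo "$serial,$model,$status" >> "$ARCHIVE_LOG"
}

# Only touch fdesetup when explicitly asked, so the helpers can be sourced safely.
if [ "${1:-}" = "--enable" ]; then
    enable_both_keys
fi
```

Run it as root with `--enable` on the Mac being provisioned; the log line is what the archive process later matches against the institutional key's certificate.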
Posted on 03-07-2015 02:12 PM
Rich has got the right of it. If you need the individual key, make it part of the decommissioning process to retrieve the key and put it in a separate database linked to the drive asset item along with the make/model/serial number.
As for getting at the individual key via some automated method. Currently the key is inaccessible via the API. I would love it to be there, but there is (obviously) concern around this due to security and auditing so I understand why it is not (yet) accessible. Accessing the SQL database directly will get you an encrypted version of the key. While I'm sure there is some way of decrypting it, I haven't dug in that deep to figure it out.