Posted on 01-09-2015 11:08 AM
My JSS is on 9.6.2. Hoping to reset a few FV2 recovery keys for some Maverick/Yosemite clients.
I created a policy and targeted the devices that had a mismatched key.
Action: Issue new recovery key.
Recovery Key Type: Institutional
Disk Encryption Configuration for Institutional Key: <Company> Workstation Encryption
Require FileVault 2: At next login
I had this run on a trigger and executed it on my test box. The output from my JSS reads the following:
Has anyone else seen this before?
Posted on 01-09-2015 11:21 AM
Is your management account enabled in FileVault 2? That's one of the requirements for Casper to be able to update the recovery key.
Posted on 01-09-2015 11:38 AM
In addition to making sure that the management account is enabled for FileVault, like @wyip mentioned, if the individual encryption key was not added with a configuration profile or an encryption configuration, and/or you don't have an institutional FileVault Key installed - then you will be unable to replace the individual key. How was FileVault initially enabled on the test box that failed?
Posted on 01-09-2015 01:02 PM
Regarding the management account: I am using user-initiated enrollment and as part of this I have the management account added. Then I have a policy that runs against a smart group that has managed computers without FV2 enabled. That policy has the following actions:
Disk Encryption
Action: Apply Disk Encryption Configuration
Disk Encryption Configuration: <company> Workstation Encryption
Require FileVault 2: At next login
I don't see where I can specify that the management account is enabled for FileVault 2. Under User-Initiated Enrollment there doesn't appear to be an option for this. I think that also may be a concern when users start their computers. Will the management account be listed?
I do have an institutional key installed and I have successfully tested the recovery key and institutional key stored in the JSS on systems that were previously encrypted with the JSS.
I have 2 scenarios that I am testing the Issue New Recovery Key feature with.
Posted on 01-09-2015 01:11 PM
I now see that under Disk Encryption Configurations that there is an option to Enable FileVault 2 User. In my situation this has been set to Current or next user. This was done to ensure the active user can sign back in to their computer using their own credentials to unlock the FV2 volume.
It makes perfect sense that the management account needs to be enabled for FV2 in order to update the recovery key. Soooooo....
Posted on 01-09-2015 01:24 PM
If you enable the management account for FV2, it will show up at the FileVault preboot screen user list, as you asked about above. This is the primary reason we won't do it here. Until/If Apple changes or adds the ability to force the FV2 boot screen to username & password fields, instead of List of users, we only enable the main user of the system, not our management account.
Posted on 01-09-2015 02:07 PM
@mm2270 - Thank you for confirming. Glad I am not the only one with that concern.
Knowing all of this now, am I unable to re-issue new FV2 keys?
Posted on 01-09-2015 02:25 PM
@JAMF_noob When we have had to get machines that were FV enabled before Casper to have new keys, we have used JAMF's script to do it. Since the key can only be re-issued when prompted by a user who is already FV enabled, it will require the user to type in their password. You need to do two steps:
1.) Set up a computer-level configuration profile with a FileVault Key Redirect payload and have it set to "Automatically redirect recovery keys to the JSS"
https://dl.dropboxusercontent.com/u/519077/screenshot_74.png
2.) Add this script to the JSS https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh and deploy it however it makes sense for you. We did it with Self Service. The user gets prompted for their password, they enter, it runs the command to re-issue a key, the key gets re-directed to the JSS.
Posted on 01-09-2015 02:43 PM
Thank you Chris. I'll give this a shot. Much appreciated.
Posted on 01-12-2015 09:57 AM
I ran this through its paces and it worked like a champ. Thank you for the tip Chris!
Posted on 06-20-2016 07:44 AM
@chriscollins Just stumbled across this. I am hoping it will solve my issue.
I got a question.
Does this script handle spaces in a password?
I'm trying it but I'm getting this in the log of the Policy:
[STEP 1 of 4]
Executing Policy ams.Re Issue Encryption Key
[STEP 2 of 4]
Running script ams.ReIssueEncryptionKey...
Script exit code: 0
Script result: Prompting help for their login password.
Issuing new recovery key
missing close-brace
while executing
"send {I"
couldn't read file "need": no such file or directory
[STEP 3 of 4]
[STEP 4 of 4]
Posted on 06-20-2016 08:11 AM
Just verified, it works if there are no spaces in the password.
Any chance your script can be updated to accommodate spaces in passwords?
Thanks in advance! And great solution!!
-p
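The errors in the policy log above ("couldn't read file "need"" and "missing close-brace" right after "send {I") are what a shell wrapper produces when a password containing spaces is expanded unquoted and then handed to expect as program text: the shell splits "I need ..." into separate arguments, and whatever is left is parsed by Tcl. The script below is an added example written for this thread; it is not the JAMFSupport reissueKey.sh script linked earlier. It reproduces the word-splitting failure in a way you can run anywhere, and then shows one way to reissue the personal recovery key without any expect program text at all: fdesetup's -inputplist option, which reads a property list with Username and Password keys from standard input. The sample user name and password are constructed, and the function only calls fdesetup when it is present (macOS, run as root).

```shell
#!/bin/sh
# Added example for the thread above; not the JAMFSupport reissueKey.sh script.
# Part 1 shows why a password with spaces breaks an unquoted shell expansion.
# Part 2 builds an fdesetup -inputplist document with proper XML escaping so
# spaces, braces, '&', '<' and '>' in the password are carried through intact.

# Constructed sample credentials (not real).
SAMPLE_USER='localadmin'
SAMPLE_PASS='I need <more> & {coffee} now'

# A literal newline, used to reject values that cannot be carried safely.
NL=$(printf '\nx'); NL=${NL%x}

# --- Part 1: the failure mode seen in the policy log ---------------------

count_args() { echo "$#"; }

# Unquoted expansion: the shell splits the value on whitespace, so a call
# like `expect -c $script` receives "need" as a second argument, which
# expect then tries to open as a file.
argc_unquoted() { count_args $1; }

# Quoted expansion keeps the whole password as one argument.
argc_quoted() { count_args "$1"; }

# --- Part 2: hand credentials to fdesetup without expect -----------------

# Escape the three characters that are special in XML text content.
# '&' must be handled first so the other replacements are not re-escaped.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# A credential is usable only if it is non-empty and has no embedded newline.
credential_ok() {
    case "$1" in
        '')        return 1 ;;
        *"$NL"*)   return 1 ;;
    esac
    return 0
}

# Emit the plist that fdesetup -inputplist expects on standard input.
build_inputplist() {
    user=$1
    pass=$2
    credential_ok "$user" && credential_ok "$pass" || return 1
    printf '%s\n' \
      '<?xml version="1.0" encoding="UTF-8"?>' \
      '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
      '<plist version="1.0">' \
      '<dict>' \
      '  <key>Username</key>' \
      "  <string>$(xml_escape "$user")</string>" \
      '  <key>Password</key>' \
      "  <string>$(xml_escape "$pass")</string>" \
      '</dict>' \
      '</plist>'
}

# Reissue the personal recovery key for a FileVault-enabled user. Meaningful
# only as root on macOS; elsewhere it reports and returns 2. fdesetup prints
# the new key; with the FileVault Key Redirect profile from step 1 of the
# thread in place, the key is sent to the JSS as described there.
reissue_personal_key() {
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo "fdesetup not found; this only runs on macOS" >&2
        return 2
    fi
    build_inputplist "$1" "$2" | fdesetup changerecovery -personal -inputplist
}

# Usage (as root on macOS, after collecting the user's password from a prompt):
#   reissue_personal_key "$user" "$pass"
```

Because the password never becomes part of a program text, neither the shell nor Tcl gets a chance to interpret its characters; the only transformation applied is XML escaping, which fdesetup reverses when it parses the plist.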