FV2 Key Escrow Problem; Asking again after a few weeks

rlowry
New Contributor III

I used this process to rekey/key escrow all my Macs on High Sierra and Mojave, and it seems to be working fine.

https://github.com/homebysix/jss-filevault-reissue

I am seeing some strange behavior, however. Someone told me they were asked to Rekey/Escrow multiple times. Upon checking the policy logs, I can see a few users were asked to Rekey again a few weeks after they had initially Rekeyed.

I can't seem to find any similarities between the computers that this is happening to.
Has anyone experienced this?

It's almost like the key goes bad or gets corrupted.


Brad_G
Contributor II

We ran into a situation where a machine would ask daily (our policy to encrypt machines default) to generate a new key.

In our case it appeared something happened to the config profile that escrows the key. We had to remove profiles from the client and re-run the jamf manage (I believe this was it) command so it would pull down a new set of config profiles from the JSS. That solved it for the few we've run into.

rlowry
New Contributor III

For completeness and other searching, here's what I've found.

I had the policy running Once per day and changed that to Once per computer.
It requires a little more active monitoring on your part, but keeps people from being asked to rekey multiple times.

As part of my investigation I made a smart group that detects when a rekey is needed and had it send me emails when the group membership changes. I found that computers are being "randomly" added to and removed from the smart group, and I'm not sure why but I'm also not investigating more.

Here are two examples of when emails were sent to me from computers that seemingly needed the key escrowed, and were then removed from that group with no user interaction.

Computer 1 Added
Thu, Jul 25, 10:50 AM
Computer 1 Removed
Thu, Jul 25, 11:21 AM

Computer 2 Added
Mon, Jul 29, 9:55 AM
Computer 2 Removed
Mon, Jul 29, 9:56 AM

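The two posts above describe the same failure mode from both ends: a policy that runs "once per day" against a smart group whose membership flaps will re-prompt the same person for their password, and switching to "once per computer" stops the prompts but means a genuinely invalid key is never retried. The script below is an added example written for this thread; it is not code from the original posts, from jss-filevault-reissue, or from Escrow Buddy. It shows a client-side guard that a policy could wrap around a reissue script: it only prompts when the escrowed key is not known to be valid, and it throttles prompts to one per MIN_DAYS per machine using a local timestamp file, so a smart group that flaps for an hour (as in the timestamps above) cannot trigger a second prompt. The validation state argument ("Valid", "Invalid", "Unknown"), the STATE_FILE path, MIN_DAYS, and the epoch values in the demo are all assumptions made for this example, not values from the thread.

```shell
#!/bin/bash
# Added example for this thread; not part of jss-filevault-reissue or Escrow Buddy.
# Decides whether a FileVault rekey prompt should be shown on this machine.
#
# Assumptions (not from the original posts):
#   - the caller passes the key validation state it obtained from Jamf as $1
#     ("Valid", "Invalid" or "Unknown") and the current epoch time as $2;
#   - STATE_FILE is a root-writable marker path (hypothetical default below);
#   - MIN_DAYS is the minimum gap between prompts to the same machine.

MIN_DAYS=${MIN_DAYS:-30}
STATE_FILE=${STATE_FILE:-/var/db/.fv_rekey_guard}   # hypothetical path

# needs_rekey STATE -> returns 0 (true) unless the escrowed key is known Valid.
# "Unknown" is treated as needing a rekey: an unverifiable key is no escrow.
needs_rekey() {
    case "$1" in
        Valid) return 1 ;;
        *)     return 0 ;;
    esac
}

# prompt_allowed NOW -> returns 0 if no prompt was recorded in the last MIN_DAYS.
# A missing or corrupt marker file is treated as "never prompted".
prompt_allowed() {
    local now=$1 last
    [ -f "$STATE_FILE" ] || return 0
    last=$(cat "$STATE_FILE" 2>/dev/null)
    case "$last" in ''|*[!0-9]*) return 0 ;; esac
    [ $(( now - last )) -ge $(( MIN_DAYS * 86400 )) ]
}

# record_prompt NOW -> remembers that the user was prompted at epoch NOW.
record_prompt() {
    printf '%s\n' "$1" > "$STATE_FILE"
}

# decide STATE NOW -> prints exactly one of: skip-valid, skip-throttled, rekey
# "rekey" is where the policy would hand off to its reissue script.
decide() {
    local state=$1 now=$2
    if ! needs_rekey "$state"; then
        echo skip-valid
        return 0
    fi
    if ! prompt_allowed "$now"; then
        echo skip-throttled
        return 0
    fi
    record_prompt "$now"
    echo rekey
}

# Constructed walk-through (epoch values are made up for this example):
# the key is reported Invalid, the user is prompted once, the smart group
# flaps and the policy runs again 31 minutes later, and that run is throttled.
if [ "${1:-}" = "--demo" ]; then
    STATE_FILE=$(mktemp)
    decide Invalid 1564066200   # rekey
    decide Invalid 1564068060   # skip-throttled
    decide Valid   1564068060   # skip-valid
    rm -f "$STATE_FILE"
fi
```

Run it with `--demo` to see the three outcomes. In a real policy the caller would obtain the validation state the same way the smart group does, feed `$(date +%s)` as the second argument, and only invoke the reissue step when `decide` prints `rekey`; the marker file is what turns a flapping "once per day" policy into "at most once per MIN_DAYS per machine" without giving up on machines whose key really is invalid.
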
elliotjordan
Contributor III

Hi there! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!