FV2 Recovery Key Upload

alexjdale
Valued Contributor III

We currently run a "once per day" inventory, so enabling FileVault 2 leads to a gap of at least one day where we do not have the Recovery Key escrowed in the JSS. I need to mitigate this risk.

Does anyone have an idea of how I can make a one-time inventory run after the reboot which kicks off FV2 encryption and creates the Recovery Key?

Thanks,
Alex

4 REPLIES

jarednichols
Honored Contributor

You could create a self service item that simply runs a recon. After it's rebooted and encrypting, just manually run that. It can be useful for other reasons to have this available to users.

alexjdale
Valued Contributor III

Yeah, unfortunately with our culture here, it's expected that users don't have to do anything and it all just happens automatically for them.

Empowerment without any responsibility is a dangerous thing. :-)

The only thing I can think of is a scheduled task that checks for the FV2 plist that is created after encryption which forces a recon and self-deletes when it's done. I can't simply tie it to run once after the FV2 policy executes since users can defer entering their password indefinitely.
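As an added example (not code from the thread), here is the polling variant alexjdale describes: a LaunchDaemon that fires on a StartInterval, checks whether FileVault 2 has actually been turned on, runs a recon once it has, and removes itself only after the recon succeeds. Instead of looking for a specific plist it reads `fdesetup status` (OS X 10.8 or later); the script path, daemon label and five-minute interval are assumptions, as is the assumption that the jamf binary lives in /usr/local/bin or /usr/sbin.

```shell
#!/bin/sh
# fv2_recon_poll.sh (hypothetical name and path; not from the original thread)
#
# Installed by the FileVault policy together with the LaunchDaemon printed by
# daemon_plist below. launchd runs it every StartInterval seconds; nothing
# happens until `fdesetup status` reports FileVault as on, which is the point
# at which the recovery key exists and a recon will escrow it.
#
# Assumptions: fdesetup is present (OS X 10.8+); the jamf binary is at
# /usr/local/bin/jamf or /usr/sbin/jamf (launchd's default PATH does not
# include /usr/local/bin, so it is resolved explicitly).

LABEL="com.company.fv2_recon_poll"                 # hypothetical label
PLIST="/Library/LaunchDaemons/${LABEL}.plist"
SCRIPT="/Library/Scripts/fv2_recon_poll.sh"        # hypothetical install path

# Return 0 when the fdesetup output passed as $1 says FileVault is on.
# "Encryption in progress" output starts with the same line, so a machine
# still encrypting also counts: the recovery key is already generated.
fv2_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Print the path of the jamf binary, or fail if none is found.
find_jamf() {
    for p in /usr/local/bin/jamf /usr/sbin/jamf; do
        if [ -x "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Remove the daemon plist and this script so the check never runs again.
# A StartInterval job whose plist is gone will not be re-scheduled at the
# next boot, so no explicit launchctl unload is needed.
self_destruct() {
    rm -f "$PLIST"
    rm -f "$0"
}

# Print the LaunchDaemon that drives this script: once at load, then every
# 300 seconds, until the script deletes it.
daemon_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${LABEL}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>${SCRIPT}</string>
        <string>--run</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>300</integer>
</dict>
</plist>
EOF
}

main() {
    status="$(/usr/bin/fdesetup status 2>/dev/null)" || exit 0
    # User has deferred the password prompt so far: try again next interval.
    fv2_is_on "$status" || exit 0

    jamf_bin="$(find_jamf)" || exit 0
    # Only clean up after a successful recon. A failure (no network, JSS
    # unreachable) leaves the daemon in place so the next interval retries
    # instead of silently leaving the key un-escrowed.
    if "$jamf_bin" recon; then
        self_destruct
    fi
}

# Act only when launched with --run, so the functions can be sourced safely.
if [ "$1" = "--run" ]; then
    main
fi
```

Deploy the script with the policy, write `daemon_plist` output to the path in `PLIST` (owned by root, mode 644) and load it; the deferral problem goes away because the daemon keeps polling rather than firing once at the next boot.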

rtrouton
Release Candidate Programs Tester

Since this would be a one time thing, you could also install a script and launchdaemon as part of the encryption policy. The launchdaemon would trigger the script on first boot. The script would run a recon and then delete itself and the launchdaemon:

#!/bin/sh

# Run inventory with the jamf binary. launchd gives daemons a minimal PATH
# that does not include /usr/local/bin, so set it explicitly.
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin; export PATH

# If recon fails (for example no network yet at first boot), leave the
# LaunchDaemon in place so it runs again at the next boot.
jamf recon || exit 1

# Remove setup LaunchDaemon item (srm no longer exists on macOS 10.12 and later)
rm -f /Library/LaunchDaemons/com.company.fv2_recon.plist

# Make script self-destruct
rm -f "$0"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.company.fv2_recon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/path/to/fv2_recon.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

daworley
Contributor II

You could set up differing recon policies based on the status of FV2...

I'd set up an extension attribute based around the existence of the FV2, a smart group or two around that extension attribute. Recon policies could be every 15 until the FV2 plist exists, and then weekly if they are encrypted.
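An added example of the extension attribute daworley proposes (not code from the thread): rather than testing for the existence of a plist, it classifies `fdesetup status` output (OS X 10.8 or later) into Off, Encrypting, Decrypting, On or Unknown and returns it in the `<result>` tags the JSS expects from an extension attribute script. The output strings matched are the ones fdesetup prints on those releases; treat them as an assumption and verify on your build.

```shell
#!/bin/sh
# FileVault 2 state extension attribute (hypothetical example, not from the
# original thread). Smart groups built on the value drive recon frequency:
# "Off" or "Encrypting" -> frequent recon policy, "On" -> weekly.
#
# Assumption: fdesetup (OS X 10.8+) prints "FileVault is Off.",
# "FileVault is On.", and while converting appends a line such as
# "Encryption in progress: Percent completed = 40%".

# Map fdesetup status text to a single word. The "in progress" patterns are
# checked first because that output also contains "FileVault is On".
fv2_state() {
    case "$1" in
        *"Encryption in progress"*) echo "Encrypting" ;;
        *"Decryption in progress"*) echo "Decrypting" ;;
        *"FileVault is On"*)        echo "On" ;;
        *"FileVault is Off"*)       echo "Off" ;;
        *)                          echo "Unknown" ;;
    esac
}

# Wrap the state in the <result> tags the JSS parses from an EA script.
ea_result() {
    printf '<result>%s</result>\n' "$(fv2_state "$1")"
}

# On a real Mac, report the live state; elsewhere print nothing.
if [ -x /usr/bin/fdesetup ]; then
    ea_result "$(/usr/bin/fdesetup status 2>/dev/null)"
fi
```

One caveat when using this to drive recon policies: the extension attribute is only re-evaluated during a recon, so a machine leaves the "Off" smart group only after the frequent policy has run once on it with FileVault already on. Keep the frequent policy scoped to "Off" and "Encrypting" (not just "Off") so a Mac that is still converting is still inventoried promptly.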