Intentionally disable FileVault key escrow?

chmp1
New Contributor II

After a quick search was not fruitful, is there a way to disable the escrowing of FileVault keys while still being able to leverage Casper to enable FV? My institution has another method in place for escrowing individual keys that we must follow and is currently outside our influence. The security concerns of the keys being escrowed in the JSS DB may be unwarranted, but again, for the foreseeable future they must not be kept there without exception.

2 REPLIES

bryan_hengels
New Contributor II

If you have MDM enabled for your computers, you can create a Configuration Profile that will enable FileVault using the Security & Privacy payload. The individual keys won't be captured by the JSS unless you also send down the FileVault Recovery Key Redirection payload. The option under Security & Privacy is in a sub-tab called FileVault. There's a checkbox named Require FileVault 2 that will expand with further options once checked.

bentoms
Release Candidate Programs Tester

@chmp1 the escrowing doesn't happen by default, it's a profile payload called something like "FileVault Key Redirection".

If you have that payload being deployed, stop deploying it. If you don't have that payload being deployed, then the other system should pick up the keys.
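Both replies come down to one audit: the profile that turns FileVault on must not also carry the recovery-key redirection payload. As an added example (not code from this thread or from Jamf), the Python below inspects an exported .mobileconfig for exactly that. It assumes the payload type identifiers `com.apple.MCX.FileVault2` and `com.apple.security.FDERecoveryRedirect` as documented by Apple, and the sample profiles are constructed inline.

```python
import plistlib

# Payload types as they appear in an exported .mobileconfig. These are
# Apple's documented identifiers, assumed here; they are not in the thread.
FILEVAULT_PAYLOAD = "com.apple.MCX.FileVault2"
KEY_REDIRECT_PAYLOAD = "com.apple.security.FDERecoveryRedirect"


def audit_profile(mobileconfig_bytes):
    """Return (enables_filevault, redirects_key) for one profile plist."""
    profile = plistlib.loads(mobileconfig_bytes)
    enables_filevault = False
    redirects_key = False
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        # The FileVault payload only forces encryption when Enable is "On".
        if ptype == FILEVAULT_PAYLOAD and payload.get("Enable") == "On":
            enables_filevault = True
        # Any redirection payload means the JSS will capture the key.
        elif ptype == KEY_REDIRECT_PAYLOAD:
            redirects_key = True
    return enables_filevault, redirects_key


def profile_ok_for_external_escrow(mobileconfig_bytes):
    """True only if FileVault is enforced and no key redirection is present."""
    enables, redirects = audit_profile(mobileconfig_bytes)
    return enables and not redirects


def build_profile(with_redirect):
    """Constructed sample profile in the shape an MDM export uses."""
    payloads = [{"PayloadType": FILEVAULT_PAYLOAD, "PayloadUUID": "fv-1",
                 "PayloadIdentifier": "example.fv", "Enable": "On",
                 "Defer": True}]
    if with_redirect:
        payloads.append({"PayloadType": KEY_REDIRECT_PAYLOAD,
                         "PayloadUUID": "redirect-1",
                         "PayloadIdentifier": "example.redirect"})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadIdentifier": "example.profile",
                           "PayloadContent": payloads})


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, audit_profile(build_profile(flag)))
```

Run it against a profile downloaded from the JSS (`plistlib.loads(open(path, "rb").read())`) before deploying it; a result of `(True, True)` is the configuration the replies say to stop pushing.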