Posted on 09-07-2017 10:24 AM
Fellas..
We're about ready to enforce FileVault on a pilot group of about 100 users. While encrypting is the easy part, I wanted to know how you handle the decryption of Macs for when they are turned in for reimaging or redeployment.
We are utilizing both individual and institutional recovery keys, and we've read through Rich Trouton's documentation more than once. However, we were curious how others were handling such a task, as there seems to be no decryption method that management thinks is "fast enough"...especially if the previous user is no longer with the company.
They think going through the hassle of resetting local account passwords via Recovery Partition and / or decrypting using institutional key is too tedious and labor intensive.
Oh.. and the majority of our Macs are bound to AD.
Ideas?
Posted on 09-07-2017 10:50 AM
If you don't need the data, why decrypt? Just wipe the drive and reimage.
Posted on 09-07-2017 10:54 AM
If "reimaging" in your case means old style nuke and pave, there's no need to decrypt them (unless you needed some data off them first). We use scripts that simply blow away the partitions and essentially flatten the volume, ready for a base image + recovery partition to be laid down on it as the first step. All remnants of FileVault are gone this way, so there's no need to know a Recovery key or bother with decryption.
If you use some other kind of imaging or provisioning process, then you might need to mess with removing encryption first. I'm guessing that may not be the case though.
Posted on 09-07-2017 11:20 AM
hmmm... I guess maybe I missed the boat on this. So you don't need to decrypt in order to netboot and wipe the drive?
Posted on 09-07-2017 11:31 AM
Nope. While we don't "NetBoot" our Macs, we do boot them from a bootable drive to image, so essentially the same thing. The thing about FileVault is that it's about protecting the data on disk from being accessed by unauthorized people. It doesn't protect the data from being wiped. If the drive is erased by way of the CoreStorage partition being destroyed, the data is no longer accessible.
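A concrete version of the flatten-and-reimage approach described in the two replies above, added here as an example; it is not a script from the thread or from any poster. It assumes the pre-APFS CoreStorage/HFS+ layout (macOS 10.12 and earlier), that the script is run from an external boot drive or NetBoot with the internal disk at disk0, and that `diskutil cs list` output looks like the constructed sample embedded below. The FLATTEN_FOR_REAL variable is this example's own guard: nothing destructive runs unless it is set to 1.

```shell
#!/bin/bash
# Added example, not from the thread: flatten a FileVault 2 (CoreStorage) boot
# disk from an external boot drive or NetBoot without unlocking or decrypting it.
# Assumes the pre-APFS CoreStorage/HFS+ layout, that the internal disk is disk0,
# and the `diskutil cs list` output shape captured in the constructed sample below.
# Nothing destructive runs unless FLATTEN_FOR_REAL=1 is set in the environment.
set -eu

# Constructed sample of `diskutil cs list` from a locked FileVault Mac (not real output).
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 66666666-7777-8888-9999-000000000000
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        |
        +-> Logical Volume FFFFFFFF-1111-2222-3333-444444444444
            Status:                Locked
            LV Name:               Macintosh HD'

run() {
  # Echo the command in dry-run mode; only execute it when FLATTEN_FOR_REAL=1.
  if [ "${FLATTEN_FOR_REAL:-0}" = "1" ]; then
    "$@"
  else
    printf 'DRY RUN: %s\n' "$*"
  fi
}

lvg_uuids() {
  # Print every Logical Volume Group UUID found in `diskutil cs list` text ($1).
  # Deleting the group is what makes the encrypted volume unrecoverable: the
  # wrapped volume key lives in the CoreStorage metadata, not in any user's password.
  printf '%s\n' "$1" | awk '/Logical Volume Group [0-9A-F-]+/ { print $NF }'
}

flatten_disk() {
  # $1: whole-disk identifier (e.g. disk0); $2: text of `diskutil cs list`.
  disk="$1"
  cs_list="$2"
  uuids="$(lvg_uuids "$cs_list")"
  if [ -n "$uuids" ]; then
    for uuid in $uuids; do
      # Destroys the LVG and its locked logical volume; no recovery key or password needed.
      run diskutil cs delete "$uuid"
    done
  else
    echo "No CoreStorage group found on $disk; plain erase only." >&2
  fi
  # Repartition and lay down a fresh JHFS+ volume for the base image + recovery partition.
  run diskutil eraseDisk JHFS+ "Macintosh HD" "$disk"
}

if [ "${FLATTEN_FOR_REAL:-0}" = "1" ]; then
  flatten_disk disk0 "$(diskutil cs list)"
else
  flatten_disk disk0 "$SAMPLE_CS_LIST"   # rehearsal against the constructed sample
fi
```

Run it without the guard first to see the exact commands it would issue; only then set `FLATTEN_FOR_REAL=1` on a Mac booted from external media. Two caveats worth keeping in mind: this is a crypto-erase, so the ciphertext stays on the flash until overwritten but is unrecoverable once the group metadata holding the volume key is gone, which is exactly why no recovery key is needed; and on APFS (macOS 10.13 and later) the CoreStorage commands do not apply and the equivalent step is `diskutil apfs deleteContainer` on the container disk.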
Posted on 09-07-2017 11:34 AM
@mm2270 Cool, thanks. Will give it a shot.