Recovery Key Redirection

powellbc
Contributor II

Can anyone explain precisely what this profile management setting does? I understand that if you enforce FileVault encryption through profile manager you need to use this, but will it redirect the recovery key of an already encrypted machine to the JSS?

1 ACCEPTED SOLUTION

SamF
Contributor II

Yes, if the JSS has an existing valid individual recovery key OR if the management account in the JSS is an enabled FV2 user on the client machine. One of those conditions must be true and the client must be running 10.9+.


14 REPLIES

SamF
Contributor II

This profile will not redirect the recovery key for a machine that has already been encrypted. The profile must be in place at the time the key is generated during the encryption process.

powellbc
Contributor II

Thanks for the info, now a followup:

If you utilize the Issue New Recovery Key option via policy, will that regenerate the key on an already encrypted machine?

SamF
Contributor II

Yes, if the JSS has an existing valid individual recovery key OR if the management account in the JSS is an enabled FV2 user on the client machine. One of those conditions must be true and the client must be running 10.9+.

powellbc
Contributor II

Great, thanks for the info Sam.

powellbc
Contributor II

@Sam.Fortuna

Sorry to bump this again. I was hoping to enable the management account for FV2 for our user self-encrypted machines, but then I noticed this requirement: To enable the management account for FileVault 2, the computer must have OS X v10.9 and have an existing, valid individual recovery key that matches the key stored in the JSS.

Is there a workflow to take user-encrypted machines and get their existing keys or a newly generated key into the JSS?

SamF
Contributor II

There is not a JSS supported workflow that will allow for the functionality that you seek. However, there have been others who were looking to implement a similar solution, so we created a custom script which should accomplish the task. The workflow requires that we install a FV2 recovery key redirection configuration profile to the client machine. Then run this script: https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh

The script will prompt for the currently logged in, FV2 enabled user's password and use that to reissue a new key. With the FV2 redirection payload in place, this should then be posted into the JSS record for the machine. I hope that helps out!

powellbc
Contributor II

Sam, I have had some issues with the script: two different unexpected results. Would it be OK to work offline with you on this? We have an existing support contract if that is permissible.

Thanks for your help!

ocla__09
Contributor

@Sam.Fortuna

Your script has been working as intended, however I have one machine that gets the following error repeatedly when trying to run the script:

Script result: Prompting xxxxxxx for their login password.
Issuing new recovery key
invalid command name "
"
while executing
" "

The key is not getting regenerated and uploaded to the JSS, and this is the only machine so far I am seeing this on. Do you have any insight as to what the issue could be?

Thanks in advance

SamF
Contributor II

@Oclassen - I haven't seen this error before, but I'm guessing that the user probably has a special character in their password that isn't being passed through correctly. A quotation or backslash in the password might cause this type of behavior.

Hope that helps out!

ocla__09
Contributor

Thanks @Sam.Fortuna - I assume if that is indeed the case, the only workaround is for them to change their password? Or is there perchance an edit that can be made in the script?

SamF
Contributor II

There's most likely a change that could be made to the script to account for special characters. It'd be easier to determine what the special character was and then implement a fix than attempting to account for all possible characters that might be problematic.

Since this is a one off situation, it may be less work to have the user temporarily change their password. At that point we can run the script and have the user revert their password back.

bentoms
Release Candidate Programs Tester

Hi guys,

It can be done, you'll need "quoted form of" when retrieving the password. Basically I've had to use that multiple times in AutoCasperNBI.

Something like:

quoted form of text returned of result

bentoms
Release Candidate Programs Tester

The quoted form property gives the string in a form that is safe from further interpretation by the shell, no matter what its contents are.

From: https://developer.apple.com/library/mac/technotes/tn2065/_index.html

ocla__09
Contributor

Great, thanks. I will try that out.
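As an added illustration of the special-character problem discussed above (this is example code written for this page, not the Jamf reissueKey.sh script and not bentoms' AutoCasperNBI code): the error ocla__09 pasted is a Tcl interpreter error, which is what you get when a password containing a double quote is pasted into the expect script that drives fdesetup, because the quote terminates the Tcl string and the remainder of the line is parsed as Tcl. "quoted form of" protects the value from the shell; the example below sidesteps the Tcl interpolation entirely by handing the username and password to fdesetup through its -inputplist option (a property list read from stdin, as documented in fdesetup(8)). The function names xml_escape, build_inputplist, unsafe_expect_send_line and reissue_recovery_key, the user jdoe and the demo password are all assumptions made for the example; reissue_recovery_key only does anything on a Mac run as root with the key redirection profile already installed, which is what gets the new key into the JSS.

```shell
#!/bin/sh
# Added example (not Jamf's reissueKey.sh): pass the FileVault user's password to
# fdesetup via the documented -inputplist option instead of interpolating it into
# expect/Tcl source, so quotes and backslashes in the password cannot change the
# meaning of the command that is executed.

# Escape the characters XML cares about. '&' is replaced first so the entities
# produced by the later substitutions are not escaped a second time.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# The fragile pattern, shown only for comparison: the raw password is pasted
# into a Tcl 'send' command. A '"' in the password closes the Tcl string early
# and whatever follows is parsed as Tcl code, which is why the thread sees an
# interpreter error ("invalid command name ...") instead of a reissued key.
unsafe_expect_send_line() {
    printf 'send "%s\\r"\n' "$1"
}

# The robust pattern: build the plist fdesetup reads from stdin. The password
# is only ever data inside an XML text node, never part of a command line.
build_inputplist() {
    user_esc=$(xml_escape "$1")
    pass_esc=$(xml_escape "$2")
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' \
        '<dict>' \
        '    <key>Username</key>' \
        "    <string>$user_esc</string>" \
        '    <key>Password</key>' \
        "    <string>$pass_esc</string>" \
        '</dict>' \
        '</plist>'
}

# Reissue the personal recovery key for an already-enabled FileVault user.
# Meaningful only on macOS, as root, with the FDE key redirection profile in
# place (that profile is what escrows the new key). Elsewhere it returns 1
# without doing anything, so the example is safe to run on any host.
reissue_recovery_key() {
    if [ "$(uname)" != "Darwin" ] || [ ! -x /usr/bin/fdesetup ]; then
        echo "fdesetup not available on this host; nothing done" >&2
        return 1
    fi
    build_inputplist "$1" "$2" | /usr/bin/fdesetup changerecovery -personal -inputplist
}

# Constructed demo input (assumption): a password containing both characters
# that SamF suspected, a double quote and a backslash.
DEMO_USER='jdoe'
DEMO_PASS='Pa"ss\word'
echo "--- what an expect-based script would hand to Tcl ---"
unsafe_expect_send_line "$DEMO_PASS"
echo "--- what fdesetup -inputplist receives instead ---"
build_inputplist "$DEMO_USER" "$DEMO_PASS"
```

On a real client you would obtain the password with the same osascript dialog the thread describes and call reissue_recovery_key "$USER" "$userPass" as root; because the value only travels through a shell variable and stdin, nothing in it is re-interpreted.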