Remote Decryption?

ScottOram
New Contributor II

Hey all,

I was asked if Jamf Pro could remotely unencrypt a device... is this possible?

I did search but did not get many pertinent results.

Thanks,

Scott

rderewianko
Valued Contributor II

No, you cannot push a command out through jamf to decrypt a device.

On macOS you can provide someone the Personal Recovery Key, but they'll have to enter it in. The other alternative is, if that machine's live and booted, you can remote into it and disable encryption that way.

signetmac
Contributor

You can remotely unencrypt a device over ssh if you know an FV-enabled user's password, using:

sudo fdesetup disable

If you don't know an enabled user's password, you can enable your admin account using the computer's recovery key:

sudo fdesetup add -usertoadd [your admin account username]

The above command will prompt you for either the computer's recovery key or an enabled user's password. You would need ssh access to the computer. If you don't have that, you can use a JAMF Pro policy to enable it for a user. If you wanted to do this on several computers in some automated fashion, you could write an expect script to supply information at the prompts but you would still have to supply the unique recovery key for each.

I wrote a CasperJSS script for eliciting the FV Recovery Key for a particular computer from the JAMF Pro server, but I imagine other people have better solutions.

ScottOram
New Contributor II

Thanks @signetmac. So this would be either a live "remote in" scenario, or having a new key pushed out to the user that they can enter themselves. Am I understanding it right?

rderewianko
Valued Contributor II

So:

sudo fdesetup disable

will require an admin account that is also a FileVault-enabled user to disable it, or an admin account with the personal recovery key stored in the JSS.

Pushing a new key out will just re-add it to the JSS; you'd still have to provide it to the user.

For reissuing, there are some great automated tools to do so:
https://github.com/homebysix/jss-filevault-reissue

signetmac
Contributor

Hi @ScottOram. Sorry so late to reply. Hopefully you've experimented and figured this out by now, but just in case...

You have the end user's cooperation? Tell them to open Terminal, put in the disable command I gave, and enter their password when prompted for a password.

You don't have the end user's cooperation? You would need to use SSH to get onto the computer remotely. SSH access may already be set up. If not, you craft a policy scoped to that particular computer to grant you SSH access with an admin account with a known password. I'll consider accomplishing this beyond the scope of my response. If you need more detail, go ahead and ask. If this computer is off network, there are ways to do this too.

Once you have ssh access, you get onto the computer through ssh, run the disable command IF your admin account is an enabled user for FileVault. If your admin account is NOT enabled, and you have the computer's Recovery Key in escrow on your JSS, just use the Recovery Key to enable your admin user with the 'usertoadd' command I gave previously, and follow up by running the disable command.
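The decision described above, as an added shell example that is not from this thread or from Jamf: it reads the output of `fdesetup status` and `fdesetup list` (one `username,UUID` line per FileVault-enabled user) to tell whether the admin account you SSH in as can run `sudo fdesetup disable` directly, or must first be enabled with `fdesetup add -usertoadd` and the escrowed recovery key. The sample outputs, UUIDs and the `itadmin` account name are constructed.

```shell
#!/bin/sh
# Decide which fdesetup path applies on a Mac before running anything interactive.
# Prints one of: already-off | disable | add-then-disable
fv_next_step() {
    status_out="$1"   # text of `fdesetup status`
    list_out="$2"     # text of `fdesetup list` (needs root)
    admin="$3"        # the admin account you will SSH in as
    case "$status_out" in
        *"FileVault is Off"*) echo "already-off"; return 0 ;;
    esac
    # Compare the username field exactly (-x -F), so "admin" does not match "itadmin".
    if printf '%s\n' "$list_out" | cut -d, -f1 | grep -qxF -- "$admin"; then
        echo "disable"            # sudo fdesetup disable, with the admin's own password
    else
        echo "add-then-disable"   # sudo fdesetup add -usertoadd "$admin" (recovery key at
    fi                            # the prompt), then sudo fdesetup disable
}

# Constructed sample output, shaped like the real commands' output.
SAMPLE_STATUS_ON='FileVault is On.'
SAMPLE_STATUS_OFF='FileVault is Off.'
SAMPLE_LIST='jdoe,00000000-0000-0000-0000-000000000001
itadmin,00000000-0000-0000-0000-000000000002'

# Run against the live machine only on macOS, as root, with the admin name as $1
# (e.g. `sudo sh fv_check.sh itadmin` over ssh). Elsewhere only the functions load.
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ] && [ -n "${1:-}" ]; then
    step="$(fv_next_step "$(fdesetup status)" "$(fdesetup list)" "$1")"
    case "$step" in
        already-off)      echo "FileVault is already off; nothing to do." ;;
        disable)          echo "$1 is FileVault-enabled: run 'sudo fdesetup disable'." ;;
        add-then-disable) echo "$1 is not enabled: run 'sudo fdesetup add -usertoadd $1'" \
                               "(enter the recovery key at the prompt), then 'sudo fdesetup disable'." ;;
    esac
fi
```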