Posted on 12-12-2017 10:54 AM
Hey all,
I was asked if Jamf Pro could remotely unencrypt a device... is this possible?
I did search but did not get many pertinent results.
Thanks,
Scott
Posted on 12-13-2017 10:15 AM
You can remotely unencrypt a device over ssh if you know an FV-enabled user's password, using:
sudo fdesetup disable
If you don't know an enabled user's password, you can enable your admin account using the computer's recovery key:
sudo fdesetup add -usertoadd [your admin account username]
The above command will prompt you for either the computer's recovery key or an enabled user's password. You would need ssh access to the computer. If you don't have that, you can use a JAMF Pro policy to enable it for a user. If you wanted to do this on several computers in some automated fashion, you could write an expect script to supply information at the prompts but you would still have to supply the unique recovery key for each.
I wrote a CasperJSS script for eliciting the FV Recovery Key for a particular computer from the JAMF Pro server, but I imagine other people have better solutions.
Posted on 12-12-2017 12:09 PM
No, you cannot push a command out through jamf to decrypt a device.
On macOS you can provide someone the Personal Recovery Key, but they'll have to enter it in. The other alternative is, if that machine's live and booted, you can remote into it and disable encryption that way.
Posted on 12-14-2017 12:23 PM
Thanks @signetmac. So this would be more of either a live "remote in" scenario, or have a new key pushed out to the user that they can enter themselves. Am I understanding it right?
Posted on 12-14-2017 01:16 PM
So:
sudo fdesetup disable
will require an admin account that also is a FileVault-enabled user to disable, or an admin account with the personal recovery key stored in the JSS.
Pushing a new key out will just re-add it to the JSS; you'd still have to provide it to the user.
For reissuing, there are some great automated tools to do so.
https://github.com/homebysix/jss-filevault-reissue
Posted on 12-19-2017 02:53 PM
Hi @ScottOram. Sorry so late to reply. Hopefully you've experimented and figured this out by now, but just in case...
You have the end users cooperation? Tell them to open Terminal, put in the disable command I gave, and enter their password when prompted for a password.
You don't have the end user's cooperation? You would need to use SSH to get onto the computer remotely. SSH access may already be set up. If not, you craft a policy scoped to that particular computer to grant you SSH access with an admin account with a known password. I'll consider accomplishing this beyond the scope of my response. If you need more detail, go ahead and ask. If this computer is off network, there are ways to do this too.
Once you have ssh access, you get onto the computer through ssh, run the disable command IF your admin account is an enabled user for FileVault. If your admin account is NOT enabled, and you have the computer's Recovery Key in escrow on your JSS, just use the Recovery Key to enable your admin user with the 'usertoadd' command I gave previously, and follow up by running the disable command.
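As an added shell example (not from the thread and not Jamf's code) that strings the steps above together: it reads `fdesetup status` and `fdesetup list` to decide whether the admin account is already FileVault-enabled, and only then runs the add/disable commands. The admin username is a placeholder argument, and the two sample outputs are constructed so the decision logic can be checked off-box.

```shell
#!/bin/sh
# Added example: decide which fdesetup steps a remote admin needs on a Mac,
# based on the output of `fdesetup status` and `fdesetup list`.
# ADMIN_USER (first argument) is a placeholder for the account you ssh in as.

# fv_plan STATUS_TEXT LIST_TEXT ADMIN_USER
# Prints one of: off | disable | add-then-disable
fv_plan() {
    status="$1"; list="$2"; admin="$3"
    case "$status" in
        *"FileVault is Off"*) echo "off"; return 0 ;;
    esac
    # `fdesetup list` prints one "username,UUID" line per FileVault-enabled user
    if printf '%s\n' "$list" | grep -q "^${admin},"; then
        echo "disable"
    else
        echo "add-then-disable"
    fi
}

# Carry out the plan. The password or recovery key is typed at fdesetup's own
# prompts, exactly as in the thread; nothing secret is stored in this script.
fv_run() {
    admin="$1"
    plan=$(fv_plan "$(fdesetup status)" "$(fdesetup list)" "$admin")
    case "$plan" in
        off) echo "FileVault is already off" ;;
        add-then-disable)
            echo "$admin is not FileVault-enabled; authorize with the recovery key"
            sudo fdesetup add -usertoadd "$admin" && sudo fdesetup disable ;;
        disable) sudo fdesetup disable ;;
    esac
}

# Constructed sample outputs (not from a real machine):
SAMPLE_STATUS_ON="FileVault is On."
SAMPLE_LIST="jdoe,0A1B2C3D-1111-2222-3333-444455556666"

# Only touch fdesetup when it is actually present, i.e. when run on a Mac
if command -v fdesetup >/dev/null 2>&1 && [ -n "$1" ]; then
    fv_run "$1"
fi
```

Run it over ssh as `sh fv_plan.sh youradmin`; on a box where the admin is not an enabled user it runs the `add -usertoadd` step first and prompts for the recovery key.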