sanity check: send multiple plists at a Mac using fdesetup changerecovery -personal -inputplist

Contributor III

Sanity check question: can we automatically send multiple passwords (of a FV-enabled account) at a Mac in order to reissue a key?

If we understand correctly, we can automatically change to a new personal/individual FileVault recovery key by importing a plist into the following command:
sudo fdesetup changerecovery -personal -inputplist < /path/to/filename.plist

For the plist, we would need to store the password of an existing FileVault 2-enabled user (or an existing personal recovery key) in the Password key in the plist (shown below):

/usr/bin/fdesetup changerecovery -personal -inputplist &> /dev/null <<XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Password</key>
    <string>PASSWORD_OF_FV_ENABLED_USER_OR_EXISTING_RECOVERY_KEY</string>
</dict>
</plist>
XML

Here's the tricky part: since the password for our FV-enabled local admin account has been rotated a few times via JSS MDM (though we know the passwords), has anybody tried (or what are your thoughts on this concept) sending multiple passwords at a Mac that has the FV-enabled local admin account?

It seems that the JSS could deploy a script to a Mac--that has the FV-enabled local admin account--and provide different plists with different passwords.

Appropriate scoping for script:
- mac is completely encrypted
- has invalid or unknown individual recovery key
- local admin account exists and is FV-enabled
- mac needs to have appropriate configuration profile installed for sending keys to JSS:
  - for 10.12 and older: FileVault Recovery Key Direction
  - for 10.13 and newer: Security > FileVault > Enable Escrow Personal Recovery Key

So the script would essentially have multiple plists--like above--each with a different password of a FV-enabled account.

Is this crazy?


Contributor III

If not clear, the successful requirement above would be to escrow a recovery key in the JSS.
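The loop the poster describes, as an added example that is not the poster's script: each candidate password becomes its own plist on fdesetup's stdin, attempts stop at the first one fdesetup accepts, and passwords are XML-escaped so characters like & or < do not silently break the plist. The account name, the candidate passwords and the FDESETUP override are placeholders; fdesetup itself must run as root on the target Mac.

```shell
#!/bin/bash
# Try several candidate passwords for the FV-enabled local admin account,
# one plist per attempt, until fdesetup issues a new personal recovery key.
# FDESETUP may be overridden (e.g. with a stub) for testing off a Mac.
FDESETUP="${FDESETUP:-/usr/bin/fdesetup}"
ADMIN_USER="${ADMIN_USER:-localadmin}"   # placeholder account name

# Escape the five XML special characters: a password such as 'p&ss<3>'
# would otherwise produce a malformed plist and a spurious failed attempt.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Print the plist fdesetup reads from stdin for one username/password pair.
build_plist() {
    cat <<PLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
</dict>
</plist>
PLIST
}

# Feed each candidate to fdesetup in turn; stop at the first accepted one.
# Prints the 1-based index of the winning candidate (never the password
# itself) and returns 0; returns 1 if none was accepted.
reissue_with_candidates() {
    user="$1"; shift
    i=0
    for pw in "$@"; do
        i=$((i + 1))
        if build_plist "$user" "$pw" | "$FDESETUP" changerecovery -personal -inputplist >/dev/null 2>&1; then
            echo "$i"
            return 0
        fi
    done
    return 1
}

# Usage from a JSS policy: pass the rotated passwords as script parameters
# rather than hard-coding them, e.g.
#   reissue_with_candidates "$ADMIN_USER" "$4" "$5" "$6"
```

A new key is only escrowed if the FileVault redirection/escrow profile named in the scoping list is already on the Mac, so check that before running the loop.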