Posted on 03-21-2018 09:31 AM
Sanity check question: can we automatically send multiple passwords (of a FV-enabled account) at a Mac in order to reissue a key?
Details:
If we understand correctly, we can automatically change to a new personal/individual Filevault recovery key by importing a plist into the following command:
sudo fdesetup changerecovery -personal -inputplist < /path/to/filename.plist
For the plist, we would need to store the password of an existing FileVault 2-enabled user (or an existing personal recovery key) in the Password key in the plist (shown below):
/usr/bin/fdesetup changerecovery -personal -inputplist &> /dev/null <<XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Password</key>
<string>$4</string>
</dict>
</plist>
XML
Here's the tricky part: since the password for our FV-enabled local admin account has been rotated a few times via JSS MDM (though we know the passwords), has anybody tried (or what are your thoughts on this concept) sending multiple passwords at a Mac that has the FV-enabled local admin account?
Is ~seems~ that the JSS could deploy a script to Mac--that has the FV-enabled local admin account--and provide different plists with different passwords.
Appropriate scoping for script:
- mac is completely encrypted
- has invalid or unknown individual recovery key
- local admin account exists and is FV-enabled
- mac needs to have appropriate configuration profile installed for sending keys to JSS:
- for 10.12 and older: FileVault Recovery Key Direction
- for 10.13 and newer: Security > FileVault > Enable Escrow Personal Recovery Key
So the script would essentially have multiple plists--like above--each with a different password of a FV-enabled account.
Is this crazy?
Posted on 03-21-2018 09:35 AM
If not clear, the successful requirement above would be to escow a recovery key in the JSS.