Site user access to FileVault2 Keys.

ctangora
Contributor III

Hello all.

I am trying to set up an architecture that would allow site admins to be able to see the FileVault2 keys for their sites. However, even though I assign the correct permissions for the users and they see the button to view the keys, the keys never show.

I have contacted JAMF about this and they say that you must make the user a 'Full JSS' user in order for them to see the encryption keys. This works against what I am trying to do; it would require me to make all local IT full users, but then I would not be able to give them 'admin' over their machines, since they would then also have admin permissions on other departments' machines.

JAMF says it was planned this way, but I call it a bug. Has anyone else run into this? If you would like this fixed, vote up my feature request.

https://jamfnation.jamfsoftware.com/featureRequest.html?id=2046


Brad_G
Contributor II

Yes I would call this less than ideal myself. This is an issue with Disk Encryption, Extension Attributes, and a few other things we'd like site admins to be able to do.

For now our workaround (we use LDAP groups as we're an Active Directory shop) is to create a security group that is a Full JSS member with Custom access. We then set the Disk Encryption and other access settings we want them to have. So their IDs fall into multiple security groups. The users will have to switch between their site and Full JSS mode to access them. Kind of a kludge, but it gets admins what they need until it's more polished.

I'm off to vote up your request.....

ctangora
Contributor III

Thanks Brad,

Quick question. I can't seem to duplicate your results. Testing with a local account I have made two groups, one as an admin to a site (full access to site), and one that allows only access to update & read computers, as well as the action of getting the file vault keys.

This does not give us the ability to see file vault keys in the JSS either under the "Full JSS".

Chris

Brad_G
Contributor II

To be honest I haven't worked with FV to answer the question of what you're looking for. But from my limited testing it appears that my userID as a site admin and custom privileges as Full JSS shows me the same options and capabilities as the Full JSS Admin does.

ctangora
Contributor III

So I was able to find this out. In order to see the FileVault2 Encryption keys you need these permissions / settings:

JSS Objects -- Computers: Read & Update; Disk Encryption Configurations: Read Only
JSS Actions -- View Disk Encryption Recovery Key: checked

I have a question in to JAMF as to why we need to turn on the Disk Encryption Configurations in order to see the keys. But at least, to get a group that can only do this for every machine in the JSS, those are the settings. I'll have to do further testing with other groups to see if I can do what you are doing (modular permissions approach).

I would still like to be able to have a site admin see the encryption keys, but that seems more unlikely the further this day goes along.

axnessj
New Contributor

ctangora,

I think we did the same thing as you. We created a "FV Read-only" account so that we can provide it to our techs and they can use that account to obtain the encryption key.

In the account we gave Read permissions to:
JSS Objects:
- Advanced Computer Searches (we created a search for FV enabled computers to make an easy way for them to narrow down the results/find the machine)
- Computers (Read & Update)
- Disk Encryption Configurations
JSS Actions:
- View Disk Encryption Recovery Key

spalmer
Contributor III

I would push JAMF support to file this as a bug, and I will likely be filing my own, because why would they make a permission available at the Site level and make the "Get Recovery Keys" button viewable to Site admins/users but not let them actually use it. Not to mention the workaround to this totally breaks one of the reasons we have Sites, which is to allow Site admins to only see computer objects in their own Sites.

At the university level we are starting to create recommendations for users to encrypt their drives based on data classifications. Our University is large enough that we have many distinct IT departments with their own Sites so we had planned on having each Site create their own institutional recovery keys to use for their computers. In light of this it looks like this may be pointless since we will all have the ability to see each other's recovery keys.

ctangora
Contributor III

JAMF is currently looking into removing the option for site admins to see the "Get Recovery Key" buttons and removing them from the permissions in the JSS.

As far as fixing it, I think we need to vote up the feature request and get on the horn with your JAMF rep so they know that this is affecting multiple people.

analog_kid
Contributor

As of Casper 9.32 (at least, maybe earlier as well), I found the following permissions were needed to grant access to Recovery Keys. The permissions at the beginning of the thread no longer worked for me.

Access Level: Full Access
Privilege Set: Custom
JSS Objects ---> Computers (read), Disk Encryption Configurations (read), Disk Encryption Institutional Configurations (read)
JSS Actions ---> View Disk Encryption Recovery Key (checked)
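The thread's practical upshot is a least-privilege problem: the only accounts that can actually display recovery keys are Full Access accounts, so every such account can read keys for every computer regardless of Site. The script below is an added example, not JAMF's code or anything posted in this thread. It audits an exported set of JSS accounts and classifies each one using the privilege names from ctangora's and analog_kid's posts. The XML layout, the element names, and the exact privilege strings are assumptions (modelled loosely on Classic API account records); the sample records are constructed.

```python
"""Audit which JSS accounts can read FileVault 2 recovery keys and whether
that access is Full Access (keys for every computer) or Site-scoped (button
shown, keys never display, per the thread).  Added example; XML layout and
privilege strings are assumptions, sample data is constructed."""
import xml.etree.ElementTree as ET

# Privilege names as they appear in the thread's permission lists (Casper 9.32
# list from analog_kid).  That these exact strings match a given JSS version
# is an assumption.
REQUIRED_OBJECT_PRIVILEGES = {
    "Read Computers",
    "Read Disk Encryption Configurations",
    "Read Disk Encryption Institutional Configurations",
}
REQUIRED_ACTION_PRIVILEGES = {"View Disk Encryption Recovery Key"}

# Constructed sample export (assumed layout, not a real JSS export).
SAMPLE_ACCOUNTS_XML = """<accounts>
<account><name>fv-readonly</name><access_level>Full Access</access_level>
 <privilege_set>Custom</privilege_set><privileges>
 <jss_objects><privilege>Read Computers</privilege>
  <privilege>Read Disk Encryption Configurations</privilege>
  <privilege>Read Disk Encryption Institutional Configurations</privilege></jss_objects>
 <jss_actions><privilege>View Disk Encryption Recovery Key</privilege></jss_actions>
 </privileges></account>
<account><name>site-admin-chem</name><access_level>Site Access</access_level>
 <site>Chemistry</site><privilege_set>Administrator</privilege_set><privileges>
 <jss_objects><privilege>Read Computers</privilege>
  <privilege>Update Computers</privilege></jss_objects>
 <jss_actions><privilege>View Disk Encryption Recovery Key</privilege></jss_actions>
 </privileges></account>
<account><name>fv-partial</name><access_level>Full Access</access_level>
 <privilege_set>Custom</privilege_set><privileges>
 <jss_objects><privilege>Read Computers</privilege></jss_objects>
 <jss_actions><privilege>View Disk Encryption Recovery Key</privilege></jss_actions>
 </privileges></account>
<account><name>helpdesk</name><access_level>Full Access</access_level>
 <privilege_set>Custom</privilege_set><privileges>
 <jss_objects><privilege>Read Computers</privilege></jss_objects>
 <jss_actions/></privileges></account>
</accounts>"""


def parse_accounts(xml_text):
    """Return one dict per <account>: name, access_level, site, objects, actions."""
    root = ET.fromstring(xml_text)
    accounts = []
    for acct in root.findall("account"):
        def privs(section):
            node = acct.find(f"privileges/{section}")
            if node is None:
                return set()
            return {p.text.strip() for p in node.findall("privilege") if p.text}
        accounts.append({
            "name": acct.findtext("name"),
            "access_level": acct.findtext("access_level"),
            "site": acct.findtext("site"),          # None for Full Access accounts
            "objects": privs("jss_objects"),
            "actions": privs("jss_actions"),
        })
    return accounts


def classify(account):
    """Classify an account's effective recovery-key access.

    Order matters: the thread reports that a Site-scoped account never displays
    keys even with the action checked, so that check precedes the object check.
    """
    if not REQUIRED_ACTION_PRIVILEGES <= account["actions"]:
        return "no-key-access"
    if account["access_level"] != "Full Access":
        return "site-scoped-key-access-ineffective"
    if REQUIRED_OBJECT_PRIVILEGES - account["objects"]:
        return "missing-object-reads"
    # Full Access plus the full privilege set: this account can read recovery
    # keys for every computer in the JSS, in every Site.
    return "full-key-access"


def audit(xml_text):
    """Map account name -> classification for every account in the export."""
    return {a["name"]: classify(a) for a in parse_accounts(xml_text)}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS_XML).items():
        print(f"{name:18s} {finding}")
```

Accounts reported as `full-key-access` are the ones to review periodically, since Site membership does nothing to limit which keys they can retrieve; `site-scoped-key-access-ineffective` identifies accounts configured the way the original poster intended, which the thread says will not work.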