Smart Policy for Missing Encryption Keys

easyedc
Valued Contributor II

Working through a migration performed on JSS servers a while back. I'd set up a policy to reissue the FileVault 2 key following a few people's work (mostly @rtrouton's FV2 stuff) by deploying a .plist, importing, reissuing, yada yada yada. It's failed on a group that has some bad user identities (wrong admin service account that has local FV2 rights, etc). I don't mind manually touching each one to do

fdesetup add -usertoadd JAMFSERVICEACCOUNT

but I'm having a hard time identifying the right search criteria to separate out the 2 configurations to identify the FV2 not configured. I've tried a number of the search criteria around FV2 and none of my attempts seem to properly identify the group which shows as

"Not Configured"

Please help me. I'm stuck in a forest and I desperately can't find the trees.

1 ACCEPTED SOLUTION

easyedc
Valued Contributor II

So I think the solution that works for me is

FileVault 2 Recovery Key Type

with selection

is not

and criteria

Individual and Institutional

which seems to successfully capture whether the key is missing for me.


4 REPLIES

StoneMagnet
Contributor III

@easyedc Have you tried a Smart Group with a FileVault 2 Status criterion with the value No Partitions Encrypted? That should at least let you find machines that didn't have FV2 enabled, although that may not be equivalent to configured.

easyedc
Valued Contributor II

@StoneMagnet the issue with that is that they already are FV2 encrypted. But there isn't a current key on file, which is what this policy regenerates.

StoneMagnet
Contributor III

@easyedc I'd think a smart group like (Criteria FileVault 2 Institutional Key is Not Present) AND (Criteria FileVault 2 Status is All Partitions Encrypted or Criteria FileVault 2 Status is Boot Partitions Encrypted) would be the machines you're looking for.
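The condition both replies are circling, "FileVault is on but no recovery key is present", can also be evaluated on the Mac itself and reported as a Jamf extension attribute, which helps cross-check what the server-side smart group criteria show. The script below is an added example written for this thread, not code from either poster or from Jamf. It uses the real macOS commands fdesetup status, fdesetup haspersonalrecoverykey and fdesetup hasinstitutionalrecoverykey; the classification labels (NotEncrypted, KeyPresent, KeyMissing) and the function names are my own, and the sample values used when fdesetup is absent are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Jamf): flag Macs that are FileVault 2
# encrypted but have neither a personal nor an institutional recovery key.
# Assumed real commands: fdesetup status / haspersonalrecoverykey /
# hasinstitutionalrecoverykey. Labels below are hypothetical, not Jamf criteria values.

# classify_fv2 STATUS PRK IRK
#   STATUS: output of `fdesetup status` ("FileVault is On." or "FileVault is Off.",
#           possibly followed by an encryption-progress line)
#   PRK/IRK: "true" or "false" from the two hasXrecoverykey subcommands
# Prints exactly one of: NotEncrypted, KeyPresent, KeyMissing
classify_fv2() {
    status="$1"; prk="$2"; irk="$3"
    case "$status" in
        *"FileVault is On"*) ;;                  # encrypted: fall through to key check
        *) echo "NotEncrypted"; return 0 ;;      # off, or unrecognised output
    esac
    if [ "$prk" = "true" ] || [ "$irk" = "true" ]; then
        echo "KeyPresent"
    else
        echo "KeyMissing"                        # the case the thread is hunting for
    fi
}

# Gather live values on macOS; elsewhere fall back to constructed sample values
# so the script still runs for review. Jamf reads the text inside <result> tags.
collect_and_report() {
    if command -v fdesetup >/dev/null 2>&1; then
        st=$(fdesetup status 2>/dev/null)
        prk=$(fdesetup haspersonalrecoverykey 2>/dev/null)
        irk=$(fdesetup hasinstitutionalrecoverykey 2>/dev/null)
    else
        st="FileVault is On."; prk="false"; irk="false"   # constructed sample input
    fi
    echo "<result>$(classify_fv2 "$st" "$prk" "$irk")</result>"
}

collect_and_report
```

Two caveats when using this alongside the smart group criteria: the has*recoverykey subcommands report whether a key exists on the disk, not whether Jamf has a valid copy escrowed, so a Mac can report KeyPresent locally while the server still shows the key type as missing; and fdesetup must run as root, so the script only gives meaningful results when executed by the Jamf binary or another privileged agent.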
