What is your process for re-deploying a Mac that has to be De-Crypted (FV2)?

NealIV
Contributor

Hello all,

I have run into a situation where, if a Mac has been encrypted using FV2 and the user leaves the business and it needs to be re-purposed, the Apple_Boot Recovery HD partition is missing and I have to use the "Recovery Partition Creator 3.8" to rebuild the partition, then re-image the Mac.

Am I doing something wrong when decrypting that makes the recovery partition disappear, or is this normal?

6 REPLIES

alexjdale
Valued Contributor III

Per security policy, we have to wipe every drive before re-issuing. We simply erase and re-partition the drive before running Casper Imaging, destroying the FV keys. Imaging replaces the recovery partition.

cgiordano
Contributor

@NealIV We do the same as @alexjdale. Here's our process using an external hard drive (thunderbolt) with OS X & the Casper Suite installed on it:

1) Boot to external hdd and launch Disk Utility
2) Use DU to wipe the drive since Casper Imaging can't wipe encrypted drives (or previously counted...haven't tested recently)
3) Use Casper Imaging to re-image machine

This process won't work if you or your team aren't the ones kicking off FV2 or adding the JSS Management Account to the encryption via policy. If you don't know a password that will unlock the drive then you basically will have no access to wipe it.

Good luck. Hope this info helps!

mm2270
Legendary Contributor III

Just chiming in, same here as @alexjdale. Redeployment means wipe clean and re-image. Although we use DeployStudio, we have a script that runs as a first step that removes any CoreStorage volumes from the Mac's internal HD and reformats it back to a single partition, prepped for the imaging setup. I see no reason to decrypt prior to re-imaging, unless you planned on somehow using the Mac 'as is' and not re-imaging it, but I don't really see how that would make much sense.

@cgiordano

This process won't work if you or your team aren't the ones kicking off FV2 or adding the JSS Management Account to the encryption via policy. If you don't know a password that will unlock the drive then you basically will have no access to wipe it.

This is not true. While Apple makes it hard to unlock an encrypted disk without knowing a FileVault-enabled account password or the Recovery Key, neither is needed to reformat an encrypted volume. The trick is to use the diskutil deleteLVG <lvgUUID> command. Look it up in the man page for diskutil. It destroys a CoreStorage Logical Volume simply by knowing the Logical Volume Group's UUID. That's what our script does that we use in DeployStudio.
Once that's done, it's available to be reformatted however you want, in either Disk Utility.app or via script.
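A concrete form of the first-step script mm2270 describes, added here as an example; it is not the script from the thread or anything shipped with DeployStudio or the Casper Suite. It assumes the internal disk is disk0 (override with TARGET_DISK), that it runs as root from a different boot volume (NetBoot or an external drive), and that diskutil is the CoreStorage-era version, where deleteLVG is a subcommand of `diskutil coreStorage` (abbreviated `cs`). The LVG UUIDs are parsed out of `diskutil cs list` text, so the parsing step can be checked against the constructed sample embedded in the block without touching a real disk; the destructive step only runs when the script is invoked with --run.

```shell
#!/bin/sh
# Added example, not the thread's or DeployStudio's own script: destroy every
# CoreStorage Logical Volume Group (LVG) whose Physical Volume sits on the
# internal disk, then lay down a single Journaled HFS+ partition so the
# imaging tool can take over.
# Assumptions (hypothetical defaults): internal disk is disk0, we run as root
# from another boot volume, and diskutil is the CoreStorage-era version
# (OS X 10.7 through 10.12).
TARGET_DISK="${TARGET_DISK:-disk0}"

# Print the UUID of each LVG that has a Physical Volume on disk $1.
# $2 is the text of `diskutil cs list`. Pure text parsing, so it can be run
# on captured output without any disk access.
lvgs_on_disk() {
    printf '%s\n' "$2" | awk -v d="$1" '
        /Logical Volume Group/  { lvg = $NF }   # "+-- Logical Volume Group <UUID>"
        /Physical Volume/       { inpv = 1 }    # PV section carries "Disk: diskNsM"
        /Logical Volume Family/ { inpv = 0 }    # LV section has its own Disk: line; skip it
        inpv && /Disk:/ && $NF ~ ("^" d "s[0-9]+$") {
            if (!(lvg in seen)) { print lvg; seen[lvg] = 1 }
        }'
}

# The destructive part. No FileVault password or Recovery Key is needed to
# delete an LVG; the volume and the keys that unlock it go away together, so
# this is irreversible.
wipe_and_repartition() {
    cs_list=$(diskutil cs list) || return 1
    for uuid in $(lvgs_on_disk "$TARGET_DISK" "$cs_list"); do
        diskutil cs deleteLVG "$uuid" || return 1
    done
    # One GPT disk with a single JHFS+ volume. This leaves no Recovery HD;
    # the imaging step (or a recovery-partition tool) has to put it back.
    diskutil partitionDisk "$TARGET_DISK" GPT JHFS+ "Macintosh HD" 100%
}

# Constructed sample of `diskutil cs list` output (not captured from a real
# Mac): a locked FileVault LVG on disk0 and a second LVG on an external disk2.
SAMPLE_CS_LIST='CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group 1F5E2C3D-1111-2222-3333-444455556666
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 7A8B9C0D-AAAA-BBBB-CCCC-DDDDEEEEFFFF
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 0A0B0C0D-0000-1111-2222-333344445555
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        |
        +-> Logical Volume 9E9F9A9B-9999-8888-7777-666655554444
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Locked
|
+-- Logical Volume Group AAAA0000-2222-3333-4444-555566667777
    =========================================================
    Name:         External
    Status:       Online
    |
    +-< Physical Volume BBBB1111-CCCC-DDDD-EEEE-FFFF00001111
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk2s2
    |   Status:   Online
    |
    +-> Logical Volume Family CCCC2222-3333-4444-5555-666677778888
        ----------------------------------------------------------
        Encryption Type:         None'

case "${1:-}" in
    --run) wipe_and_repartition ;;
    *)     lvgs_on_disk "$TARGET_DISK" "$SAMPLE_CS_LIST" ;;   # dry run on the sample
esac
```

Run without arguments it only parses the embedded sample and prints the LVG UUID it would delete; `--run` performs the wipe. Filtering on the Physical Volume's disk matters because `diskutil cs list` also shows any encrypted external drives plugged into the Mac, and deleteLVG would happily destroy those too.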

cgiordano
Contributor

@mm2270 Thanks for the tip. I'll keep that command in mind the next time we encounter that.

NealIV
Contributor

@mm2270 and @cgiordano So what about the recovery partition? Do you add it back using the "Recovery Partition Creator 3.8"?

cgiordano
Contributor

@NealIV We use Casper Composer to capture the OS image, and it now captures the Recovery Partition, if present. You can restore the recovery partition using your application, Recovery Partition Creator 3.8, or, if you re-install OS X from a Recovery Partition on an external hard drive, it will restore that partition automatically.