Skip to main content
Question

re-imaging / re-deploying encrypted Macs

  • September 7, 2017
  • 5 replies
  • 24 views
O
Forum|alt.badge.img+14

Fellas..

We're about ready to enforce FileVault on a pilot group of about 100 users. While encrypting is the easy part, I wanted to know how you handle the decryption of Macs for when they are turned in for reimaging or redeployment.

We are utilizing both individual and institutional recovery keys, and we've read through Rich Trouton's documentation more than once. Howerver we were curious how others were handling such a task, as there seems to be no decryption method that management thinks is "fast enough"...especially if the previous user is no longer with the company.

They think going through the hassle of resetting local account passwords via Recovery Partition and / or decrypting using institutional key is too tedious and labor intensive.

Oh.. and the majority of our Macs are bound to AD.

Ideas?

    5 replies

    R
    Forum|alt.badge.img+9
    • rwinfie
    • Contributor
    • September 7, 2017

    If you dont need the data , why decrypt ? Just wipe the drive and reimage.

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • September 7, 2017

    If "reimaging" in your case means old style nuke and pave, there's no need to decrypt them (unless you needed some data off them first) We use scripts that simply blow away the partitions and essentially flatten the volume, ready for a base image + recovery partition to be laid down on it as the first step. All remnants of FileVault are gone this way, so there's no need to know a Recovery key or bother with decryption.

    If you use some other kind of imaging or provisioning process, then you might need to mess with removing encryption first. I'm guessing that may not be the case though.

    O
    Forum|alt.badge.img+14
    • ooshnoo
    • Author
    • Honored Contributor
    • September 7, 2017

    hmmm... I guess maybe I missed the boat on this. So you don't need to decrypt in order to netboot and wipe the drive?

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • September 7, 2017

    Nope. While we don't "NetBoot" our Macs, we do boot them from a bootable drive to image, so essentially the same thing. The thing about FileVault is that it's about protecting the data on disk from being accessed by unauthorized people. It doesn't protect the data from being wiped. If the drive is erased by way of the CoreStorage partition being destroyed, the data is no longer accessible.

    O
    Forum|alt.badge.img+14
    • ooshnoo
    • Author
    • Honored Contributor
    • September 7, 2017

    @mm2270 cool thanks. will give it a shot.

    Terms & ConditionsCookie settingsAccessibility statement