Deployment
- Your managed Macs must:
  - be enrolled in an MDM
  - have macOS Mojave 10.14.4 or newer
    - Note: Deployment to Macs running a macOS version older than 10.14.4 may be possible by deploying this Swift 5 runtime support package, but this is not officially supported by the Escrow Buddy maintainers.
- Your MDM must:
  - support FileVault recovery key escrow
  - deploy a configuration profile with the FDERecoveryKeyEscrow payload
  - have the ability to install packages and run shell scripts
NOTE: Escrow Buddy only works with MDM-based escrow solutions, not escrow servers like Crypt Server or Cauliflower Vest.
- Ensure you have an escrow profile scoped to all Macs with the FDERecoveryKeyEscrow payload. This ensures that any newly generated FileVault recovery key, no matter how it's generated, is escrowed to your MDM server.
- Use your MDM to install the latest Escrow Buddy installer package on your Macs. You can install it on all Macs or limit it to those that need FileVault recovery keys escrowed.
- Use your MDM to run this command (in root context) on Macs that do not have a valid FileVault recovery key escrowed:
  defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
  It is recommended to have this command run dynamically on Macs that need it, using your MDM's dynamic scoping feature. See the Examples page for examples.
That's it! The next time a FileVault-authorized user logs in to the Mac, a new FileVault personal recovery key will be generated and escrowed to your MDM.
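As an added example (not Escrow Buddy's own code), here is a hypothetical MDM-run script that checks the client-side prerequisites from the list above before running the GenerateNewKey command in root context. Which Macs it runs on is still decided by the MDM's dynamic scope (Macs without a valid escrowed key); the script only confirms the Mac can act on the flag, and the prerequisite check is a function that takes the `fdesetup status` and `sw_vers -productVersion` text as arguments so the logic can be exercised off a Mac.

```shell
#!/bin/sh
# Hypothetical MDM script (added example): verify prerequisites, then set
# GenerateNewKey so Escrow Buddy regenerates and escrows the key at next login.

# version_ge A B: success if dotted version A >= B (three numeric fields).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        # ".0.0" is appended so short versions like "13.4" still yield 3 fields
        f1=$(printf '%s.0.0' "$1" | cut -d. -f"$i")
        f2=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
        if [ "$f1" -gt "$f2" ]; then return 0; fi
        if [ "$f1" -lt "$f2" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# should_set_generate_flag FV_STATUS OS_VERSION: success if this Mac meets the
# prerequisites. FV_STATUS is the output of `fdesetup status`, OS_VERSION the
# output of `sw_vers -productVersion`; both are passed in as text.
should_set_generate_flag() {
    case "$1" in
        *"FileVault is On"*) ;;   # only an encrypted volume has a key to escrow
        *) return 1 ;;
    esac
    version_ge "$2" "10.14.4"     # minimum supported macOS for Escrow Buddy
}

# apply_flag: the root-context command from the deployment steps.
apply_flag() {
    defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root (MDM root context)" >&2; return 2
    fi
    if should_set_generate_flag "$(fdesetup status)" "$(sw_vers -productVersion)"; then
        apply_flag && echo "GenerateNewKey set; key regenerates at next FileVault login"
    else
        echo "prerequisites not met; GenerateNewKey left unset" >&2; return 1
    fi
}

# Only act when invoked as a script under this name (assumed filename);
# sourcing the file, e.g. for tests, defines the functions and runs nothing.
case "$0" in *escrow_buddy_flag.sh) main "$@" ;; esac
```

Deploy it as `escrow_buddy_flag.sh` through the MDM's script feature; a non-zero exit tells the MDM the flag was not set and why.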
If you've deployed Escrow Buddy at your organization, consider submitting this brief survey that helps us gauge the project's community impact. Thank you!