-
Notifications
You must be signed in to change notification settings - Fork 11
Jamf
For initial deployment of Escrow Buddy, Jamf administrators can follow this template:
This profile ensures all new FileVault keys are escrowed to Jamf at next inventory update.
-
Security & Privacy > FileVault > Escrow Personal Recovery Key:
- Scope: All Computers
- Encryption Method: Automatic
- Escrow Location Description: (Your Company Name)
This smart group dynamically collects Macs that need a new FileVault recovery key generated and escrowed.
-
Criteria:
-
[Last Check-In][less than x days ago][30] -
[and][Last Enrollment][more than x days ago][1] -
[and][FileVault 2 Partition Encryption State][is][Encrypted] -
[and][FileVault 2 Individual Key Validation][is not][Valid]
-
This policy installs Escrow Buddy.
- Package: Latest Escrow Buddy package downloaded from this page
- Scope: Active Macs without a valid FileVault key smart group (see above)
- Frequency: Once per computer
- Trigger: Check-in
This policy configures the preference setting that tells Escrow Buddy to regenerate a new key upon next login (repeatedly, if the Mac stays within scope).
-
Files and Processes: Execute command:
(Alternatively, put this command in a script and attach the script to the policy.)
defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true - Scope: Active Macs without a valid FileVault key smart group (see above)
-
Frequency: Weekly
- (Assumption: you have a daily or weekly policy that updates inventory)
- Trigger: Check-in
Some macOS updates and upgrades reset the authorization database to its default state, which will deactivate Escrow Buddy and prevent FileVault key generation upon next login. See the FAQ page for details.
To resolve this with Jamf, you can use the following:
This extension attribute determines whether Escrow Buddy is correctly configured in the macOS authorization database.
#!/bin/bash
DBENTRY="<string>Escrow Buddy:Invoke,privileged</string>"
if /usr/bin/security authorizationdb read system.login.console 2>/dev/null | grep -q "$DBENTRY"; then
echo "<result>Configured</result>"
else
echo "<result>Not Configured</result>"
fiThis smart group dynamically collects Macs that need Escrow Buddy re-added to the authorization database.
-
Criteria:
-
[Last Check-In][less than x days ago][30] -
[and][Last Enrollment][more than x days ago][1] -
[and][Packages Installed By Installer.app/SWU][has][com.netflix.Escrow-Buddy] -
[and][Escrow Buddy authdb status][is][Not Configured]
-
This policy reinstalls Escrow Buddy, which includes reconfiguration of the authorization database.
- Package: Latest Escrow Buddy package downloaded from this page
- Scope: Escrow Buddy installed but not in authorization database smart group (see above)
-
Frequency: Once per week
- (Assumption: you have a daily or weekly policy that updates inventory)
- Trigger: Check-in
To uninstall Escrow Buddy using Jamf, you can use a once-per-computer policy with the uninstall script here attached.
It is recommended to run Jamf Pro version 11.0 or higher due to a product issue (PI110992) affecting the accuracy of the FileVault 2 Individual Key Validation attribute in previous versions.
Default Jamf inventory collection does not collect versions of non-app bundles like authorization plugins. You can use this extension attribute to retrieve the installed version of Escrow Buddy.
#!/bin/bash
BUNDLE_PATH="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
VERSION_KEY="CFBundleShortVersionString"
if [ -f "$BUNDLE_PATH/Contents/Info.plist" ]; then
RESULT=$(defaults read "$BUNDLE_PATH/Contents/Info.plist" "$VERSION_KEY")
else
RESULT="Not Installed"
fi
echo "<result>$RESULT</result>"This blog post provides a method of triggering jamf recon immediately after new FileVault keys are generated and ready to escrow.
Jamf Pro versions earlier than 11.0 had a product issue (PI110992) that caused Macs that previously showed a "valid" FileVault recovery key can occasionally change to "invalid" or "unknown." It is recommended to upgrade to Jamf Pro 11.0 or higher to resolve this.
For other causes of recidivism, you can gather metrics on frequency and scope by replacing the one-line defaults write command shown above with this script in the policy payload:
#!/bin/bash
DEST_PLIST="/Library/Preferences/com.netflix.Escrow-Buddy.plist"
VALUE=$(defaults read "$DEST_PLIST" GenerateNewKey 2>/dev/null)
if [[ "$VALUE" == "1" ]]; then
echo "GenerateNewKey is already true."
exit 0
fi
defaults write "$DEST_PLIST" GenerateNewKey -bool true
echo "Set GenerateNewKey to true."
/usr/libexec/PlistBuddy -c "Add GenerateNewKeySetWhen array" "$DEST_PLIST" 2>/dev/null
/usr/libexec/PlistBuddy -c "Add GenerateNewKeySetWhen:0 date \"$(date)\"" "$DEST_PLIST"
echo "Recorded current date: $(date)."This will add a new GenerateNewKeySetWhen key to the Escrow Buddy prefs, which will store datestamps to an array each time a Mac receives the configuration from the Jamf policy. Macs with multiple datestamps in the array are likely candidates for investigation as to why valid keys become invalid.
For tracking progress towards successful escrow of your whole fleet's FileVault keys, you can use two mutually exclusive advanced computer searches.
-
Criteria:
-
[Managed][is][Managed] -
[and][Last Check-In][less than x days ago][30] -
[and][Last Enrollment][more than x days ago][1] -
[and][FileVault 2 Partition Encryption State][is][Encrypted] -
[and][FileVault 2 Individual Key Validation][is][Valid]
-
-
Criteria:
-
[Managed][is][Managed] -
[and][Last Check-In][less than x days ago][30] -
[and][Last Enrollment][more than x days ago][1] -
[and][FileVault 2 Partition Encryption State][is][Encrypted] -
[and][FileVault 2 Individual Key Validation][is not][Valid]
-
You can use the Jamf API to record the total membership of the above groups daily during your FileVault remediation initiative, and use the resulting data to show progress over time.