Jamf
For initial deployment of Escrow Buddy, Jamf administrators can follow this template:
This profile ensures all new FileVault keys are escrowed to Jamf at next inventory update.
- Payload: Security & Privacy > FileVault > Escrow Personal Recovery Key
- Scope: All Computers
- Encryption Method: Automatic
- Escrow Location Description: (Your Company Name)
This smart group dynamically collects Macs that need a new FileVault recovery key generated and escrowed.
NOTE: See the Relevant product issues section for important information about the criteria below.
Criteria:

| | Criteria | Operator | Value |
|---|---|---|---|
| | Last Check-In | less than x days ago | 30 |
| and | Last Enrollment | more than x days ago | 1 |
| and | FileVault 2 Partition Encryption State | is | Encrypted |
| and | FileVault 2 Individual Key Validation | is not | Valid |
This policy installs Escrow Buddy.
- Package: Latest Escrow Buddy package downloaded from this page
- Scope: Active Macs without a valid FileVault key smart group (see above)
- Frequency: Once per computer
- Trigger: Check-in
This policy configures the preference setting that tells Escrow Buddy to regenerate a new key upon next login (repeatedly, if the Mac stays within scope).
- Files and Processes > Execute command (alternatively, put this command in a script and attach the script to the policy):

  ```
  defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
  ```

- Scope: Active Macs without a valid FileVault key smart group (see above)
- Frequency: Weekly (assumption: you have a daily or weekly policy that updates inventory)
- Trigger: Check-in
Some macOS updates and upgrades reset the authorization database to its default state, which will deactivate Escrow Buddy and prevent FileVault key generation upon next login. See the FAQ page for details.
To resolve this with Jamf, you can use the following:
This extension attribute determines whether Escrow Buddy is correctly configured in the macOS authorization database.
```bash
#!/bin/bash
# Jamf extension attribute: reports whether the Escrow Buddy mechanism is
# present in the system.login.console right of the authorization database.
DBENTRY="<string>Escrow Buddy:Invoke,privileged</string>"
# `security authorizationdb read` prints the right as an XML plist; the
# mechanism string appears verbatim when Escrow Buddy is configured.
if /usr/bin/security authorizationdb read system.login.console 2>/dev/null | grep -q "$DBENTRY"; then
    echo "<result>Configured</result>"
else
    echo "<result>Not Configured</result>"
fi
```
This smart group dynamically collects Macs that need Escrow Buddy re-added to the authorization database.
Criteria:

| | Criteria | Operator | Value |
|---|---|---|---|
| | Last Check-In | less than x days ago | 30 |
| and | Last Enrollment | more than x days ago | 1 |
| and | Packages Installed By Installer.app/SWU | has | com.netflix.Escrow-Buddy |
| and | Escrow Buddy authdb status | is | Not Configured |
This policy reinstalls Escrow Buddy, which includes reconfiguration of the authorization database.
- Package: Latest Escrow Buddy package downloaded from this page
- Scope: Escrow Buddy installed but not in authorization database smart group (see above)
- Frequency: Once per week (assumption: you have a daily or weekly policy that updates inventory)
- Trigger: Check-in
To uninstall Escrow Buddy using Jamf, you can use a once-per-computer policy with the uninstall script here attached.
- PI110992: FileVault Recovery Key switches from "Valid" to "Unknown" after an inventory update

  Edit: as of 10/17/23, the Jamf 11.0.0 release notes state that PI110992 has been fixed.

  Be aware that this may result in Macs with valid escrowed keys being incorrectly regenerated and re-escrowed, if you use the FileVault 2 Partition Encryption State criterion in smart groups.
Default Jamf inventory collection does not collect versions of non-app bundles like authorization plugins. You can use this extension attribute to retrieve the installed version of Escrow Buddy.
```bash
#!/bin/bash
# Jamf extension attribute: reports the installed Escrow Buddy version by
# reading the authorization plugin bundle's Info.plist.
BUNDLE_PATH="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
VERSION_KEY="CFBundleShortVersionString"
if [ -f "$BUNDLE_PATH/Contents/Info.plist" ]; then
    RESULT=$(defaults read "$BUNDLE_PATH/Contents/Info.plist" "$VERSION_KEY")
else
    RESULT="Not Installed"
fi
echo "<result>$RESULT</result>"
```
This blog post provides a method of triggering jamf recon immediately after new FileVault keys are generated and ready to escrow.
Jamf users have reported that Macs that previously showed a "valid" FileVault recovery key can occasionally change to "invalid" or "unknown." This may be because of the product issue detailed here. If you set up the Configure Escrow Buddy to Regenerate FileVault key at next login policy as shown above, with frequency set to Weekly, Jamf will take care of communicating to Escrow Buddy that a new key generation is needed at next login.
If additional metrics are desired, you can replace the one-line defaults write command shown above with this script in the policy payload:
```bash
#!/bin/bash
# Sets GenerateNewKey and records each time the Jamf policy had to set it.
DEST_PLIST="/Library/Preferences/com.netflix.Escrow-Buddy.plist"
# `defaults read` prints a boolean true as "1"; a missing key prints nothing.
VALUE=$(defaults read "$DEST_PLIST" GenerateNewKey 2>/dev/null)
if [[ "$VALUE" == "1" ]]; then
    echo "GenerateNewKey is already true."
    exit 0
fi
defaults write "$DEST_PLIST" GenerateNewKey -bool true
echo "Set GenerateNewKey to true."
# Create the array if it does not exist yet (PlistBuddy errors if it does,
# which is silenced), then prepend the current date as a new element.
/usr/libexec/PlistBuddy -c "Add GenerateNewKeySetWhen array" "$DEST_PLIST" 2>/dev/null
/usr/libexec/PlistBuddy -c "Add GenerateNewKeySetWhen:0 date \"$(date)\"" "$DEST_PLIST"
echo "Recorded current date: $(date)."
```
This will add a new GenerateNewKeySetWhen key to the Escrow Buddy prefs, which will store datestamps to an array each time a Mac receives the configuration from the Jamf policy. Macs with multiple datestamps in the array are likely candidates for investigation as to why valid keys become invalid.
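To turn "multiple datestamps" into something a smart group can scope on, the following extension attribute reports how many entries the array holds. This is an added example, not part of Escrow Buddy or the scripts above; it assumes the array was written by the script above and that `defaults read` prints each date element on its own quoted line, which is the format it uses for date values.

```shell
#!/bin/bash
# Added example: Jamf extension attribute reporting how many times the
# GenerateNewKeySetWhen array has been appended to on this Mac. Scope a smart
# group on this attribute being greater than 1 to find Macs whose valid key
# keeps being invalidated. The attribute name in Jamf is up to you.

DEST_PLIST="/Library/Preferences/com.netflix.Escrow-Buddy.plist"

# Count array elements in the text `defaults read` prints for an array.
# Assumption: each date element is printed on its own line, quoted, starting
# with a YYYY-MM-DD timestamp; the surrounding parentheses match nothing.
# grep -c exits 1 when the count is 0, so the `|| true` keeps the pipeline clean.
count_datestamps() {
    grep -c '^[[:space:]]*"[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}' || true
}

# Read the array from a plist; a missing key or file yields no lines, so the
# count is 0 rather than an error.
read_count() {
    plist="$1"
    /usr/bin/defaults read "$plist" GenerateNewKeySetWhen 2>/dev/null | count_datestamps
}

echo "<result>$(read_count "$DEST_PLIST")</result>"
```

The result is an integer, so create the extension attribute with the Integer data type in Jamf; the smart group criterion can then use "more than" rather than string matching.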
For tracking progress towards successful escrow of your whole fleet's FileVault keys, you can use two mutually exclusive advanced computer searches.
NOTE: See the Relevant product issues section for important information about the criteria below.
Criteria:

| | Criteria | Operator | Value |
|---|---|---|---|
| | Managed | is | Managed |
| and | Last Check-In | less than x days ago | 30 |
| and | Last Enrollment | more than x days ago | 1 |
| and | FileVault 2 Partition Encryption State | is | Encrypted |
| and | FileVault 2 Individual Key Validation | is | Valid |
NOTE: See the Relevant product issues section for important information about the criteria below.
Criteria:

| | Criteria | Operator | Value |
|---|---|---|---|
| | Managed | is | Managed |
| and | Last Check-In | less than x days ago | 30 |
| and | Last Enrollment | more than x days ago | 1 |
| and | FileVault 2 Partition Encryption State | is | Encrypted |
| and | FileVault 2 Individual Key Validation | is not | Valid |
You can use the Jamf API to record the total membership of the above groups daily during your FileVault remediation initiative, and use the resulting data to show progress over time.
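One way to do that daily recording, as an added example that is not part of Escrow Buddy or Jamf's own tooling: fetch each advanced computer search from the Jamf Classic API (`GET /JSSResource/advancedcomputersearches/id/{id}`, whose XML carries the member count in `<computers><size>`), and append a dated row to a CSV. It assumes the environment variables `JSS_URL`, `JSS_USER` and `JSS_PASS` (a read-only API account), the two search IDs in `VALID_ID` and `INVALID_ID`, and an optional `CSV` path; all of these names are this example's own.

```shell
#!/bin/bash
# Added example: record the membership size of the "valid key" and
# "not valid key" advanced computer searches once a day in a CSV, so the
# FileVault remediation trend can be charted. Run it from cron or a scheduler.
# Assumed environment: JSS_URL, JSS_USER, JSS_PASS, VALID_ID, INVALID_ID, CSV.

# Extract the membership count from the XML body of an advanced computer
# search. Whitespace and newlines are stripped first so the pattern matches
# whether the XML comes back compact or pretty-printed.
extract_size() {
    tr -d '\n\r\t ' | sed -n 's|.*<computers><size>\([0-9]*\)</size>.*|\1|p'
}

# Fetch one search by ID and print its size; prints nothing on HTTP failure
# (curl -f) or if the body has no <computers><size> element.
search_size() {
    id="$1"
    curl -sf -u "${JSS_USER}:${JSS_PASS}" -H "accept: application/xml" \
        "${JSS_URL%/}/JSSResource/advancedcomputersearches/id/${id}" | extract_size
}

# Append one dated row to the CSV, writing the header if the file is new/empty.
record_row() {
    csv="$1"; day="$2"; valid="$3"; invalid="$4"
    [ -s "$csv" ] || echo "date,valid_key,invalid_key" > "$csv"
    echo "${day},${valid},${invalid}" >> "$csv"
}

main() {
    valid=$(search_size "${VALID_ID:?set VALID_ID to the valid-key search ID}")
    invalid=$(search_size "${INVALID_ID:?set INVALID_ID to the not-valid-key search ID}")
    if [ -z "$valid" ] || [ -z "$invalid" ]; then
        echo "Could not read search membership from Jamf; nothing recorded." >&2
        return 1
    fi
    record_row "${CSV:-filevault_progress.csv}" "$(date +%F)" "$valid" "$invalid"
}

# Only contact Jamf when a server URL is configured; the helpers above can be
# exercised on their own otherwise.
if [ -n "${JSS_URL:-}" ]; then
    main "$@"
fi
```

Because both searches are scoped to the same Managed/Last Check-In/Last Enrollment/Encrypted population, the two columns should sum to roughly the number of active encrypted Macs each day; a sudden drop in the valid column without a matching rise in the invalid one usually points at the inventory issue described under PI110992 rather than real key loss. Jamf is phasing out basic authentication to the Classic API in favour of bearer tokens from `/api/v1/auth/token`; if your Jamf Pro version rejects `-u`, obtain a token first and send it as an `Authorization: Bearer` header instead.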