Skip to content
Elliot Jordan edited this page Feb 27, 2024 · 14 revisions

Contents

Deployment

For initial deployment of Escrow Buddy, Jamf administrators can follow this template:

Profile: FileVault Escrow

This profile ensures all new FileVault keys are escrowed to Jamf at next inventory update.

  • Security & Privacy > FileVault > Escrow Personal Recovery Key:
    • Scope: All Computers
    • Encryption Method: Automatic
    • Escrow Location Description: (Your Company Name)

Smart Group: Active Macs without a valid FileVault key

This smart group dynamically collects Macs that need a new FileVault recovery key generated and escrowed.

  • Criteria:
    • [Last Check-In]   [less than x days ago]   [30]
    • [and]   [Last Enrollment]   [more than x days ago]   [1]
    • [and]   [FileVault 2 Partition Encryption State]   [is]   [Encrypted]
    • [and]   [FileVault 2 Individual Key Validation]   [is not]   [Valid]

Policy: Install Escrow Buddy on Macs without a valid FileVault key

This policy installs Escrow Buddy.

Policy: Configure Escrow Buddy to regenerate FileVault key at next login

This policy configures the preference setting that tells Escrow Buddy to regenerate a new key upon next login (repeatedly, if the Mac stays within scope).

  • Files and Processes: Execute command:
    defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
    
    (Alternatively, put this command in a script and attach the script to the policy.)
  • Scope: Active Macs without a valid FileVault key smart group (see above)
  • Frequency: Weekly
    • (Assumption: you have a daily or weekly policy that updates inventory)
  • Trigger: Check-in

Authorization database maintenance

Some macOS updates and upgrades reset the authorization database to its default state, which will deactivate Escrow Buddy and prevent FileVault key generation upon next login. See the FAQ page for details.

To resolve this with Jamf, you can use the following:

Extension attribute: Escrow Buddy authdb status

This extension attribute determines whether Escrow Buddy is correctly configured in the macOS authorization database.

#!/bin/bash

DBENTRY="<string>Escrow Buddy:Invoke,privileged</string>"
if /usr/bin/security authorizationdb read system.login.console 2>/dev/null | grep -q "$DBENTRY"; then
    echo "<result>Configured</result>"
else
    echo "<result>Not Configured</result>"
fi

Smart Group: Escrow Buddy installed but not in authorization database

This smart group dynamically collects Macs that need Escrow Buddy re-added to the authorization database.

  • Criteria:
    • [Last Check-In]   [less than x days ago]   [30]
    • [and]   [Last Enrollment]   [more than x days ago]   [1]
    • [and]   [Packages Installed By Installer.app/SWU]   [has]   [com.netflix.Escrow-Buddy]
    • [and]   [Escrow Buddy authdb status]   [is]   [Not Configured]

Policy: Reconfigure Escrow Buddy in authorization database

This policy reinstalls Escrow Buddy, which includes reconfiguration of the authorization database.

Removal

To uninstall Escrow Buddy using Jamf, you can use a once-per-computer policy with the uninstall script here attached.

Other Jamf tips

Recommended version

It is recommended to run Jamf Pro version 11.0 or higher due to a product issue (PI110992) affecting the accuracy of the FileVault Recovery Key Validation attribute in previous versions.

Getting Escrow Buddy version

Default Jamf inventory collection does not collect versions of non-app bundles like authorization plugins. You can use this extension attribute to retrieve the installed version of Escrow Buddy.

#!/bin/bash

BUNDLE_PATH="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
VERSION_KEY="CFBundleShortVersionString"

if [ -f "$BUNDLE_PATH/Contents/Info.plist" ]; then
    RESULT=$(defaults read "$BUNDLE_PATH/Contents/Info.plist" "$VERSION_KEY")
else
    RESULT="Not Installed"
fi

echo "<result>$RESULT</result>"

Speeding up time between key generation and escrow

This blog post provides a method of triggering jamf recon immediately after new FileVault keys are generated and ready to escrow.

Detecting escrow recidivism

Jamf Pro versions earlier than 11.0 had a product issue (PI110992) that caused Macs that previously showed a "valid" FileVault recovery key can occasionally change to "invalid" or "unknown." It is recommended to upgrade to Jamf Pro 11.0 or higher to resolve this.

For other causes of recidivism, you can gather metrics on frequency and scope by replacing the one-line defaults write command shown above with this script in the policy payload:

#!/bin/bash

DEST_PLIST="/Library/Preferences/com.netflix.Escrow-Buddy.plist"
VALUE=$(defaults read "$DEST_PLIST" GenerateNewKey 2>/dev/null)
if [[ "$VALUE" == "1" ]]; then
    echo "GenerateNewKey is already true."
    exit 0
fi

defaults write "$DEST_PLIST" GenerateNewKey -bool true
echo "Set GenerateNewKey to true."

/usr/libexec/PlistBuddy -c "Add GenerateNewKeySetWhen array" "$DEST_PLIST" 2>/dev/null
/usr/libexec/PlistBuddy -c "Add GenerateNewKeySetWhen:0 date \"$(date)\"" "$DEST_PLIST"
echo "Recorded current date: $(date)."

This will add a new GenerateNewKeySetWhen key to the Escrow Buddy prefs, which will store datestamps to an array each time a Mac receives the configuration from the Jamf policy. Macs with multiple datestamps in the array are likely candidates for investigation as to why valid keys become invalid.

Tracking FileVault escrow metrics

For tracking progress towards successful escrow of your whole fleet's FileVault keys, you can use two mutually exclusive advanced computer searches.

Advanced computer search: Valid FileVault PRK Escrowed

  • Criteria:
    • [Managed]   [is]   [Managed]
    • [and]   [Last Check-In]   [less than x days ago]   [30]
    • [and]   [Last Enrollment]   [more than x days ago]   [1]
    • [and]   [FileVault 2 Partition Encryption State]   [is]   [Encrypted]
    • [and]   [FileVault 2 Individual Key Validation]   [is]   [Valid]

Advanced computer search: No valid FileVault PRK Escrowed

  • Criteria:
    • [Managed]   [is]   [Managed]
    • [and]   [Last Check-In]   [less than x days ago]   [30]
    • [and]   [Last Enrollment]   [more than x days ago]   [1]
    • [and]   [FileVault 2 Partition Encryption State]   [is]   [Encrypted]
    • [and]   [FileVault 2 Individual Key Validation]   [is not]   [Valid]

You can use the Jamf API to record the total membership of the above groups daily during your FileVault remediation initiative, and use the resulting data to show progress over time.

Clone this wiki locally