Skip to content
Elliot Jordan edited this page Oct 18, 2024 · 8 revisions

Munki is not an MDM and cannot escrow FileVault keys. However, Munki is often used in combination with MDMs, and can serve both as a useful means to deploy Escrow Buddy and as a method for keeping the authorization database configured.

Contents

Deployment

The recommended way to import Escrow Buddy into Munki is creating and running an override for this AutoPkg recipe. This will ensure your pkginfo contains the correct uninstall method and minimum OS version for easier deployments.

Pkginfo

If you choose not to use the AutoPkg recipe linked above, you can download the latest Escrow Buddy installer from here and use munkiimport to import into your repository manually. (See this Munki wiki page for details about munkiimport.)

After creating a basic pkginfo file, you may want to consider copying these keys from the AutoPkg recipe:

Manifest

In order to install Escrow Buddy on the desired Macs, you must add Escrow Buddy as a managed_install in the manifest corresponding to that Mac. There are numerous ways to do this, but here are three examples:

Install on all Macs

To install on all Macs, make Escrow Buddy a managed_install in the site_default manifest (or equivalent manifest you use to apply software to all managed Macs). See example below.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>catalogs</key>
    <array>
        <string>stable</string>
    </array>
    <key>managed_installs</key>
    <array>
        <string>Escrow Buddy</string>
    </array>
</dict>
</plist>

Install on specific Macs (SelfServeManifest)

To install on specific Macs, have your MDM run this script on Macs that lack a valid escrowed FileVault recovery key:

#!/bin/bash
exec 2>/dev/null
MANIFEST="/Library/Managed Installs/manifests/SelfServeManifest"
if /usr/libexec/PlistBuddy -c "Print managed_installs" "$MANIFEST" | grep -q "Escrow Buddy"; then
    echo "Escrow Buddy is already a managed install."
    exit 0
fi
/usr/libexec/PlistBuddy -c "Add managed_installs array" "$MANIFEST"
/usr/libexec/PlistBuddy -c "Add managed_installs:0 string 'Escrow Buddy'" "$MANIFEST"
echo "Added Escrow Buddy as a managed install."

(Modify SelfServeManifest to your desired local manifest, if you use a custom LocalOnlyManifest setting.)

After doing this, Munki will install Escrow Buddy during its next automatic check.

Install on specific Macs (included manifest)

Another way to install Escrow Buddy on specific Macs that need it, if you're using machine-specific manifests or serial number based manifests, is to add an "included" manifest that includes Escrow Buddy as a managed install.

For example, a computer with a matching serial number would reference this file at manifests/K12LM34PQ4:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>catalogs</key>
    <array>
        <string>stable</string>
    </array>
    <key>included_manifests</key>
    <array>
        <string>groups/needs_fv_escrow</string>
    </array>
</dict>
</plist>

Then the included manifest stored at manifests/groups/needs_fv_escrow would add Escrow Buddy as a managed install:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>managed_installs</key>
    <array>
        <string>Escrow Buddy</string>
    </array>
</dict>
</plist>

(Note the lack of catalogs since this is an included manifest.)

For details on this approach to organizing manifests, see this blog post: Another opinionated guide to Munki manifests

Authorization database maintenance

Some macOS updates and upgrades reset the authorization database to its default state, which will deactivate Escrow Buddy and prevent FileVault key generation upon next login. See the FAQ page for details.

To resolve this with Munki, you can use this nopkg item.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>autoremove</key>
    <false/>
    <key>catalogs</key>
    <array>
        <string>testing</string>
    </array>
    <key>category</key>
    <string>Utilities</string>
    <key>description</key>
    <string>Escrow Buddy is a tool used by MDM administrators to ensure a valid FileVault recovery key is escrowed for your Mac.</string>
    <key>developer</key>
    <string>Netflix</string>
    <key>display_name</key>
    <string>Escrow Buddy Configuration</string>
    <key>installcheck_script</key>
    <string>#!/bin/bash
exec 2&gt;/dev/null
if /usr/bin/security authorizationdb read system.login.console | grep -q '&lt;string&gt;Escrow Buddy:Invoke,privileged&lt;/string&gt;'; then
    echo "Escrow Buddy configuration OK."
    exit 1  # do not proceed with postinstall_script
else
    echo "Escrow Buddy configuration needs repair."
    exit 0  # proceed with postinstall_script
fi
</string>
    <key>installer_type</key>
    <string>nopkg</string>
    <key>minimum_os_version</key>
    <string>10.14.4</string>
    <key>name</key>
    <string>Escrow Buddy Config</string>
    <key>postinstall_script</key>
    <string>#!/bin/bash
echo "Adding Escrow Buddy to authorization database..."
"/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle/Contents/Resources/AuthDBSetup.sh"
</string>
    <key>unattended_install</key>
    <true/>
    <key>uninstallable</key>
    <false/>
    <key>update_for</key>
    <array>
        <string>Escrow Buddy</string>
    </array>
    <key>version</key>
    <string>1.0</string>
</dict>
</plist>

Removal

If you import Escrow Buddy into your Munki repo using an override of this AutoPkg recipe, the required uninstall behavior will already be in place. All that's needed is to put Escrow Buddy into the managed_uninstalls array of the appropriate manifest or SelfServeManifest, similar to the manifest methods shown above.

Other Munki tips

Conditional item

One way to simplify the scoping of Escrow Buddy to Macs that need it is to use a conditional item. See this post for a workflow that uses a conditional item to install Escrow Buddy on Macs that need it, and automatically remove Escrow Buddy from Macs that don't.

Icon

An 350px square icon has been provided here, which you can copy to your Munki repo as icons/Escrow Buddy.png for use in Managed Software Center.