When a Mac has FileVault enabled, the only way to recover data if a user forgets their password is with the FileVault recovery key. Addigy can enforce FileVault and automatically escrow the recovery key as a device fact — but there are scenarios where a key may never make it into Addigy. This happens most commonly when a device enrolls with FileVault already enabled, or when a user turns on FileVault before the MDM configuration profile (Device Setting) is installed.
In these situations, the device needs to generate a new recovery key and escrow it to Addigy. This guide walks through how to accomplish that silently — without any end user interaction — using a third-party tool called Escrow Buddy. Escrow Buddy hooks into the macOS login process and uses the password supplied at login to generate a new recovery key. As long as the Addigy FileVault Device Setting is configured to escrow recovery keys, that new key will be sent to Addigy automatically.
By the end of this guide, you will have:
- A Security & Privacy Device Setting configured to enforce FileVault and escrow recovery keys
- Escrow Buddy uploaded to Addigy and configured as a Smart Software item
- A Flex Policy that automatically targets devices with FileVault enabled but no escrowed key
- Escrow Buddy deployed to those devices
Step 1: Create the FileVault Device Setting
This profile enforces FileVault on managed devices and enables recovery key escrow to Addigy.
- Navigate to Catalog > Device Settings.
- Create a new Device Setting and select Security and Privacy.
- Give the Device Setting a descriptive name.
- Click the FileVault tab within the payload.
- Enable the Enable FileVault key.
- Check the box to Escrow Personal Recovery Key.
- Configure any additional FileVault settings as needed for your environment.
- Click Create Profile.
Note: You will need to add this profile to the Flex Policy created in Step 3. Keep it in mind as you work through this guide.
Step 2: Create the Smart Software Item
Escrow Buddy needs to be both installed and configured to generate a new recovery key. The configuration command is added directly to the Smart Software installation script so both happen in a single deployment.
- Download the latest Escrow Buddy package from the Escrow Buddy GitHub releases page.
- Navigate to Catalog > Software > Smart Software and click New.
- Enter a name for the item — for example, Escrow Buddy Install.
- Click Select File(s), upload the Escrow Buddy package, then select it for use in the Smart Software item.
- Click Add in the Install Command column to auto-generate the installation script for the package.
- Paste the following line below the auto-generated installation command to configure Escrow Buddy to generate a new recovery key on next login:
defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
- Expand the Removal Command section.
- In the Add directory path to script field, enter:
/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle
- Click Add to script. This will generate a removal command to clean up Escrow Buddy when it is removed from a policy.
- Click Save.
Step 3: Create the Flex Policy
A Flex Policy automatically assigns devices based on criteria you define. You will use it to target devices that have FileVault enabled but are missing an escrowed recovery key.
Note: Verify that Flex Policies are enabled in your account before proceeding. Navigate to Account > Integrations and confirm the Flex Policies feature is toggled on.
- Navigate to Policies and create a new Policy.
- Name it something descriptive — for example, Unknown FileVault Recovery Key.
- On the Policy's Overview page, click Add Filters.
- On the Auto-Assignment page, click Add Filter.
- Search for FileVault and select the FileVault Enabled fact. Set the operator to = (equals) and the toggle to true (green).
- Click Add Filter again, search for FileVault, and select FileVault Key Escrowed. Set the operator to = (equals) and the toggle to false (gray).
- Optionally, add additional filters to narrow the scope — for example, by Policy IDs or Device Model Name. By default, the filter will match devices across your entire account.
- Click Test Filter to confirm only the intended devices are being targeted.
- Select the checkbox to unassign devices that no longer match this filter set. This ensures Escrow Buddy is automatically removed once a key has been successfully escrowed.
- Save the auto-assignment.
- Before closing the popup, toggle the Enabled switch at the top to activate the filter.
- Add the Security & Privacy Device Setting created in Step 1 to this Flex Policy.
Step 4: Deploy Escrow Buddy
With the Smart Software item and Flex Policy both configured, assign Escrow Buddy to the policy to begin deployment.
- Navigate to Catalog > Software > Smart Software.
- Find the Escrow Buddy Smart Software item you created and click the ellipsis (…) menu.
- Click Assignments.
- Select the Flex Policy you created and click Save.
Escrow Buddy will now be deployed to any device that has FileVault enabled but is missing an escrowed recovery key. The next time a user logs in to one of those devices, Escrow Buddy will generate a new recovery key and escrow it to Addigy. Once the key is escrowed, the device will no longer match the Flex Policy filter and Escrow Buddy will be automatically removed.
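To confirm on a device that the pieces above are in place before a user logs in, the read-only check below (an added example, not Addigy's or Escrow Buddy's own code) reports whether FileVault is on, whether the Escrow Buddy bundle is installed, and whether the GenerateNewKey flag from Step 2 is set. It assumes the plist and bundle paths used in this guide and the "FileVault is On." first line of fdesetup status; the functions take their inputs as arguments so they can be exercised with captured strings, and only the final section runs real commands, and only on macOS.

```shell
#!/bin/sh
# Added example: read-only state check for the Escrow Buddy flow in this guide.
# Paths below are the ones the guide uses (assumed, not discovered).
PLIST="/Library/Preferences/com.netflix.Escrow-Buddy.plist"
BUNDLE="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"

# Returns 0 when the first line of `fdesetup status` reports FileVault is On.
filevault_on() {
  case "$1" in
    "FileVault is On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when `defaults read ... GenerateNewKey` output means true.
generate_flag_set() {
  case "$1" in
    1|true|TRUE|YES|yes) return 0 ;;
    *) return 1 ;;
  esac
}

# Combines the three facts into one status word for a custom fact or log line:
#   filevault-off         -> nothing to escrow yet
#   escrow-buddy-missing  -> Smart Software item has not landed on this device
#   pending-next-login    -> a new key will be generated at the next login
#   flag-clear            -> bundle present but GenerateNewKey is not set
escrow_state() {
  fv_line="$1"; bundle_present="$2"; flag="$3"
  if ! filevault_on "$fv_line"; then echo "filevault-off"; return 0; fi
  if [ "$bundle_present" != "yes" ]; then echo "escrow-buddy-missing"; return 0; fi
  if generate_flag_set "$flag"; then echo "pending-next-login"; else echo "flag-clear"; fi
  return 0
}

# Live check: gather the inputs on macOS only; read-only, no settings are changed.
if [ "$(uname)" = "Darwin" ]; then
  fv_out=$(fdesetup status 2>/dev/null | head -n 1)
  if [ -d "$BUNDLE" ]; then present=yes; else present=no; fi
  flag_out=$(defaults read "$PLIST" GenerateNewKey 2>/dev/null || echo 0)
  escrow_state "$fv_out" "$present" "$flag_out"
fi
```

Run it as an Addigy script or custom fact; "pending-next-login" is the state a device should be in after Step 4 and before the user's next login.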
Tip: To view escrowed FileVault recovery keys in Addigy, see How to View Escrowed FileVault Recovery Keys.