If a computer has FileVault enabled and the user forgets their password, the only way to retrieve the data is by providing the FileVault recovery key. Mobile Device Management (MDM) provides a way not only to enforce FileVault on managed computers but also to escrow the recovery key to the MDM, so that the end user does not need to keep track of it and admins do not have to maintain a list of serial numbers and recovery keys.
Admins may still find themselves in a situation where the recovery key is not escrowed, such as when a computer enrolls with FileVault already enabled or a user enables FileVault on their own before the MDM configuration profile is installed. In these situations, some admins may prefer a remediation that requires no interaction from the user. For this, we can leverage a third-party app called Escrow Buddy. This app uses the password supplied during login to generate a new recovery key. If the MDM configuration profile with the escrow recovery key option enabled has been installed on the computer, the new FileVault recovery key will be escrowed to Addigy.
In this guide, you will:
- Create a configuration profile to enforce FileVault and escrow the recovery key
- Acquire the Escrow Buddy package and upload it to Addigy
- Create the Smart Software item for Escrow Buddy
- Create a Flex Policy
- Deploy Escrow Buddy
Creating the MDM Configuration Profile
- Navigate to your Catalog Profiles
- Create a new profile and choose the Security and Privacy payload
- Name the profile and click the FileVault tab
- Include the Enable FileVault key
- Check the box to include Escrow Personal Recovery Key
- Set any other additional settings you'd like
- Click Create Profile
- Note: You will need to add this MDM Profile to the Flex Policy that you create further down in this article.
Acquire Escrow Buddy and upload to Addigy
- Download the latest Escrow Buddy package from here
- Navigate to your Catalog page
- Click Files
- Upload the Escrow Buddy package
Create the Smart Software Item
Not only does Escrow Buddy need to be installed, but it also needs to be configured to generate a new FileVault recovery key. This can be done any time after the app is installed, but building this into the Smart Software makes the most sense. In this section, you will create the Smart Software and add the command to configure Escrow Buddy.
- Navigate to your Catalog Software
- Verify you are on the Smart Software tab and click New
- Enter a name for your Smart Software, such as Escrow Buddy Install
- Click Select File, select the checkbox next to the Escrow Buddy package, and confirm your selection
- Click Add in the Install Command column to generate the installation script automatically
- Copy this command and paste it below the automatically generated installation command
defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
- Expand the Removal Command section
- Enter this in the directory path: /Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle
- Click the "Add to script" button
- Save the Smart Software item
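As an added example (not Addigy's generated script or Escrow Buddy's own code), here is the install command from this section written out as a complete script, with the checks a practitioner would want before the Smart Software item reports success. The package path is a placeholder; the plist and bundle paths are the ones from this guide.

```shell
#!/bin/sh
# Added example (not Addigy's or Escrow Buddy's own code): a Smart Software install
# command that installs the Escrow Buddy package, sets the GenerateNewKey preference
# from the guide, and verifies the result before reporting success.
# Assumption: PKG is wherever Addigy's generated command places the uploaded file;
# the default below is a placeholder.
set -eu

PKG="${PKG:-/path/to/Escrow Buddy.pkg}"   # placeholder, not a real Addigy path
PLIST="/Library/Preferences/com.netflix.Escrow-Buddy.plist"
BUNDLE="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"

# Decide from the text of `fdesetup status` whether FileVault is on. The text is a
# parameter so the decision can be exercised without running fdesetup.
filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# `defaults read` prints 1 for a boolean written with -bool true.
generate_flag_set() {
    [ "$1" = "1" ]
}

install_escrow_buddy() {
    # Without FileVault there is no recovery key to rotate, so fail here rather
    # than let the Smart Software item report a successful install.
    if ! filevault_on "$(fdesetup status)"; then
        echo "FileVault is not enabled; nothing for Escrow Buddy to regenerate" >&2
        return 1
    fi
    installer -pkg "$PKG" -target /
    # The command from the guide: ask Escrow Buddy to generate a new key at next login.
    defaults write "$PLIST" GenerateNewKey -bool true
    if ! generate_flag_set "$(defaults read "$PLIST" GenerateNewKey)"; then
        echo "GenerateNewKey preference was not written" >&2
        return 1
    fi
    if [ ! -d "$BUNDLE" ]; then
        echo "Escrow Buddy bundle not found at $BUNDLE" >&2
        return 1
    fi
    echo "Escrow Buddy installed; a new recovery key will be generated at next login"
}

# Addigy runs this on macOS; on other systems only the helpers are defined.
if [ "$(uname)" = "Darwin" ]; then install_escrow_buddy; fi
```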
Create a Flex Policy
You will now create a Flex Policy to find computers missing a FileVault recovery key. This Policy is where you will assign the Escrow Buddy Smart Software item you created.
- Verify Flex Policies are enabled on the Integrations page
- Navigate to Policies and create a new Policy
- Name it something accurate, such as Unknown FileVault Recovery Key
- On the Overview page of your new Policy, click Add Filters at the top
- Click Add Filter on the Auto-Assignment page
- Search for FileVault and select the FileVault Enabled fact
- Set the operator to "=" (equals) and the toggle to true (green)
- Click Add Filter again, search for FileVault, and select FileVault Key Escrowed
- Set the operator to "=" (equals) and the toggle to false (gray)
- Add any other criteria you may need, such as Policy IDs (by default, this filter will search across all devices in the account) or Device Model Name
- Click Test Filter to ensure only intended devices are being assigned
- Select the check box to “unassign devices that no longer match this filter set”
- Save the auto-assignment
- Before you close the popup, toggle the Enabled switch at the top
- Note: If you have not done so yet, add the MDM Profile that you created earlier in this article to this Flex Policy.
Deploy Escrow Buddy
With the Smart Software item created and the Flex Policy built, it is time to deploy Escrow Buddy.
- Return to your Catalog Software
- In the Smart Software tab, find the Escrow Buddy Smart Software you created and click the ellipsis
- Click Assignments
- Select the Flex Policy you created and Save
Conclusion
FileVault helps to secure your Mac deployment, but it is critical to have the recovery keys easily accessible and associated with a computer. Addigy can escrow the recovery keys as a device fact so that you can quickly find the recovery key you need. For various reasons, it is possible for keys not to make it into Addigy. In these scenarios, the computers need to generate a new recovery key to be escrowed. This guide showed one way to accomplish this by leveraging the third-party tool Escrow Buddy.