Skip to main content
  1. Addigy
  2. Policies & Catalog
  3. Smart Software

Reissue FileVault Recovery Keys with Escrow Buddy

Updated:

If a computer has FileVault enabled and the user forgets their password, the only way to retrieve data is by providing the FileVault recovery key. Mobile Device Management (MDM) provides a way not only to enforce FileVault on managed computers, but also escrow the recovery key to the MDM so that the end-user doesn't need to keep track of it and admins don't have to keep up with a list of serial numbers and recovery keys.

Admins may still find themselves in a situation where the recovery key is not escrowed though, such as when a computer enrolls with FileVault already enabled or a user enables FileVault on their own before the MDM configuration profile is installed. In situations like this, Addigy provides a script in our Community section that will prompt the user for their password and generate a new recovery key, but some admins may rather no interaction from the user. For this, we can leverage a third part app called Escrow Buddy. This app will use the password supplied during a login to generate a new recovery key and if the MDM configuration profile has been installed on the computer with the escrow recovery key option enabled, the FileVault recovery key will be escrowed to Addigy.

In this guide, you will:

  • Create a configuration profile to enforce FileVault and escrow the recovery key
  • Acquire the Escrow Buddy package and upload to Addigy
  • Create the Smart Software item for Escrow Buddy
  • Create a Flex Policy
  • Deploy Escrow Buddy

Creating the MDM Configuration Profile

  • Navigate to your Catalog Profiles
  • Create a new profile and choose the Security and Privacy payload
  • Name the profile and click the FileVault tab
  • Include the Enable FileVault key
  • Check the box to include Escrow Personal Recovery Key
  • Set any other additional settings you'd like
  • Click Create Profile

Acquire Escrow Buddy and upload to Addigy

  • Get the latest Escrow Buddy package downloaded from here
  • Navigate to your Catalog page
  • Click Files
  • Upload the Escrow Buddy package

Create the Smart Software Item

Not only does Escrow Buddy need to be installed, but it also needs to be configured to generate a new FileVault recovery key. This can be done any time after the app is installed, but it makes most sense to build this into the Smart Software. In this section, you will create both the Smart Software and add the command to configure Escrow Buddy.

  • Navigate to your Catalog Software
  • Verify you are on the Smart Software tab and click New
  • Enter a name for your Smart Software, such as Escrow Buddy Install
  • Click Select File and select the checkbox next to the Escrow Buddy package and confirm your selection
  • Click Add in the Install Command column to automatically generate the installation script
  • Copy this command and paste it below the automatically generated installation command
defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
  • Expand the Removal Command section
  • Enter this in the directory path: /Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle
  • Click the "Add to script" button
  • Save the Smart Software item

Create a Flex Policy

You will now create a Flex Policy to find computers that are missing a FileVault recovery key. This Policy is where you will assign the Escrow Buddy Smart Software item you created.

  • Verify Flex Policies are enabled in the Integrations page
  • Navigate to Policies and create a new Policy
  • Name it something accurate, such as Unknown FileVault Recovery Key
  • On the Overview page of your new Policy, click Add Filters at the top
  • Click Add Filter on the Auto-Assignment page
  • Search for FileVault and select the FileVault Enabled fact
  • The operator should be set to "=" (equals) and the toggle to true (green)
  • Click Add Filter again, search for FileVault and select FileVault Key Escrowed
  • Your dropdown should be set to "=" (equals) and set the toggle to false (gray)
  • Add any other criteria you may need, such as Policy IDs (by default this filter will search across all devices in the account) or Device Model Name
  • Click Test Filter to ensure only intended devices are being assigned
  • Select the check box to “unassign devices that no longer match this filter set”
  • Save the auto-assignment
  • Before you close the popup, toggle the Enabled switch at the top

Deploy Escrow Buddy

With the Smart Software item created and the Flex Policy built, it is now time to deploy Escrow Buddy.

  • Return to your Catalog Software
  • In the Smart Software tab, find the Escrow Buddy Smart Software you created and click the ellipsis
  • Click Assignments
  • Select the Flex Policy you created and Save

Conclusion

FileVault helps to secure your Mac deployment, but it is critical to have the recovery keys easily accessible and clearly associated with a computer. Addigy can escrow the recovery keys as a device fact so that you can quickly find the recovery key you need. For various reasons, it is possible for keys to not make it into Addigy. In these scenarios, the computers need to generate new a recovery key so that it can be escrowed. This guide showed one way to accomplish this by leveraging the third party tool Escrow Buddy.

Was this article helpful?
1 out of 1 found this helpful
Return to top

Didn’t find what you’re looking for?

Contact our Support Team