Overview
Keys open doors, computers, and other things, but most importantly, people need their keys! Once a macOS device is encrypted with Apple's FileVault, the personal recovery key is escrowed to the MDM server (with Addigy, to the Addigy MDM server, if escrow is enabled), and it is also shown to the user in plain text in a prompt (if that is enabled).
Unfortunately, if the device was encrypted outside of Addigy, Addigy does not know that key and has no way to learn it on its own. We do have a documented method for manually exporting FileVault keys to Addigy, but it involves creating a custom MDM payload for each encrypted device and then manually running Addigy's filevault-manager binary. That is tedious across hundreds of devices, so we have streamlined the process with a simple shell script.
First, we will explain a simple command you can use if you don't want to work with scripts.
Changing the FileVault Key on the device and escrowing it to Addigy
Requirements:
- Device enrolled into Addigy MDM
- An Addigy MDM Configuration that has FileVault enabled on the device
- End-user interaction to enter their password (or equivalent)
You can run this command if the device is enrolled in Addigy MDM and has a FileVault payload assigned (the payload is what tells the device where to escrow the key). It prompts for the name and password of a FileVault-enabled user, generates a new personal recovery key, and escrows that new key. Note that this rotates the key: the previous recovery key stops working, so any copy of it kept elsewhere is stale from that point on.
sudo fdesetup changerecovery -personal
Importing FileVault Keys into Addigy Using a Script
How It Works
Given a list mapping serial numbers to FileVault recovery keys, the script generates a unique MDM payload containing the FileVault recovery key for the device and uploads that payload to Addigy. Note: the script has to be run on the device whose FileVault key is being exported, so each device needs access to the serial-number-to-recovery-key list.
The big question is how to build that list of serial numbers mapped to FileVault recovery keys. This is open ended, since it depends on the needs and wants of the IT admin. There are multiple versions of the script covering a couple of scenarios; alternatively, you can edit the script yourself to read the data from whatever source you want.
Step 1: Data via Local CSV File
This step covers supplying the data via a CSV file. It is imperative that the column of serial numbers be named "Serial" and the column of FileVault recovery keys be named "Recovery". Something similar to the following example:
As established above, the device needs access to the list mapping serial numbers to FileVault recovery keys. That means the CSV file has to be placed locally on each device whose FileVault key is to be exported to Addigy. This can be done in numerous ways, but the recommended one is Custom Software. Keep in mind that the script needs to reference the location of the CSV file; a convenient place is the /tmp directory. Because that file then contains the recovery keys of every device in the list, it should be readable only by root and removed from each device as soon as the script has finished; shipping each device only its own row is tighter still. We have an excellent KB article that details the workflow of creating and deploying custom software.
Step 2: Using The Script
After the CSV file is uploaded to each device, it is time to run the shell script from the Devices page. Go to the Devices page and create a new custom script: download the attached shell script titled fvEscrowCSV.sh and paste its contents into the new custom script. If you are unfamiliar with creating and deploying custom scripts from the Devices page, I would recommend reading our KB article on the subject.
After creating the new custom script on the devices page, you can select the required devices and run the script.
You can verify that the script succeeded by clicking Go Live on a device, then heading to Security and scrolling down to Keys under FileVault Encryption.
To verify that the right key was uploaded, download it from there and check it against the device.
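As an added example, and not Addigy's attached fvEscrowCSV.sh, here is the lookup-and-check half of such a script in bash. It reads this Mac's serial number, finds the matching Recovery value in a CSV whose header has Serial and Recovery columns (in any order, with or without Windows line endings, spaces or quoting), checks that the value has the shape of a FileVault personal recovery key, and confirms on the device with Apple's fdesetup validaterecovery that the key actually unlocks the disk before anything is escrowed. The CSV path /tmp/fv_keys.csv, the function names and the --run flag are assumptions; the fdesetup invocation (-inputplist reading a plist with a Password key from stdin, printing true or false) follows the fdesetup man page; the final escrow step, building the payload and uploading it with Addigy's filevault-manager, is left as a placeholder because its invocation is not shown on this page.

```shell
#!/bin/bash
# Added example, not Addigy's attached fvEscrowCSV.sh: the lookup-and-check
# half of a CSV-driven escrow script. The wiring in main() is an assumption.
set -u

# Assumed location of the CSV dropped on the device (the article suggests /tmp).
CSV_PATH="${CSV_PATH:-/tmp/fv_keys.csv}"

# Serial number of the Mac this runs on (macOS only; ioreg exists nowhere else).
device_serial() {
  ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ { print $4 }'
}

# Print the Recovery value for a serial number from a CSV whose header names a
# "Serial" and a "Recovery" column (any order). Tolerates CRLF line endings and
# surrounding spaces or double quotes. Exit 1 if the serial is absent, 2 if the
# header is wrong, so a caller can tell the two apart.
lookup_recovery_key() {
  local csv="$1" serial="$2"
  awk -F',' -v want="$serial" '
    { sub(/\r$/, "") }                       # strip CR from Windows line endings
    NR == 1 {
      for (i = 1; i <= NF; i++) {
        gsub(/^[ \t"]+|[ \t"]+$/, "", $i)
        if ($i == "Serial")   s = i
        if ($i == "Recovery") r = i
      }
      if (!s || !r) { bad = 1; exit }
      next
    }
    {
      gsub(/^[ \t"]+|[ \t"]+$/, "", $s)
      gsub(/^[ \t"]+|[ \t"]+$/, "", $r)
      if ($s == want) { print $r; found = 1; exit }
    }
    END {
      if (bad)    { print "CSV header needs Serial and Recovery columns" | "cat 1>&2"; exit 2 }
      if (!found) exit 1
    }
  ' "$csv"
}

# A FileVault personal recovery key is six groups of four uppercase letters or
# digits separated by hyphens. A cell mangled by a spreadsheet fails here
# instead of ending up inside an MDM payload. LC_ALL=C keeps [A-Z] strict.
valid_key_format() {
  printf '%s\n' "$1" | LC_ALL=C grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# On the device: confirm the key really unlocks this disk before escrowing it.
# Per the fdesetup man page, -inputplist reads the key (Password) from a plist
# on stdin, which keeps it out of the process list, and the command prints
# true or false. mktemp creates the file mode 0600; it is always removed.
validate_key_on_device() {
  local key="$1" plist out
  plist=$(mktemp) || return 1
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict><key>Password</key><string>%s</string></dict></plist>\n' "$key" > "$plist"
  out=$(sudo fdesetup validaterecovery -inputplist < "$plist" 2>/dev/null)
  rm -f "$plist"
  [ "$out" = "true" ]
}

# Assumed flow on the device: look up, check the format, check against the
# disk, then hand the key to the escrow step. Building the MDM payload and
# uploading it with Addigy's filevault-manager is not shown on this page, so
# it stays a placeholder here.
main() {
  local serial key
  serial=$(device_serial)
  [ -n "$serial" ] || { echo "could not read device serial number" >&2; exit 1; }
  key=$(lookup_recovery_key "$CSV_PATH" "$serial") \
    || { echo "no recovery key for $serial in $CSV_PATH" >&2; exit 1; }
  valid_key_format "$key" \
    || { echo "malformed recovery key for $serial" >&2; exit 1; }
  validate_key_on_device "$key" \
    || { echo "key for $serial does not unlock this disk; not escrowing" >&2; exit 1; }
  echo "key for $serial verified; escrow step (payload + upload) goes here"
  # The CSV holds every device's key; remove it once this device is done.
  rm -f "$CSV_PATH"
}

# Only run the device flow on a Mac, and only when asked explicitly.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as root on the device with --run after the CSV is in place. Because the script refuses to continue on a serial with no row, a malformed key, or a key fdesetup rejects, a bad spreadsheet produces a clear error on that device rather than a plausible-looking but useless key in the Addigy console.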
Conclusion:
This script is open ended in how you feed it the necessary data: from hard-coded arrays to CSV files, it is up to you how to build and structure the list of FileVault recovery keys and serial numbers. Also attached to this article is a shell script titled "fvEscrow.sh", whose purpose is to be a blank canvas. It has a single variable named "RecoveryKey" that must be set to the correct FileVault recovery key. After filling that in, run it on the appropriate device to escrow that device's FileVault key to Addigy.