When FileVault is enabled via Addigy's native Security & Privacy MDM configuration (Device Setting) or via GoLive, the recovery key is automatically escrowed and available under GoLive > Security. If a key did not escrow as expected, use one of the methods below to remediate it.
Before proceeding: Ensure a Security & Privacy Device Setting with FileVault enabled is deployed to the device, and confirm that FileVault is fully enabled (not in deferred enablement) by running:
fdesetup status
For help interpreting the output, see FAQ: Troubleshooting FileVault.
Method 1: Escrow Buddy
Escrow Buddy is a widely used open-source tool for escrowing FileVault recovery keys. It is the most hands-off approach of the available methods, though it does require a small amount of end-user interaction at next login. For full setup instructions, see: Reissue FileVault Recovery Keys with Escrow Buddy.
Method 2: Prompt Users to Rotate the Key
A community script is available under Community > Scripts that prompts the user to enter their SecureToken credentials and rotate the recovery key, which will then be automatically escrowed into Addigy. The script can be found here.
When the script runs, the user will see a prompt asking them to enter their password to continue rotating the FileVault key. Once the user confirms their credentials, the new key will be escrowed to Addigy.
Note: The user must have valid SecureToken credentials for this method to succeed.
Method 3: Import Multiple Keys via CSV
If you need to escrow keys for multiple devices at once, you can use an import script that accepts a CSV file of recovery keys. For instructions, see: Importing Known FileVault Keys into Addigy (Import Script).
Method 4: Addigy FileVault Manager
The Addigy FileVault Manager can be used to manually escrow a key by placing a formatted plist file on the device. Use this method when other approaches are not available or applicable.
Requirements:
- Addigy Agent installed on the device
- The existing recovery key, or the ability to reset it
- Ability to place a file on the device (files can be deployed via Smart Software)
Steps:
- Obtain the recovery key. If you don't have it but know the username and password of an existing user on the device, you can generate a new one by running:
sudo fdesetup changerecovery -personal
- Copy the key and paste it into a plist file formatted for Addigy escrow. An example plist file is attached to this article for reference (example.plist).
- Save the plist file and move it to:
/Library/Addigy/fv-escrows/
- Run the following command to escrow the key:
/Library/Addigy/filevault-manager -escrow
- Verify the key is now available under GoLive > Security.
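The following shell script is an added example (not Addigy's tooling or code from this article) that wraps the Method 4 steps and the "Before proceeding" check above in a single pre-flight routine: it classifies `fdesetup status` output, rejects a value that does not look like a personal recovery key, confirms a plist is already in /Library/Addigy/fv-escrows/, and only then runs filevault-manager -escrow. The `fdesetup status` strings it matches on and the six-groups-of-four recovery key format are assumptions based on typical macOS output, and the plist itself is not generated here because its schema comes from the attached example.plist.

```shell
#!/bin/sh
# Added example, not Addigy's own tooling: pre-flight checks before escrowing
# a FileVault recovery key with Method 4 (filevault-manager).
# The fdesetup status strings below are assumed from typical macOS output.

# Classify `fdesetup status` text as on / off / deferred / unknown.
# Deferred enablement also reports "FileVault is Off.", so test for it first.
fv_state() {
  case "$1" in
    *"Deferred enablement appears to be active"*) echo deferred ;;
    *"FileVault is On."*)                          echo on ;;
    *"FileVault is Off."*)                         echo off ;;
    *)                                             echo unknown ;;
  esac
}

# A personal recovery key is six hyphen-separated groups of four uppercase
# letters or digits (assumed format, e.g. ABCD-1234-EFGH-5678-IJKL-9012).
valid_recovery_key() {
  printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

ESCROW_DIR=/Library/Addigy/fv-escrows        # path from the article
FV_MANAGER=/Library/Addigy/filevault-manager # binary from the article

# Run the escrow only when FileVault is fully on, the key parses, and a
# plist (written from the article's example.plist) is already in place.
escrow_key() {
  key=$1
  state=$(fv_state "$(fdesetup status 2>&1)")
  if [ "$state" != on ]; then
    echo "FileVault state is '$state'; escrow requires a fully enabled volume" >&2
    return 1
  fi
  if ! valid_recovery_key "$key"; then
    echo "recovery key does not look like a personal recovery key" >&2
    return 1
  fi
  # With no match the glob stays literal and ls fails, which is what we want.
  if ! ls "$ESCROW_DIR"/*.plist >/dev/null 2>&1; then
    echo "no plist found in $ESCROW_DIR; place the formatted plist there first" >&2
    return 1
  fi
  "$FV_MANAGER" -escrow
}

# Constructed sample output for offline demonstration (not captured from a real Mac).
SAMPLE_DEFERRED='FileVault is Off.
Deferred enablement appears to be active for user '"'"'jdoe'"'"'.'

if [ $# -gt 0 ]; then
  escrow_key "$1"   # usage: sudo sh escrow-check.sh ABCD-1234-EFGH-5678-IJKL-9012
else
  echo "sample status classified as: $(fv_state "$SAMPLE_DEFERRED")"   # deferred
fi
```

Run it with the key as the single argument under sudo on the target Mac; with no argument it only classifies the constructed sample status, so it can be exercised safely off-device. A non-zero exit before filevault-manager is reached tells you which prerequisite from the Requirements list is missing.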