When a device is FileVaulted via our native Security and Privacy MDM Configuration or via GoLive, the recovery key is automatically escrowed and available in GoLive > Security. However, if a FileVaulted device's key did not escrow, the following remediation methods can be attempted.
Notes:
- Deploy a Security & Privacy MDM Profile with FileVault enabled before following any of the steps below.
- Ensure that the device has FileVault fully enabled and is not in deferred enablement. Verify this by running sudo fdesetup status: a fully enabled device reports "FileVault is On."; if the output mentions deferred enablement, FileVault will only be turned on at the user's next login or logout and no recovery key exists yet to escrow. More information on troubleshooting FileVault enablement can be found here.
Prompting Users to Rotate the Key
The Community > Scripts library contains a script that prompts users for their SecureToken credentials and rotates the personal recovery key; the new key then escrows into Addigy. Rotation invalidates the previous personal recovery key, so any copy of the old key recorded elsewhere stops working. The link for this script can be found here.
When the script is executed, users will see the following prompt:
Once the user enters the password of a SecureToken-enabled account and it is confirmed, the key is rotated and escrowed. If the account does not hold a SecureToken, the rotation fails and nothing is escrowed.
Escrow Buddy
Escrow Buddy is a widely used tool for reissuing and escrowing recovery keys. For steps on how to use this option, please follow our separate article: Reissue FileVault Recovery Keys with Escrow Buddy
Importing Multiple Keys
If you have keys to import for multiple devices, follow our separate article on the CSV-based import process. Link: Importing FileVault Keys into Addigy (Import Script)
Addigy FileVault Manager
An alternative method is to use the Addigy FileVault Manager to escrow the key.
Requirements
- The Addigy agent installed on the device
- The recovery key in hand, or the ability to reset it (resetting requires the user name and password of a SecureToken-enabled account)
- A way to place a file on the device; files can be deployed via Smart Software
Escrowing the Key
- Obtain the key. If you do not have it but know the user name and password of a SecureToken-enabled account on the device, rotate it with: sudo fdesetup changerecovery -personal. The command prompts for those credentials and prints the new personal recovery key; the previous personal recovery key stops working at that point.
- Copy the key into a plist file formatted so that it can be escrowed to Addigy (an example plist file is attached to this article, found below). Treat the file as a secret: it holds the recovery key in clear text, so keep it owner-readable only and do not leave copies in logs or shell history.
- Save the key file into the /Library/Addigy/fv-escrows directory.
- Run /Library/Addigy/filevault-manager -escrow. The key will be escrowed to Addigy.
- Confirm that the key appears in GoLive >> Security. To check that a key you were handed actually matches the device before escrowing it, sudo fdesetup validaterecovery prompts for the key and reports whether it is valid.
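The helper script below is an added example for the manual procedure above; it is not part of this article, of the Addigy agent, or of filevault-manager. It wraps the two checks a practitioner wants before touching /Library/Addigy/fv-escrows: telling "FileVault is On" apart from deferred enablement in fdesetup status output, and extracting a well-formed personal recovery key from fdesetup changerecovery -personal output without leaving the key in shell history. The sample outputs are constructed to resemble fdesetup's wording; the live_flow function assumes root and an interactive terminal, and it deliberately stops short of writing the plist, because that file's layout is the attachment to this article and is not reproduced here.

```shell
#!/bin/sh
# Added example, not Addigy's code. Helpers for the manual escrow procedure.

# Constructed sample outputs (not captured from a real device).
SAMPLE_STATUS_ON="FileVault is On."
SAMPLE_STATUS_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'admin'."
SAMPLE_CHANGERECOVERY="Enter the user name:admin
Enter the password for user 'admin':
New personal recovery key = 'ABCD-1234-EFGH-5678-IJKL-9012'"

# Classify fdesetup status text. Prints one of: deferred, on, off, unknown.
# Deferred enablement is checked first because it is reported alongside
# "FileVault is Off." and must not be mistaken for a plain off state.
fv_state() {
  case "$1" in
    *"Deferred enablement appears to be active"*) echo deferred ;;
    *"FileVault is On"*) echo on ;;
    *"FileVault is Off"*) echo off ;;
    *) echo unknown ;;
  esac
}

# Pull a personal recovery key (six dash-separated groups of four uppercase
# letters or digits) out of arbitrary text. Prints the key, or prints nothing
# and returns 1 when no well-formed key is present.
extract_prk() {
  key=$(printf '%s\n' "$1" | grep -Eo '[A-Z0-9]{4}(-[A-Z0-9]{4}){5}' | head -n 1)
  [ -n "$key" ] || return 1
  printf '%s\n' "$key"
}

# Live flow: run as root on the Mac with FV_LIVE=1. Refuses to rotate on a
# device that is not fully enabled, rotates the key (the old key stops
# working), keeps the output in an owner-only temp file rather than a shell
# variable that could end up in history, and prepares the escrow directory.
live_flow() {
  state=$(fv_state "$(fdesetup status)")
  if [ "$state" != on ]; then
    echo "FileVault is not fully enabled (state: $state); fix that first." >&2
    return 1
  fi
  umask 077                                # key material: owner-read only
  tmp=$(mktemp /tmp/prk.XXXXXX)
  # fdesetup prompts for a SecureToken user's name and password on the terminal.
  fdesetup changerecovery -personal > "$tmp"
  key=$(extract_prk "$(cat "$tmp")") || { rm -f "$tmp"; echo "no key in fdesetup output" >&2; return 1; }
  rm -f "$tmp"
  mkdir -p /Library/Addigy/fv-escrows
  echo "New key obtained (ends in ${key##*-}); write it into the plist attached to the" >&2
  echo "article under /Library/Addigy/fv-escrows, then run /Library/Addigy/filevault-manager -escrow." >&2
}

# Stand-alone demonstration on the constructed samples.
echo "sample status (deferred case) -> $(fv_state "$SAMPLE_STATUS_DEFERRED")"
echo "sample status (enabled case)  -> $(fv_state "$SAMPLE_STATUS_ON")"
echo "sample changerecovery key     -> $(extract_prk "$SAMPLE_CHANGERECOVERY")"
if [ "${FV_LIVE:-0}" = 1 ]; then live_flow; fi
```

The key pattern is deliberately strict: anything that does not match six groups of four characters is rejected rather than written into a plist, which catches a pasted key that lost a character. Setting umask 077 before creating the temp file and the escrow directory means the clear-text key is never world-readable on disk.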