FileVault disk encryption, the built-in encryption of macOS, is a beast to manage. Enabling FileVault can be painstaking and risky. Losing both a device's password and recovery key will result in data loss. For this reason (and others), we highly recommend you take FileVault seriously and enable it individually on your devices in GoLive using our instructions in the article Enabling FileVault through a GoLive Session.
Prior to macOS 10.13 High Sierra, FileVault supported a Mastery Recovery Key--a recovery key that could be passed to the fdesetup command during setup that would act as a universal decryption key. However, Apple has deprecated this method in High Sierra. Institutional and Master keys will no longer be supported.
This is where Addigy's filevault-manager utility comes into play. filevault-manager is a compiled command-line utility that is installed with the Addigy agent in /Library/Addigy on each device. When enabling FileVault from GoLive, the Addigy web UI sends commands to this utility, but there are many other potential methods for using this utility.
Basic Usage of FileVault-Manager
Let's take a look at the most straightforward methods for using this. Here are the three commands that the web UI is creating and sending to filevault-manager when FileVault is enabled in GoLive:
1) I don't know the password
/Library/Addigy/filevault-manager -enable -defer
2) I don't know the password, and prompt the restart
/Library/Addigy/filevault-manager -enable -defer -prompt-restart
3) I know the username and password
/Library/Addigy/filevault-manager -enable -user $username -password $password
There's a big difference between the first two methods, which use the -defer flag, and the third method, which uses the -user and -password flags. We recommend method 2) as it is transparent to the end-user and doesn't require the end-user's password in advance.
Complete Usage of FileVault-Manager
What other options are available within the utility? We can see full usage by running the /Library/Addigy/filevault-manager command without any arguments.
/Library/Addigy/filevault-manager Need to provide an option. Usage: /Library/Addigy/filevault-manager [OPTIONS] -add Adds a user to FileVault for this device. This option requires -existing-user and -existing-password flags. -defer Will defer enabling FileVault until the device is restarted. This option will obtain the password at login. -dismantle Will dismantle the automatic escrow mechanism if it is enabled. Must be used along with the -escrow flag. -enable Enabled FileVault for this device. If the defer call is not provided, the password flag must be provided. -escrow Escrows any pending FileVault key to Addigy. Will only escrow standard plist keys inside /Library/Addigy/fv-escrows. -password string The password of the user specified by -user. If the -user flag is not provided, the password for the currently logged in user must be provided. -prompt-restart Will prompt the user restart the machine after FileVault is enabled. Must be used along with the -enable flag. -status Prints the status of FileVault for this device. -user string The username of the user to enable FileVault for. If no username is provided, the currently logged in username will be used. -v Prints the current version of FileVault Manager.
We can see a few additional options here. The most important new option here is the -escrow flag which can be used to push any FileVault keys still held by the Addigy agent on the device up to your organization's Addigy account.
Custom FileVault Solutions Using FileVault-Manager
Now that we've established how the filevault-manager utility works, let's explore some options for running different iterations of this command through Addigy. Since the utility is installed with the rest of the Addigy agent, we can reference it in Predefined Commands or Custom Software.
Here's an example of a Custom Software that checks the FileVault status, then enables FileVault deferment using filevault-manager if it is disabled.
Condition script (Install on Success should be on):
fvStatus=$(/Library/Addigy/filevault-manager -status) if [ "$fvStatus" = "enabled" ]; then echo "FileVault is enabled. Skipping..." exit 1 elif [ "$fvStatus" = "disabled" ]; then echo "Enabling FileVault deferment." exit 0 else echo "Error reading FileVault status." exit 1 fi
/Library/Addigy/filevault-manager -enable -defer /Library/Addigy/macmanage/MacManage.app/Contents/MacOS/MacManage action=notify title="FileVault Enabled" description="Your administrator has enabled FileVault. Please restart to complete the process." closeLabel="Close"
This Custom Software can be safely pushed out to a large group of machines as long as the devices are being used by a single, primary user.
Escrowing FileVault Keys
Personal Recovery keys (PRKs) generated by the filevault-manager utility should automatically escrow up to your Addigy account. If the escrow fails for some reason, like network connectivity issues, here is a a simple Predefined Command that will check for pending keys and complete the escrow process.
if [ -e '/Library/Addigy/fv-escrows' ]; then /Library/Addigy/filevault-manager -escrow fi