Overview

Keys open doors, and computers, and other things, but most importantly People need their keys! Once you encrypt a MacOS device with Apple's File Vault, the recovery key is sent to an MDM System (If enabled, it will escrow to the Addigy MDM Server in this case) it also shows up in a prompt (if enabled) in plain-text to the user. 


Unfortunately, if the device was encrypted outside of Addigy, Addigy doesn’t know that key and would never know that key. We do have a documented method on manually exporting FV keys to Addigy. However, the process includes creating a custom MDM payload for an encrypted device and then manually running Addigy's filevault-manager binary. This can be tedious to do with hundreds of devices, so we have stream lined the process utilizing a simple shell script. 


First, we will explain a simple command you can use if you don't want to work with scripts.


Changing the FileVault Key on the device and escrowing it to Addigy

Requirements:

  1. Device enrolled into Addigy MDM
  2. An Addigy MDM Configuration that has FileVault enabled on the device
  3. End-user interaction to enter their password (or equivalent)


You can run this command if the device is enrolled into Addigy MDM and has a FileVault payload assigned (This is required to know where to escrow the key ): 


sudo fdesetup changerecovery -personal




Importing FileVault Keys into Addigy Using a Script


How It Works

Given a list of mapped Serial Numbers to File Vault Recovery keys, the script will generate a unique MDM payload with the FV recovery key for a device and upload the MDM payload to Addigy.  Note the script has to be ran on the device which you are exporting the FV key for. This means that each device will need to gain access to the previously mentioned list of mapped Serial Numbers to File Vault recovery keys. 


The big question is how to formulate the list of mapped Serial Numbers to File Vault recovery keys? This is an open ended as this depends on the needs and wants of an IT admin. There are multiple versions of this script to take into account a couple of scenarios. Alternatively, you can edit the script yourself to take in the data you want to.


Scenario A: Data via Local CSV File

Scenario A covers inputting the data via a CSV file. It is imperative that the column for serial keys be named "Serial" and the column for FV Recovery keys be named "Recovery". Something similar to the following example:


As we established before the device needs to gain access to the list of of mapped Serial Numbers to File Vault Recovery keys. This would mean we would need to upload the CSV file locally to each device that requires its FV key to be exported to Addigy. This can be done in a numerous amount of ways, but a recommended way to do this is via Custom Software. Please keep in mind that the script needs to reference the location of the CSV file. A good place for this could be in /tmp directory. We have an excellent KB article that details the workflow of creating and deploying custom software.


Scenario B: Using The Script

After the CSV file is uploaded to each device, it is time to run the shell script via Devices page. This can be done by going to Devices page and creating a new custom script. You can download the attached shell script titled fvEscrowCSV.sh and copy/paste its contents in a new custom script in devices page. If you are unfamiliar with the process of creating and deploying custom scripts in the devices page, I would recommend reading our KB article on the subject.



After creating the new custom script on the devices page, you can select the required devices and run the script.

You can verify if the script is successful by clicking on the Go Live on a device then heading to Security and scrolling down to Keys under File Vault Encryption. 

You can verify a key was uploaded correctly by downloading the key to verify it is correct.




Conclusion:

This script is open ended in the ways you can feed the necessary data to it. From hardcoded Arrays to CSV files, it's up to the user to pick and choose how they will create and structure the FV Recovery Keys to Serial Number list. Attached to this article is a shell script titled "fvEscrow.sh". This script's focus is to be an open canvas. It has a single variable named "RecoveryKey" that needs to be fed the correct FV Recovery Key. After filling out this data, you can run it on the appropriate device to escrow that device's  FV key to Addigy.


If you have an Addigy account and have additional questions, you can create a ticket by emailing support@addigy.com.

Alternatively, you can submit a support request within Addigy.