In today's mobile work and education environments, a crucial feature of Apple devices is the built-in macOS encryption technology that protects organizational data and user privacy. macOS FileVault, Apple's native full-disk encryption for the Mac, preserves your remote management access to data that is cryptographically secured by user passwords. While these layers of security help safeguard devices in the hands of end users no matter where they work or study, they also mean that Mac admins need cryptographic privileges to access data and manage user accounts. The newest computers with the Apple M1 chip add further cryptographic functions. But because there are multiple ways to enable and manage FileVault, it can be a challenge for Mac admins even to know where to start. To help you figure out the best practices for your organization, our webinar, How to Manage FileVault with Jamf, offers expert guidance on realizing the full potential of remote FileVault management.

## Step Three: Script

The reissue_filevault_recovery_key.sh script runs on each affected Mac. Start by customizing the script as needed for your environment. It can:

- Email affected employees to give them a heads up.
- Use jamfHelper to announce the upcoming password prompt.
- Add a logo to the AppleScript password prompt.
- Fail silently if the logo files aren't present, or if any other problem is detected.
- Verify the Mac login password, with 5 chances to enter the correct password.

Here is the section of the script you'll want to customize:

A policy called "Reissue invalid or missing FileVault recovery key" runs the script on each Mac in the smart group. It consists of:

- AppleScriptCustomIcon.dmg (loads /tmp/Pinterest.icns)
- reissue_filevault_recovery_key.sh (priority: After)
- Smart Group: FileVault encryption key is invalid or unknown*

*From Rich Trouton's FileVault status extension attribute.

Don't forget to monitor policy logs and test FileVault recovery to verify success:

- Monitor logs and flush one-off errors (unable to connect to distribution point, no user logged in, etc.).
- Identify and resolve remaining problems manually.
- Test a few newly generated FileVault keys to ensure they are working as expected.

## Compatibility

High Sierra (10.13) and Mojave (10.14): This script appears to work with macOS High Sierra and Mojave, but there are a few known issues:

- On specific versions of High Sierra, entering an incorrect password during the key rotation process can invalidate the existing FileVault key. Since the existing key is (presumably) not valid in the first place, this isn't the end of the world, but it means that if the key was stored separately, e.g. in a spreadsheet somewhere, it will no longer work. We attempt to mitigate this by validating the provided password with dscl before using it to rotate the FileVault key. However, there is no guarantee that your local account password and your FileVault password are the same.
- Previous versions of macOS generated log output that confirmed the successful escrow of the newly generated FileVault key; these versions do not. Instead, a local file containing the new key is written, which MDM is meant to retrieve. We attempt to determine escrow success by detecting a change in that file, but that is not a guarantee of success.

If you find additional issues with High Sierra or Mojave, I'd appreciate you opening an issue on this repo.

Catalina: This script should work on macOS Catalina, but please open an issue if you notice any Catalina-specific bugs.
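The two mitigations described under Compatibility, as an added example in POSIX shell that is not the repo's own reissue_filevault_recovery_key.sh: the login password is checked with `dscl . -authonly` before anything is rotated, and escrow is judged by comparing a fingerprint of the local key file taken before and after rotation. The `fdesetup changerecovery -personal -inputplist` invocation is the standard way to rotate a personal recovery key; the escrow file path is a labelled placeholder, since the page does not name it, and the rotation step has to run as root on a macOS host.

```shell
#!/bin/sh
# Added example; not the reissue_filevault_recovery_key.sh script from the repo.
# dscl and fdesetup exist only on macOS; the fingerprint helpers are plain
# POSIX and run anywhere.

# Accept the password only if Directory Services authenticates it.
# dscl exits non-zero for a bad password, so the caller can refuse to rotate.
verify_login_password() {
    _user="$1"
    _pass="$2"
    dscl . -authonly "$_user" "$_pass" >/dev/null 2>&1
}

# Fingerprint the escrow file as "crc:bytes" (cksum is POSIX and present on
# macOS and Linux); print "absent" if the file does not exist yet.
escrow_fingerprint() {
    _file="$1"
    if [ -f "$_file" ]; then
        cksum < "$_file" | awk '{ print $1 ":" $2 }'
    else
        printf 'absent\n'
    fi
}

# Succeed (exit 0) when the file's fingerprint differs from the baseline
# taken before rotation. A change is evidence, not proof, that MDM will
# retrieve the new key, as the page itself notes.
escrow_changed() {
    _file="$1"
    _baseline="$2"
    [ "$(escrow_fingerprint "$_file")" != "$_baseline" ]
}

# Order of operations: validate password, snapshot escrow file, rotate key,
# then compare. The third argument is a placeholder path; set it to the file
# your MDM collects from. Must run as root for fdesetup.
rotate_with_checks() {
    _user="$1"
    _pass="$2"
    _escrow="${3:-/path/to/escrow/file.plist}"   # placeholder, not a real path

    if ! verify_login_password "$_user" "$_pass"; then
        echo "Directory Services rejected the password; not rotating." >&2
        return 2
    fi

    _before=$(escrow_fingerprint "$_escrow")

    # Rotate the personal recovery key. Credentials go in on stdin as a plist
    # so they never appear in the process list. The heredoc is unquoted so the
    # variables expand; XML-escape the password first if it may contain & or <.
    fdesetup changerecovery -personal -inputplist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$_user</string>
    <key>Password</key>
    <string>$_pass</string>
</dict>
</plist>
EOF
    _rc=$?
    if [ "$_rc" -ne 0 ]; then
        echo "fdesetup failed with status $_rc." >&2
        return "$_rc"
    fi

    if escrow_changed "$_escrow" "$_before"; then
        echo "Escrow file changed; new key is staged for MDM retrieval."
        return 0
    fi
    echo "Escrow file unchanged after rotation; verify escrow manually." >&2
    return 1
}
```

Because dscl only proves the local account password, not the FileVault password, a zero exit from `verify_login_password` does not remove the High Sierra risk entirely; it only stops the obviously wrong password from reaching fdesetup. Likewise, `escrow_changed` returning success means the file on disk differs, nothing more, so a manual recovery test of a few rotated keys is still the only real confirmation.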