How to Reissue a Recovery Key for Filevault...13. Make sure all of your variables were entered in...

How to Reissue a Recovery Key for Filevault

REV20180601


2

REV20180701

This guide was written using macOS High Sierra 10.13.4 and Jamf Pro version 10.4.1. To follow along with this guide, you will need the following items:

• Jamf Pro Server version 10.x• Elliot Jordan - Homebysix: jss-filevault-reissue script

To download the script, follow these instructions:1. Go here: https://github.com/homebysix/jss-filevault-reissue/blob/master/reissue_filevault_recovery_key.sh2. In the top right, right click the Raw button.3. Select: Download linked file as... (NOTE - this is what it says in safari, browser may vary)

Special thanks to Elliot Jordan for all his contributions to the Apple community.

We created sample files that you can edit to speed up the processes used in this guide for editing the jss-filevault-reissue script and creating the folders used to store the branded icons.Get the files here: https://www.hcsonline.com/lessons/FV_Re-Issu_Files.zip

Section 1 Create a Smart Group 1. Click the Computers button.

2. Select Smart Computer Groups from the left navigation bar.

3. Click the New button.


3

REV20180701

4. Make sure you’re on the Computer Group tab, then enter the following: Display Name: FileVault Encryption Key is Invalid or Unknown

5. Click the Criteria tab, then click the Add button.

6. Click the Show Advanced Criteria button.

7. Scroll down and locate the FileVault 2 Individual Key Validation and select Choose.

8. Configure the following:a. Operator: is notb. Value - Click the Ellipse and choose Valid.

a b


4

REV20180701

9. Click the Add button.

10. Scroll down and locate the Last Check-in and select Choose.

11. Configure the following for Last Check-in:a. Set the And/Or section to: andb. Set the Operator to: less than x days agoc. Set the Value to: 30

12. Click the Add button.

13. Click the Show Advanced Criteria button.

14. Scroll down and locate the FileVault 2 Status and select Choose.

a

b c


5

REV20180701

15. Configure the following for FileVault 2 Status:a. Set the And/Or section to: andb. Set the Operator to: isc. Set the Value to: Click the Ellipse and select: All partitions Encryptedd. Click the Save button

a

d

b c

17. Click the Done button.

18. The Smart Computer Group is now created and ready for use.


6

REV20180701

Section 2 Creating a Configuration Profile 1. If not already logged in, Log in to the Jamf Pro Server.

2. Click the Computers button.

3. Select Configuration Profiles from the left navigation bar.



7

REV20180701

5. In the General section, Configure the following:a. Name: Re-Direct FileVault keys to Jamf Prob. Category: Security and Restrictions (This assumes you have that category created)c. Distribution Method: Install Automaticallyd. Level: Computer Level

a

b

c

d

6-A. This step is for Mac Computers running 10.13 or greater. Select Security & Privacy from the left navigation bar. Then click Configure on the right.

6-B. This step is for Mac Computers running 10.12 or earlier. Select FileVault Recovery Key Redirection from the left navigation bar. Then click Configure on the right.


8

REV20180701

7-A. This step is for Mac Computers running 10.13 or greater. Select the FileVault tab then select Enable Escrow Personal Recovery Key. In the Escrow Location Description section, Enter Jamf Pro Server. Click Save.

NOTE: The General, Firewall, and Privacy tabs all have items selected inside them. Make sure this tabs have what you need enabled or disabled as they will be applied with this profile.

7-B. This step is for Mac Computers running 10.12 or earlier. In the Recovery Key Redirection Dropdown menu, select Automatically redirect recovery keys to the Jamf Pro Server. Click Save.


9

REV20180701

8. In the Targets tab, make sure Specific Computers is selected then click the add button.

9. Select Computer Groups

10. Select FileVault Encryption Key is Invalid or Unknown, click Add.

11. Scroll up and click Done in the right hand corner.


10

REV20180701

12. Click Save.


14. You will see the newly created profile and it will be scoped to any Mac Computer that meets the criteria of the smart group created in section 1 of this guide.


11

REV20180701

Section 4 Configuring the Homebysix Re-Issue Script1. Open the reissue_filevault_recovery_key.sh. Go to the VARIABLES section. This section is what we need to

customize to our needs.

2. Set the path to your logo. It should live in /Library/Application Support/your-folder/your-logo.


12

REV20180701

3. Create a DMG installer using Jamf Composer. We assume you know how to use Jamf Composer.

The logo file MUST be installed in the path that you specified in the LOGO path of the script. I.E. /Library/Application Support/HCS/HCS.png.

The picture below should help you in getting things setup correctly in Jamf Composer. Make sure to select Build as DMG when creating the installer.

4. The rest of the VARIABLES section can be customized to your needs.

5. This section of the script is optional but recommended. The next step will show you how to get the PROFILE_IDENTIFIER key.


13

REV20180701

6. If not already logged in, Log in to the Jamf Pro Server.

7. Click the Computers button.

8. Select Configuration Profiles from the left navigation bar.

9. Go to Re-Direct FileFault keys to Jamf Pro then click on the number in the first column, in the picture below, that is number 1, you may see a different value. NOTE: If you don’t see any value in the list, go to a Mac Computer that is in need of a ReKey and run the sudo jamf recon command so it updates the Jamf Pro Server with the value.

10. Click on any Mac Computer in the list.


14

REV20180701

11. Select the Inventory tab then scroll down to the Profiles section. Copy the identifier for Re-Direct FileVault keys to Jamf Pro.

12. Go back to the reissue_filevault_recovery_key.sh and past in the Profile Identifier key that you copied in step 11. Be sure to select the proper version for 10.12 or 10.13

13. Make sure all of your variables were entered in correctly then save the script.

14. Launch Jamf Admin then upload the reissue_filevault_recovery_key.sh and the DMG or with the logos to the Jamf Pro server. Be sure to categorize the script and DMG in Jamf Admin.


15

REV20180701

Section 5 Creating a Policy1. Click the Computers button.

2. Select Policies from the left navigation bar.



16

REV20180701

4. Click on the Options tab, then select the General tab on the left. Configure the following settings:a. Display Name: Reissue Invalid or missing FileVault recovery keyb. Category: Security and Restrictions. (This assumes you have that category created)c. Trigger: Recurring Check-ind. Execution Frequency: Once per Computer

5. Select Packages from the left navigation bar, then click the Configure button on the right.

a

d

b

c


17

REV20180701

6. Select the DMG of your logo, then click the Add button.

8. Select Scripts from the left navigation bar, then click the Configure button on the right.

9. Select the reissue_filevault_recovery_key.sh then select Add.

7. Configure the following:a. Action: Installb. Distribution Point: Each computer’s default distribution point

a

b


18

REV20180701

10. Configure the following: Priority: After

11. Select Maintenance from the left navigation bar, then click the Configure button on the right.

12. Make sure Update Inventory is selected.


19

REV20180701

13. On the Targets tab, Configure the following:a. Target Computers: Specific Computersb. Click the Add button.

14. Do the following:a. Select the Computer Groups tabb. Locate FileVault Encryption Key is Invalid or Unknown section and click Addc. Click Done.

a

a

b

b

c

15. Click the Save button.


17. The Policy is now created and ready for use.


20

REV20180701

Section 5 Testing from a Client1. Go to a client Mac that already has FileVault enabled but was not escrowed by your Jamf Pro Server. Make

sure this Mac is enrolled in your Jamf Pro server. Once enrolled, it will show up in the Smart Computer Group that we created earlier.

2. The next time this client Mac checks into the Jamf Pro server, the currently logged in user will be greeted with the following message:

Read the message, then click the Next button.

3. The user will be promoted to enter in their login password. Click OK when done.

4. The user will be greeted with the following message. Click OK when done.


21

REV20180701

5. Let’s check our work to make sure the FileVault key was escrowed to the Jamf Pro Server:a. Click the Computers button.b. In the Search section, Make sure Computers is selected in the drop down menu.c. Enter the computer you want to search for in the Search field.d. Click the Search button.

6. Once the computer is found, click on it’s name to view it’s computer record.

8. You will see the newly escrowed FileVault Key. This completes this how to guide.

7. Click on the Management tab, then select FileVault 2 from the left menu. Click the Get FileVault 2 Recovery Key button on the right.

a d

bc

How to Reissue a Recovery Key for Filevault...13. Make sure all of your variables were entered in...

Documents

Transcript of How to Reissue a Recovery Key for Filevault...13. Make sure all of your variables were entered in...