fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Research: Is there a common location MDM solutions keep the FileVault encryption key? #8746

Closed lukeheath closed 1 year ago

lukeheath commented 1 year ago

As a Fleet user, I want to be able to consistently access the FileVault encryption key on macOS hosts that are enrolled in any supported MDM solution.

We want to use this query:

SELECT * FROM file_lines WHERE path='/var/db/ConfigurationProfiles/fdesetup.plist';

to access the FileVault encryption key. We have confirmed that /var/db/ConfigurationProfiles/fdesetup.plist exists on hosts enrolled in SimpleMDM, and does not exist on hosts that are not enrolled in MDM. Note that if the user has FileVault turned on before enrolling in SimpleMDM, the file appears not to generate.

We need to determine if this approach will work for other MDM solutions.

MDM solutions

1) SimpleMDM (confirmed works)

2) Jamf (likely will work)

"You can use Jamf Connect to enable FileVault on computers for administrator and standard local accounts. You can also store the user's personal recovery key at a specified file path."

Takeaway: Jamf supports setting encryption key at specific filepath.

3) Kandji (will not work)

"Escrow Recovery Keys to Kandji: Selecting this option will automatically escrow the FileVault Recovery key. Note that if you enable this option, the Kandji Agent will automatically prompt the end-user on any device that already has a Recovery Key generated to regenerate its Recovery Key."

Takeaway: Based on the docs, Kandji does not appear to store the encryption key to the file system or provide an option to do so. Instead, they escrow the recovery keys, which are then accessed via the web app.

4) JumpCloud (will not work)

"The advent of Apple File Systems (APFS) in macOS 10.13 changed the way Apple manages FileVault encryption keys. To secure and provide access to encryption keys required for FileVault decryption, Apple introduced Secure Tokens. Ensure your users have Secure Tokens by following the instructions in Installing and Using the Service Account for macOS."

"JumpCloud leverages a service account to ensure that JumpCloud-managed users on macOS devices can unlock FileVault encryption. Before JumpCloud can provide FileVault access to JumpCloud-managed users, the JumpCloud Service Account must be created to provide its crucial function of granting new users secure tokens."

Takeaway: JumpCloud appears to use something called Secure Tokens that have to be generated through a separate service called "Service Account". There is no mention of saving a key to the filesystem.
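An added worked example (not part of this issue and not Fleet's code) showing what a consumer of the query above has to do with its result: osquery's file_lines table returns one row per line, so the rows are joined back into the plist text before it is parsed. The row shape (path, line), the plist layout (modelled on what fdesetup writes with -outputplist) and the recovery-key value are assumptions, and the sample file content is constructed. The block also carries the two checks a practitioner would want around a plaintext recovery key on disk: that the parsed value actually has the XXXX-XXXX-XXXX-XXXX-XXXX-XXXX shape of a personal recovery key (so a mis-parsed plist is not escrowed as a key), and that the file's mode does not make it readable beyond its owner.

```python
"""Consume the fdesetup.plist rows that the issue's file_lines query returns.

Added example, not Fleet's code. The row shape (path, line), the plist layout
(modelled on `fdesetup enable -outputplist` output) and the key value are
assumptions; SAMPLE_PLIST below is constructed, not captured from a host.
"""
import plistlib
import re
import stat
from xml.parsers.expat import ExpatError

FDESETUP_PATH = "/var/db/ConfigurationProfiles/fdesetup.plist"

# Constructed sample of the file as an MDM-driven FileVault enablement might
# write it. The RecoveryKey value is a placeholder, not a real key.
SAMPLE_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnabledDate</key>
    <string>2022-11-14 10:21:05 +0000</string>
    <key>HardwareUUID</key>
    <string>00000000-0000-0000-0000-000000000000</string>
    <key>RecoveryKey</key>
    <string>AAAA-BBBB-CCCC-DDDD-EEEE-FFFF</string>
</dict>
</plist>
"""

# A FileVault personal recovery key is 24 characters in six hyphen-separated groups of four.
RECOVERY_KEY_RE = re.compile(r"^[A-Z0-9]{4}(?:-[A-Z0-9]{4}){5}$")


def as_file_lines_rows(path, content):
    """Simulate SELECT * FROM file_lines WHERE path=...: one row per line, in file order
    (assumed row shape: path, line)."""
    return [{"path": path, "line": line} for line in content.splitlines()]


def recovery_key_from_rows(rows):
    """Join the rows back into plist text and return its RecoveryKey string.

    Returns None when there are no rows (what the query yields when the file is
    absent, which the issue notes happens when FileVault was already on before
    MDM enrollment), when the text is not a parseable plist, or when the plist
    has no RecoveryKey entry.
    """
    if not rows:
        return None
    text = "\n".join(row["line"] for row in rows)
    try:
        data = plistlib.loads(text.encode("utf-8"))
    except (plistlib.InvalidFileException, ExpatError):
        return None
    if not isinstance(data, dict):
        return None
    key = data.get("RecoveryKey")
    return key if isinstance(key, str) else None


def looks_like_recovery_key(value):
    """Sanity check that a parsed value has the shape of a personal recovery key."""
    return bool(value) and RECOVERY_KEY_RE.match(value) is not None


def key_file_exposure(mode):
    """Return findings for the key file's permission bits (the st_mode from a stat call).

    The file holds the recovery key in plaintext, so any access beyond the owner
    is worth surfacing to the operator.
    """
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by non-owner")
    return findings


if __name__ == "__main__":
    rows = as_file_lines_rows(FDESETUP_PATH, SAMPLE_PLIST)
    key = recovery_key_from_rows(rows)
    print("recovery key:", key, "| valid shape:", looks_like_recovery_key(key))
    print("file absent ->", recovery_key_from_rows([]))
    print("mode 0644 findings:", key_file_exposure(0o644))
```

On a real host the rows come from osquery rather than as_file_lines_rows, and the mode would come from osquery's file table for the same path; the parsing and checks are unchanged.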

lukeheath commented 1 year ago

@fx5 I am assigning this ticket to you to bring to estimation next week. Please let me know if you have any questions. Thanks!

lukeheath commented 1 year ago

@fx5 Once this is estimated (or if there isn't enough information to estimate) please assign back to me. Thanks!

lukeheath commented 1 year ago

@noahtalerman We'll need to see what is involved in setting up and enrolling in each MDM solution. I expect that it will take quite a bit of time. We'll need to sign up for a trial for each solution, set up a new MDM instance, enroll a Mac in it, and confirm the file location. It would be nice if setting up each option was as easy as Fleet, but probably not :)

I wonder if it's possible to get the help of the Fleet community? Do we have access to any folks that are running any of these MDM solutions that might be willing to verify the file location for us?

lukeheath commented 1 year ago

@fx5 I'm going to take this ticket back to do a bit more research before we try to estimate.

lukeheath commented 1 year ago

@noahtalerman @zhumo I spent some time researching how other MDM solutions handle FileVault keys. I've updated the issue description with relevant links and takeaways.

I feel confident that SimpleMDM and Jamf will work using the filesystem/osquery approach to retrieve the FileVault key. Both Kandji and JumpCloud escrow their keys, with no mention of storing them in the filesystem, so I expect this approach would not work for them. Because the docs answer our questions, I don't think we need to install each MDM solution to validate for ourselves.

Please let me know how you would like to proceed with FileVault encryption key retrieval:

  1. Use osquery and support SimpleMDM and Jamf.
  2. Bypass osquery and escrow the key through our MDM.

zhumo commented 1 year ago

Thanks Luke! I think we can go with #1. Compatibility with other MDMs is a bonus.

lukeheath commented 1 year ago

Sounds good. With that decision, I'm going to close out this ticket. I've provided an update on #8708.

zhumo commented 1 year ago

> Note that if the user has FileVault turned on before enrolling in SimpleMDM, the file appears not to generate.

Hey @noahtalerman re: the above. Do we need to adjust the migration instructions and potentially the UI in order to accommodate this? I think previously we had thought that the FileVault query would "just work" but I just want to make sure we're covering the cases.

noahtalerman commented 1 year ago

> Do we need to adjust the migration instructions and potentially the UI in order to accommodate this above?

Yes.

I updated the FileVault section in the migration instructions to instruct the IT admin to ask device users to disable FileVault before migration. Here's the FileVault section in the migration instructions: https://docs.google.com/document/d/1Lzx35dYFWFPTUYWGWYXfvGCLHcy2QX1Uuy64izBPa78/edit#heading=h.n3dxpt9hc72o

> we had thought that the FileVault query would "just work"

Right. I was wrong. My current (updated) understanding is that the query works if FileVault is turned on by MDM and the MDM creates the file that includes the key.