Closed lukeheath closed 1 year ago
@fx5 I am assigning this ticket to you to bring to estimation next week. Please let me know if you have any questions. Thanks!
@fx5 Once this is estimated (or if there isn't enough information to estimate) please assign back to me. Thanks!
@noahtalerman We'll need to see what is involved in setting up and enrolling in each MDM solution. I expect that it will take quite a bit of time. We'll need to sign up for a trial for each solution, set up a new MDM instance, enroll a Mac in it, and confirm the file location. It would be nice if setting up each option was as easy as Fleet, but probably not :)
I wonder if it's possible to get the help of the Fleet community? Do we have access to any folks that are running any of these MDM solutions that might be willing to verify the file location for us?
@fx5 I'm going to take this ticket back to do a bit more research before we try to estimate.
@noahtalerman @zhumo I spent some time researching how other MDM solutions handle FileVault keys. I've updated the issue description with relevant links and takeaways.
I feel confident that SimpleMDM and Jamf will work using the filesystem/osquery approach to retrieve the FileVault key. Both Kandji and JumpCloud escrow their keys, with no mention of storing them in the filesystem, so I expect this approach would not work for them. Because the docs answer our questions, I don't think we need to install each MDM solution to validate for ourselves.
Please let me know how you would like to proceed with FileVault encryption key retrieval:
Thanks Luke! I think we can go with #1. Compatibility with other MDMs is a bonus.
Sounds good. With that decision, I'm going to close out this ticket. I've provided an update on #8708
Note that if the user has FileVault turned on before enrolling in SimpleMDM, the file appears not to generate.
Hey @noahtalerman re: the above. Do we need to adjust the migration instructions and potentially the UI in order to accommodate this above? I think previously we had thought that the Filevault query would "just work" but I just want to make sure we're covering the cases.
Do we need to adjust the migration instructions and potentially the UI in order to accommodate this above?
Yes.
I updated the FileVault section in the migration instructions to instruct the IT admin to ask device users to disable FileVault before migration. Here's the FileVault section in the migration instructions: https://docs.google.com/document/d/1Lzx35dYFWFPTUYWGWYXfvGCLHcy2QX1Uuy64izBPa78/edit#heading=h.n3dxpt9hc72o
we had thought that the Filevault query would "just work"
Right. I was wrong. My current (updated) understanding is that the query works if FileVault is turned on by MDM and the MDM creates the file that includes the key.
As a Fleet user, I want to be able to consistently access the FileVault encryption key on macOS hosts that are enrolled in any supported MDM solution.
We want to use this query:
To access the FileVault encryption key. We have confirmed that /var/db/ConfigurationProfiles/fdesetup.plist exists for hosts enrolled in SimpleMDM, and does not exist on hosts that are not enrolled in MDM. Note that if the user has FileVault turned on before enrolling in SimpleMDM, the file appears not to generate. We need to determine if this approach will work for other MDM solutions.
MDM solutions
1) SimpleMDM (confirmed works)
/var/db/ConfigurationProfiles/fdesetup.plist
2) Jamf (likely will work)
Takeaway: Jamf supports setting encryption key at specific filepath.
3) Kandji (will not work)
Takeaway: Based on the docs, Kandji does not appear to store the encryption key on the file system or provide an option to do so. Instead, they escrow the recovery keys, which are then accessed via the web app.
4) JumpCloud (will not work)
Takeaway: JumpCloud appears to use something called Secure Tokens that have to be generated through a separate service called "Service Account". There is no mention of saving a key to the filesystem.
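The filesystem approach discussed in this issue has two distinct failure modes that a host-side check should tell apart: the plist was never written (FileVault was already on before MDM enrollment, or the host is not MDM-enrolled at all), and the plist exists but carries no usable key. The following is an added example, not Fleet's, SimpleMDM's or any MDM vendor's code. It assumes the file is a standard property list whose top-level dictionary holds the key under "RecoveryKey" (the key name `fdesetup enable -outputplist` emits; whether a given MDM writes exactly that name is an assumption), and it validates the value against the usual personal-recovery-key shape (six dash-separated groups of four characters). The sample plist it writes is constructed for the demo.

```python
"""Read a FileVault recovery key from an fdesetup-style plist and report
why it could not be read. Added example; not code from Fleet or any MDM.

Assumptions (not confirmed by the issue):
  * the plist's top-level dict stores the key under "RecoveryKey"
  * a personal recovery key looks like XXXX-XXXX-XXXX-XXXX-XXXX-XXXX
"""
import os
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Path confirmed in the issue for SimpleMDM-enrolled hosts.
FDESETUP_PLIST = "/var/db/ConfigurationProfiles/fdesetup.plist"
KEY_NAME = "RecoveryKey"  # assumed plist key name (see module docstring)

# Personal recovery key format: 6 groups of 4 letters/digits separated by dashes.
_RECOVERY_KEY_RE = re.compile(r"^[A-Z0-9]{4}(?:-[A-Z0-9]{4}){5}$")


def looks_like_recovery_key(value: str) -> bool:
    """True if value has the shape of a FileVault personal recovery key."""
    return bool(_RECOVERY_KEY_RE.match(value))


def read_filevault_key(path: str = FDESETUP_PLIST,
                       key_name: str = KEY_NAME) -> Tuple[str, Optional[str]]:
    """Return (status, key). status is one of:
         "missing"   - file absent: MDM never wrote it (e.g. FileVault was
                       enabled before enrollment) or host is not MDM-enrolled
         "unreadable"- file present but not a parseable plist
         "no_key"    - plist parsed but carries no usable key
         "ok"        - key found and well-formed
    """
    p = Path(path)
    if not p.is_file():
        return ("missing", None)
    try:
        with p.open("rb") as fh:
            data = plistlib.load(fh)
    except (plistlib.InvalidFileException, ValueError):
        return ("unreadable", None)
    value = data.get(key_name) if isinstance(data, dict) else None
    if not isinstance(value, str) or not looks_like_recovery_key(value):
        return ("no_key", None)
    return ("ok", value)


def write_constructed_plist(path: str, key: str) -> None:
    """Write a minimal plist shaped like fdesetup output (constructed data)."""
    with open(path, "wb") as fh:
        plistlib.dump({"RecoveryKey": key, "EnabledDate": "2023-01-01"}, fh)


def run_demo() -> dict:
    """Exercise all three file states in a temp dir; returns the statuses."""
    sample_key = "ABCD-EFGH-JKLM-NPQR-STUV-WXYZ"  # constructed, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "fdesetup.plist")
        write_constructed_plist(good, sample_key)
        bad = os.path.join(tmp, "garbage.plist")
        with open(bad, "wb") as fh:
            fh.write(b"not a plist")
        return {
            "enrolled": read_filevault_key(good),
            "pre_enrollment_filevault": read_filevault_key(
                os.path.join(tmp, "never-written.plist")),
            "corrupt": read_filevault_key(bad),
        }


if __name__ == "__main__":
    for name, (status, key) in run_demo().items():
        print(f"{name}: {status}" + (f" ({key})" if key else ""))
```

The "missing" status is the case the migration instructions now have to cover: a host that enabled FileVault before enrollment returns it even though FileVault is on, so a collector should report that state explicitly rather than treat an empty result as "not encrypted".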