homebysix / jss-filevault-reissue

A framework for re-escrowing missing or invalid FileVault keys with Jamf Pro.
Apache License 2.0

Reissue key on High Sierra #17

Open pleegor opened 6 years ago

pleegor commented 6 years ago

I am having issues escrowing keys on macOS 10.13. A new key is being generated, but it is not being "shipped" to the JSS. I have a FileVault encryption payload that encrypts the disk and sends the recovery key to the JSS. Was anyone able to get this workflow working on 10.13?

jelockwood commented 6 years ago

I am not using this project but I did have problems escrowing FileVault recovery keys with High Sierra. The issue is down to the fact that High Sierra now uses/requires user accounts to have a 'Secure Token' in order to be FileVault enabled. Since the way the jamfmanagement account is created results in it not having a secure token, this means the jamfmanagement account is not authorised to perform FileVault tasks.

With the help of JAMF I have implemented a solution for this. It involves running a script once on the client Mac; it does at the moment require user interaction, as the user has to provide the password for their FileVault enabled admin account so it can authorise creating a secure token for the jamfmanagement account. The script for this is here - https://github.com/kc9wwh/FileVaultEnableAdminAccount - it is actually based on this project.

Once the jamfmanagement account has a secure token it can then auto-rotate the FileVault recovery key and re-escrow the updated key.

One catch - the above script as currently written checks and insists that the machine is fully FileVault encrypted; it will not run whilst encryption is in progress, so you need to use a smart group to check for a fully completed encryption.

The script is being passed the username and password for a local admin account on the client Mac. I also have this created as standard and I can therefore include these details as parameters. Then, after encryption and this secure token process are complete (via another smart group), I have another script and policy called LAPS which randomises and rotates the password for this account. This is a project here - https://github.com/unl/LAPSforMac

In theory, since the local admin password is known to JAMF and stored in JAMF as an extension attribute, it should be possible to modify the script and policy for creating the secure token to look that up and pass it as the parameter. I have opened this as a ticket here - https://github.com/kc9wwh/FileVaultEnableAdminAccount/issues/2 - however I am getting the impression the project may be semi-abandoned, as there has been no activity from the author for a while.

So I think your problem may be down to the jamfmanagement account not having a secure token; you can check this by doing the following on the client Mac.

```
sudo sysadminctl -secureTokenStatus nameofjamfmanagementaccount
```

If it returns enabled, it has a secure token; if it returns disabled, it does not. If it is disabled then you need to look at the above solution to give the jamfmanagement account a secure token.
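The Secure Token check described in the comment above, turned into a script that can be run as a Jamf extension attribute so a smart group can scope the re-escrow policy only to Macs whose management account actually holds a token. This is an added example, not code from the issue thread or from the jss-filevault-reissue project. It assumes that `sysadminctl -secureTokenStatus` writes a line of the form `Secure token is ENABLED for user <name>` (or `DISABLED`) to stderr, and the account name and the sample output lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the issue thread or the jss-filevault-reissue project).
# Classifies the Secure Token status of an account from sysadminctl's output and
# emits it in Jamf extension attribute form, so a smart group can gate the
# FileVault re-escrow policy on "management account has a Secure Token".
#
# Assumption: `sysadminctl -secureTokenStatus <account>` prints a line such as
#   sysadminctl[pid:tid] Secure token is ENABLED for user <account>
# (or "DISABLED") to stderr, which is why stderr is merged into the capture.

# secure_token_state RAW_OUTPUT -> prints enabled | disabled | unknown
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  printf 'enabled\n' ;;
        *"Secure token is DISABLED"*) printf 'disabled\n' ;;
        *)                            printf 'unknown\n' ;;
    esac
}

# query_secure_token ACCOUNT -> runs sysadminctl (macOS only) and classifies the result.
# A missing binary or an unknown account falls through to "unknown" rather than aborting.
query_secure_token() {
    raw=$(sysadminctl -secureTokenStatus "$1" 2>&1) || true
    secure_token_state "$raw"
}

# ea_result STATE -> the <result>...</result> line a Jamf extension attribute must print.
ea_result() {
    case "$1" in
        enabled)  printf '<result>Enabled</result>\n' ;;
        disabled) printf '<result>Disabled</result>\n' ;;
        *)        printf '<result>Unknown</result>\n' ;;
    esac
}

# Constructed sample output lines (placeholder account name "jamfmanagement"),
# used so the parsing can be exercised on a machine without sysadminctl.
SAMPLE_ENABLED='2018-01-15 10:22:01.123 sysadminctl[512:9876] Secure token is ENABLED for user jamfmanagement'
SAMPLE_DISABLED='2018-01-15 10:22:05.456 sysadminctl[513:9877] Secure token is DISABLED for user jamfmanagement'

if [ "${1:-}" = "--demo" ]; then
    # Offline demonstration against the constructed samples.
    ea_result "$(secure_token_state "$SAMPLE_ENABLED")"
    ea_result "$(secure_token_state "$SAMPLE_DISABLED")"
elif [ -n "${1:-}" ]; then
    # Real check on a Mac: ./securetoken_ea.sh jamfmanagement
    ea_result "$(query_secure_token "$1")"
fi
```

Run it with an account name on a High Sierra or later Mac to get the `<result>` line, or with `--demo` anywhere to see both outcomes on the constructed samples. Because an extension attribute returns a string, the smart group criterion is simply "Secure Token status is Enabled", which is the precondition the comment identifies for the management account being allowed to rotate and re-escrow the recovery key.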