homebysix / jss-filevault-reissue

A framework for re-escrowing missing or invalid FileVault keys with Jamf Pro.
Apache License 2.0
186 stars 56 forks

add functionality for macOS High Sierra #7

Closed. haircut closed this 6 years ago.

haircut commented 6 years ago

This PR adds support for macOS High Sierra's new FileVault personal recovery key escrow functionality.

We check for the existence of /var/db/FileVaultPRK.dat, which is an encrypted file containing the personal recovery key for the device. The device's MDM is responsible for collecting and decrypting the file, which is not covered within the scope of this workflow. We cannot provide assurance this has taken place, so our best bet is to determine if the file has been modified after we attempt to rotate the recovery key. An updated modification time (or creation of the file if not previously existent) provides reasonable assurance the process worked correctly. Communication of the key back to the Jamf Pro Server is the responsibility of Jamf's MDMmonitor sending a successful SecurityInfo command.

"Recovery Key Redirection" functionality is still intact for 10.9–10.12, so this script does not break on "older" operating systems.

Additionally, this PR updates the collection of the current console user's username to the "Apple approved" method.

homebysix commented 6 years ago

Very grateful, thank you!