
homebysix / Jss Filevault Reissue

Licence: apache-2.0
A framework for re-escrowing missing or invalid FileVault keys with Jamf Pro.

Reissuing FileVault keys with the Casper Suite

Presented by Elliot Jordan, Senior Consultant, Linde Group
MacBrained - January 27, 2015 - San Francisco, CA

The Problem

FileVault individual recovery keys can be missing from (or invalid in) the JSS for several reasons:

  • Perhaps the Mac was encrypted prior to enrollment.
  • The Mac was encrypted prior to the FileVault redirection profile installation.
  • The original recovery key was lost for some reason (e.g. database corruption or a bug of some kind).

[Screenshots: the Mac reports FileVault as encrypted, while the JSS shows FileVault as "not configured".]

The Solution

You can use a policy to generate a new FileVault individual recovery key and escrow it to the JSS.

  1. A configuration profile ensures that all FileVault keys are escrowed with the JSS.
  2. A smart group determines which computers lack valid individual recovery keys.
  3. Customize the reissue_filevault_recovery_key.sh for your environment.
  4. Create a policy that deploys the reissue_filevault_recovery_key.sh script to the computers in the smart group.

[Screenshots: the jamfHelper notification and the AppleScript password prompt shown to the user.]

Step One: Configuration Profile

A configuration profile called “Redirect FileVault keys to JSS” does what the name says.

  • General
    • Distribution Method: Install Automatically
    • Level: Computer Level
  • FileVault Recovery Key Redirection
    • Automatically redirect recovery keys to the JSS
  • Scope
    • All computers

Step Two: Smart Group

A smart group named “FileVault encryption key is invalid or unknown” selects the affected Macs.

  And/Or   Criteria                                 Operator                Value
           FileVault 2 Individual Key Validation    is not                  Valid
  and      Last Check-in                            less than x days ago    30
  and      FileVault 2 Detailed Status*             is                      FileVault 2 Encryption Complete

*From Rich Trouton’s FileVault status extension attribute: http://goo.gl/zB04LT
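The third criterion depends on an extension attribute that turns the output of `fdesetup status` into one status string the smart group can match. The script below is an added example written for this page; it is not Rich Trouton's extension attribute and not part of this project. Only the string "FileVault 2 Encryption Complete" is taken from the table above; the other status strings, the `FV_EA_RUN` guard and the sample outputs are assumptions made here.

```shell
#!/bin/sh
# Added example (not Rich Trouton's EA, not this project's code): classify
# the text printed by `fdesetup status` into a single status string that a
# Jamf extension attribute reports and a smart group can match on.
# Assumption: only "FileVault 2 Encryption Complete" comes from the page;
# the other status strings are invented here for illustration.

# Constructed sample outputs in the shape `fdesetup status` prints them.
# During a conversion the first line still reads On/Off, so the
# "in progress" checks must run before the plain On/Off checks.
SAMPLE_ON='FileVault is On.'
SAMPLE_OFF='FileVault is Off.'
SAMPLE_ENCRYPTING="$(printf 'FileVault is On.\nEncryption in progress: Percent completed = 42')"
SAMPLE_DECRYPTING="$(printf 'FileVault is Off.\nDecryption in progress: Percent completed = 7')"

# Map raw `fdesetup status` text to one status string.
classify_fv_status() {
    case "$1" in
        *"Encryption in progress"*) echo "FileVault 2 Encryption Proceeding" ;;
        *"Decryption in progress"*) echo "FileVault 2 Decryption Proceeding" ;;
        *"FileVault is On."*)       echo "FileVault 2 Encryption Complete" ;;
        *"FileVault is Off."*)      echo "FileVault 2 Encryption Not Enabled" ;;
        *)                          echo "FileVault 2 Status Unknown" ;;
    esac
}

# Pull the percentage out of an in-progress report; prints nothing when
# no conversion is running.
fv_percent_complete() {
    printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Extension attribute body: wrap the classification in <result> tags as
# Jamf expects. Runs fdesetup only where it exists; elsewhere reports Unknown.
fv_extension_attribute() {
    if [ -x /usr/bin/fdesetup ]; then
        status="$(/usr/bin/fdesetup status 2>/dev/null)"
    else
        status=""
    fi
    printf '<result>%s</result>\n' "$(classify_fv_status "$status")"
}

# Only emit the EA result when invoked deliberately (hypothetical guard),
# so the functions can be sourced and tested without side effects.
if [ "${FV_EA_RUN:-0}" = "1" ]; then
    fv_extension_attribute
fi
```

Pasted into a Jamf extension attribute (without the guard), the `<result>` line is what the smart group's "is FileVault 2 Encryption Complete" criterion compares against; a Mac still converting is deliberately excluded, because rotating the key mid-conversion is not what the policy is for.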

Step Three: Script

The reissue_filevault_recovery_key.sh script runs on each affected Mac.

  • Start by customizing the reissue_filevault_recovery_key.sh script as needed for your environment.
    • Email affected employees to give them a heads up.
    • Use jamfHelper to announce the upcoming password prompt.
    • Add logo to AppleScript password prompt.
    • Fail silently if the logo files aren’t present or any other problem is detected.
    • Verify the Mac login password before rotating the key, with 5 chances to enter the correct password.

Here is the section of the script you'll want to customize:

[Screenshot of the customizable section of the script.]

Step Four: Policy

A policy called “Reissue invalid or missing FileVault recovery key” runs the script on each Mac in the smart group.

  • General
    • Trigger: Recurring Check-In
    • Execution Frequency: Once per computer
  • Packages
    • AppleScriptCustomIcon.dmg (loads /tmp/Pinterest.icns)
  • Scripts
    • reissue_filevault_recovery_key.sh (priority: After)
  • Scope
    • Smart Group: FileVault encryption key is invalid or unknown
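The part of this procedure that matters for safety is the order of operations inside the script: the login password is checked locally before it is ever handed to fdesetup, because (as the Compatibility section notes) a wrong password during rotation can invalidate the existing key on some macOS versions. The script below is an added example written for this page, not the project's reissue_filevault_recovery_key.sh. The plist keys `Username` and `Password` are what `fdesetup changerecovery -inputplist` reads; the `FV_REISSUE_RUN` guard and the injectable prompt/auth functions are assumptions made here so the retry logic can be exercised without a GUI.

```shell
#!/bin/sh
# Added example, not the project's reissue_filevault_recovery_key.sh: the
# core of a safe reissue flow. The login password is verified with dscl
# BEFORE it reaches fdesetup, since a wrong password during rotation can
# invalidate the existing key on some macOS versions.
# Assumptions: FV_REISSUE_RUN is a guard invented here; the prompt and auth
# functions are passed in so the logic can be tested without a dialog.

MAX_TRIES=5   # five chances to enter the correct password

# Escape a value for inclusion in plist XML (& must be replaced first).
xml_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the input plist that `fdesetup changerecovery -inputplist` reads on stdin.
build_fdesetup_plist() {
    u="$(xml_escape "$1")"; p="$(xml_escape "$2")"
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0"><dict>' \
        "<key>Username</key><string>$u</string>" \
        "<key>Password</key><string>$p</string>" \
        '</dict></plist>'
}

# Real authenticator: check the password against the local directory node.
# Note: this proves the login password, not that it matches the FileVault
# password; the two can differ.
dscl_authonly() {
    /usr/bin/dscl /Local/Default -authonly "$1" "$2" >/dev/null 2>&1
}

# Real prompt: AppleScript dialog with hidden input. Sets ENTERED_PASSWORD
# (no subshell, so the value survives); returns non-zero if the user cancels.
osascript_prompt() {
    ENTERED_PASSWORD="$(/usr/bin/osascript \
        -e "display dialog \"Enter the login password for $1 (attempt $2 of $MAX_TRIES)\" default answer \"\" with hidden answer buttons {\"Cancel\", \"OK\"} default button 2" \
        -e 'text returned of result')" || return 1
}

# Prompt up to MAX_TRIES times; every attempt is verified by auth_fn before
# anything reaches fdesetup. On success sets VERIFIED_PASSWORD and returns 0;
# returns 1 when attempts run out, 2 if the user cancels.
collect_verified_password() {
    user="$1"; auth_fn="$2"; prompt_fn="$3"
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        ENTERED_PASSWORD=""
        "$prompt_fn" "$user" "$tries" || return 2
        if "$auth_fn" "$user" "$ENTERED_PASSWORD"; then
            VERIFIED_PASSWORD="$ENTERED_PASSWORD"
            return 0
        fi
    done
    return 1
}

# Rotate the personal recovery key. fdesetup prints the new key to stdout,
# so it is discarded rather than written into the Jamf policy log; the
# redirection profile is what escrows it to the JSS.
rotate_recovery_key() {
    build_fdesetup_plist "$1" "$2" | /usr/bin/fdesetup changerecovery -personal -inputplist >/dev/null
}

main() {
    user="$(/usr/bin/stat -f%Su /dev/console)"   # currently logged-in user
    collect_verified_password "$user" dscl_authonly osascript_prompt || exit 1
    rotate_recovery_key "$user" "$VERIFIED_PASSWORD"
    unset VERIFIED_PASSWORD ENTERED_PASSWORD
}

# Guard so the functions can be sourced and tested without touching fdesetup.
if [ "${FV_REISSUE_RUN:-0}" = "1" ]; then
    main
fi
```

Two design points worth keeping when adapting the real script: the password only ever travels to fdesetup through stdin as a plist (never as a command-line argument visible in `ps`), and the new key is never echoed, since anything the script prints ends up in the policy log for every Mac in scope.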

Follow Through

Don’t forget to monitor policy logs and test FileVault recovery to verify success.

  • Monitor policy logs and flush one-off errors (unable to connect to distribution point, no user logged in, etc.) so the policy retries.
  • Identify and resolve remaining problems manually.
  • Test a few newly-generated FileVault keys to ensure they are working as expected.
  • Update your internal documentation.

Compatibility

High Sierra (10.13) and Mojave (10.14)

This script appears to work with macOS High Sierra and Mojave, but there are a few known issues:

  • On specific versions of High Sierra, entering an incorrect password during the key rotation process can result in invalidation of the existing FileVault key.
    • Since the existing FileVault key is presumably not valid in the first place, this isn't the end of the world. But if that key was also stored separately (e.g. in a spreadsheet somewhere), it will no longer work.
    • We attempt to mitigate this by validating the provided password with dscl prior to using it for rotation of the FileVault key. However, there is no guarantee that your local account password and your FileVault password are the same.
  • Previous versions of macOS generated log output that confirmed the successful escrow of the newly generated FileVault key. High Sierra and Mojave do not. Instead, a local file containing the new key is written, which MDM is meant to retrieve. We attempt to determine escrow success by detecting a change in that file, but it's not a guarantee of success.
  • If you find additional issues with High Sierra or Mojave, I'd appreciate you opening an issue on this repo.

Catalina (10.15)

This script should work on macOS Catalina, but please open an issue if you notice any Catalina-specific bugs.

Thank you!


See the original presentation slides.
