JAMF Pro FileVault Key re-escro

Don't let your users get locked out.





Disclaimer: think this through, read the solution. In this blog I am sharing a solution with fellow IT pros. I am offering insight into what I did to solve this issue for my own clients when I have encountered it, I am not telling you to do the same. iLogix Computer Solutions are not accountable for any issues introduced.


Scenario: You have FileVault enabled on your Macs through JAMF Pro with our Recovery Key Escrowed to JAMF Pro. This means you can help a user should they forget their Mac password and are unable to unlock their FileVault enabled Mac. FileVault will ensure that if the Mac is lost or stolen the users data will not be compromised.


We have created policies and profiles to force FileVault on our Macs in JAMF Pro.


However in JAMF Pro the inventory for some computers shows the following under inventory / Disk Encryption:

Where is the recovery key? this is serious as it could result in dataloss.


Solution: Create a bash script in JAMF Pro. Read through the script here and make any changes you need. It should not need much if any editing.

#!/bin/bash


####################################################################################################

#

# Copyright (c) 2017, JAMF Software, LLC. All rights reserved.

#

# Redistribution and use in source and binary forms, with or without

# modification, are permitted provided that the following conditions are met:

# * Redistributions of source code must retain the above copyright

# notice, this list of conditions and the following disclaimer.

# * Redistributions in binary form must reproduce the above copyright

# notice, this list of conditions and the following disclaimer in the

# documentation and/or other materials provided with the distribution.

# * Neither the name of the JAMF Software, LLC nor the

# names of its contributors may be used to endorse or promote products

# derived from this software without specific prior written permission.

#

# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY

# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY

# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND

# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#

####################################################################################################

#

# Description

#

# The purpose of this script is to allow a new individual recovery key to be issued

# if the current key is invalid and the management account is not enabled for FV2,

# or if the machine was encrypted outside of the JSS.

#

# First put a configuration profile for FV2 recovery key redirection in place.

# Ensure keys are being redirected to your JSS.

#

# This script will prompt the user for their password so a new FV2 individual

# recovery key can be issued and redirected to the JSS.

#

####################################################################################################

#

# HISTORY

#

# -Created by Sam Fortuna on Sept. 5, 2014

# -Updated by Sam Fortuna on Nov. 18, 2014

# -Added support for 10.10

# -Updated by Sam Fortuna on June 23, 2015

# -Properly escapes special characters in user passwords

# -Updated by Bram Cohen on May 27, 2016

# -Pipe FV key and password to /dev/null

# -Updated by Jordan Wisniewski on Dec 5, 2016

# -Removed quotes for 'send {${userPass}} ' so

# passwords with spaces work.

# -Updated by Shane Brown/Kylie Bareis on Aug 29, 2017

# - Fixed an issue with usernames that contain

# sub-string matches of each other.

# -Updated by Bram Cohen on Jan 3, 2018

# - 10.13 adds a new prompt for username before password in changerecovery

# -Updated by Matt Boyle on July 6, 2018

# - Error handeling, custom Window Lables, Messages and FV2 Icon

# -Updated by David Raabe on July 26, 2018

# - Added Custom Branding to pop up windows

# -Updated by Sebastien Del Saz Alvarez on January 22, 2021

# -Changed OS variable and relevant if statements to use OS Build rather than OS Version to avoid errors in Big Sur

####################################################################################################

#

# Parameter 4 = Set organization name in pop up window

# Parameter 5 = Failed Attempts until Stop

# Parameter 6 = Custom text for contact information.

# Parameter 7 = Custom Branding - Defaults to Self Service Icon

#Customizing Window


selfServiceBrandIcon="/Users/$3/Library/Application Support/com.jamfsoftware.selfservice.mac/Documents/Images/brandingimage.png"

jamfBrandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns"

fileVaultIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns"


if [ ! -z "$4" ]

then

orgName="$4 -"

fi


if [ ! -z "$6" ]

then

haltMsg="$6"

else

haltMsg="Please Contact IT for Further assistance."

fi


if [[ ! -z "$7" ]]; then

brandIcon="$7"

elif [[ -f $selfServiceBrandIcon ]]; then

brandIcon=$selfServiceBrandIcon

elif [[ -f $jamfBrandIcon ]]; then

brandIcon=$jamfBrandIcon

else

brandIcon=$fileVaultIcon

fi



## Get the logged in user's name

userName=$(/usr/bin/stat -f%Su /dev/console)


## Grab the UUID of the User

userNameUUID=$(dscl . -read /Users/$userName/ GeneratedUID | awk '{print $2}')


## Get the OS build

BUILD=`/usr/bin/sw_vers -buildVersion | awk {'print substr ($0,0,2)'}`


## This first user check sees if the logged in account is already authorized with FileVault 2

userCheck=`fdesetup list | awk -v usrN="$userNameUUID" -F, 'match($0, usrN) {print $1}'`

if [ "${userCheck}" != "${userName}" ]; then

echo "This user is not a FileVault 2 enabled user."

exit 3

fi


## Counter for Attempts

try=0

if [ ! -z "$5" ]

then

maxTry=$5

else

maxTry=2

fi


## Check to see if the encryption process is complete

encryptCheck=`fdesetup status`

statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")

expectedStatus="FileVault is On."

if [ "${statusCheck}" != "${expectedStatus}" ]; then

echo "The encryption process has not completed."

echo "${encryptCheck}"

exit 4

fi


passwordPrompt () {

## Get the logged in user's password via a prompt

echo "Prompting ${userName} for their login password."

userPass=$(/usr/bin/osascript -e "

on run

display dialog \"To generate a new FileVault key\" & return & \"Enter login password for '$userName'\" default answer \"\" with title \"$orgName FileVault Key Reset\" buttons {\"Cancel\", \"Ok\"} default button 2 with icon POSIX file \"$brandIcon\" with text and hidden answer

set userPass to text returned of the result

return userPass

end run")

if [ "$?" == "1" ]

then

echo "User Canceled"

exit 0

fi

try=$((try+1))

if [[ $BUILD -ge 13 ]] && [[ $BUILD -lt 17 ]]; then

## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output

result=$(expect -c "

log_user 0

spawn fdesetup changerecovery -personal

expect \"Enter a password for '/', or the recovery key:\"

send {${userPass}}

send \r

log_user 1

expect eof

" >> /dev/null)

elif [[ $BUILD -ge 17 ]]; then

result=$(expect -c "

log_user 0

spawn fdesetup changerecovery -personal

expect \"Enter the user name:\"

send {${userName}}

send \r

expect \"Enter a password for '/', or the recovery key:\"

send {${userPass}}

send \r

log_user 1

expect eof

")

else

echo "OS version not 10.9+ or OS version unrecognized"

echo "$(/usr/bin/sw_vers -productVersion)"

exit 5

fi

}


successAlert () {

/usr/bin/osascript -e "

on run

display dialog \"\" & return & \"Your FileVault Key was successfully Changed\" with title \"$orgName FileVault Key Reset\" buttons {\"Close\"} default button 1 with icon POSIX file \"$brandIcon\"

end run"

}


errorAlert () {

/usr/bin/osascript -e "

on run

display dialog \"FileVault Key not Changed\" & return & \"$result\" buttons {\"Cancel\", \"Try Again\"} default button 2 with title \"$orgName FileVault Key Reset\" with icon POSIX file \"$brandIcon\"

end run"

if [ "$?" == "1" ]

then

echo "User Canceled"

exit 0

else

try=$(($try+1))

fi

}


haltAlert () {

/usr/bin/osascript -e "

on run

display dialog \"FileVault Key not changed\" & return & \"$haltMsg\" buttons {\"Close\"} default button 1 with title \"$orgName FileVault Key Reset\" with icon POSIX file \"$brandIcon\"

end run

"

}


while true

do

passwordPrompt

if [[ $result = *"Error"* ]]

then

echo "Error Changing Key"

if [ $try -ge $maxTry ]

then

haltAlert

echo "Quitting.. Too Many failures"

exit 0

else

echo $result

errorAlert

fi

else

echo "Successfully Changed FV2 Key"

successAlert

exit 0

fi

done

We add our script here.


Create a smart computer group in JAMF Pro to target any computer that does not have its recovery key available in JAMF Pro.

Create a policy scoped to this Smart Group and add the bash script to it. Publish it in Self Service.


Ask your users to run this script.


Next time we check our inventory we will be able to reveal the FileVault Recovery Key.




iLogix Computer Solutions are Apple and JAMF Certified. We support more than just your Mac hardware. Call us for more information and of course call us for help.


Mac support Basingstoke - Mac support Guildford - Mac support Farnborough

Mac support Reading - Mac support Camberley - Mac support Yateley


iLogix Computer Solutions - 01252 962898

4 views