A macOS authorization plugin that helps MDM administrators ensure valid FileVault keys are escrowed for all their Macs.

amacomber/escrow-buddy

Escrow Buddy

Escrow Buddy is a macOS authorization plugin that allows MDM administrators to generate and escrow new FileVault personal recovery keys on Macs that lack a valid escrowed key in MDM.

For more context around the problem of missing FileVault keys in MDM and Escrow Buddy's origin, see this post on the Netflix Tech Blog.

If you've successfully deployed Escrow Buddy, we'd love to know the details in this brief survey. Thank you!


Requirements

  • Your managed Macs must:
    • be enrolled in an MDM
    • have macOS Mojave 10.14.4 or newer
  • Your MDM must:
    • support FileVault recovery key escrow
    • deploy a configuration profile with the FDERecoveryKeyEscrow payload
    • have the ability to install packages and run shell scripts

NOTE: Escrow Buddy only works with MDM-based escrow solutions, not escrow servers like Crypt Server or Cauliflower Vest.


Deployment

  1. Ensure you have an escrow profile scoped to all Macs with the FDERecoveryKeyEscrow payload.

    This will ensure that any newly generated FileVault recovery key, no matter how it's generated, will be escrowed to your MDM server.

  2. Use your MDM to install the latest Escrow Buddy installer package on your Macs.

    You can choose to install on all Macs or limit to those that need FileVault recovery keys escrowed.

  3. Use your MDM to run this command (in root context) on Macs that do not have a valid FileVault recovery key escrowed:

     defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true

    It is recommended to have your MDM's dynamic scoping feature run this command only on the Macs that need it. See the Examples page for examples.

That's it! The next time a FileVault-authorized user logs in to the Mac, a new FileVault personal recovery key will be generated and escrowed to your MDM.
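A preflight wrapper around step 3, added here as an example and not Escrow Buddy's own code: it refuses to request a new key unless FileVault is on and the FDERecoveryKeyEscrow profile from step 1 is present, because a key generated without that profile would never reach the MDM. It assumes the MDM scopes it (as root) to Macs reported as lacking a valid escrowed key, and that `fdesetup status` and `profiles show -type configuration` print the strings matched below.

```shell
#!/bin/sh
# Preflight for deployment step 3. Scope it in the MDM to Macs whose escrowed
# key is missing or invalid; it sets GenerateNewKey only when FileVault is on
# and the FDERecoveryKeyEscrow profile is present, so a newly generated key
# cannot be left unescrowed. Added example, not Escrow Buddy's own code.

PLIST="/Library/Preferences/com.netflix.Escrow-Buddy.plist"  # from step 3

# decide FV_STATUS PROFILES_TEXT: pure decision from the text of `fdesetup status`
# and `profiles show -type configuration` (assumed to include the payload type),
# so it runs without a Mac. Prints: generate | skip-fv-off | abort-no-escrow-profile
decide() {
  case "$1" in
    *"FileVault is On"*) ;;
    *) echo "skip-fv-off"; return 0 ;;
  esac
  if printf '%s\n' "$2" | grep -q 'FDERecoveryKeyEscrow'; then
    echo "generate"
  else
    echo "abort-no-escrow-profile"
  fi
}

# Same command as step 3 in the README; must run as root.
request_new_key() {
  defaults write "$PLIST" GenerateNewKey -bool true
}

main() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "must run as root" >&2
    exit 1
  fi
  fv="$(fdesetup status 2>/dev/null)"
  prof="$(profiles show -type configuration 2>/dev/null)"
  case "$(decide "$fv" "$prof")" in
    generate)
      request_new_key && echo "GenerateNewKey set; key rotates and escrows at next FileVault-authorized login" ;;
    skip-fv-off)
      echo "FileVault is off; nothing to escrow" ;;
    *)
      echo "no FDERecoveryKeyEscrow profile found; refusing to rotate the key" >&2
      exit 1 ;;
  esac
}

# Only act on macOS; elsewhere the file just defines the functions above.
if [ "$(uname)" = "Darwin" ]; then
  main "$@"
fi
```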


Support

See the wiki for Frequently Asked Questions and Troubleshooting resources.

If you've read those pages and are still having problems, please search our issues (both open and closed) to see whether your issue has already been addressed there. If not, you can open an issue.

For a faster and more focused response, be sure to provide the following in your issue:

  • Log output (see the wiki for information on retrieving logs)
  • macOS version you're deploying to
  • MDM (name and version) you're using
  • What troubleshooting steps you've already taken

Contribution

Contributions are welcome! To contribute, create a fork of this repository, commit and push changes to a branch of your fork, and then submit a pull request. Your changes will be reviewed by a project maintainer.

Contributions don't have to be code; we appreciate any help maintaining our wiki or answering issues.

Also, if you've successfully deployed Escrow Buddy at your organization, please consider submitting our brief survey for measuring the project's community impact.


Credits

Escrow Buddy was created by the Netflix Client Systems Engineering team.

The Crypt project was a major inspiration in the creation of this tool — huge thanks to Graham, Wes, and the Crypt team! Jeremy Baker and Tom Burgin's 2015 PSU MacAdmins session on authorization plugins was also a valuable resource.

Escrow Buddy is licensed under the Apache License, version 2.0.

Languages

  • Objective-C 36.7%
  • Swift 34.6%
  • Shell 28.7%