Instantly share code, notes, and snippets.

@haircut /README.md
Last active Jul 18, 2018

Embed
What would you like to do?
How to manage ONLY FDE Recovery Key Escrow in Jamf Pro 9.101+

How to manage ONLY FDE Recovery Key Escrow in Jamf Pro 9.101+

The Jamf Pro GUI allows you to automatically set up the necessary payloads to manage the FDE Recovery Key Escrow process for macOS 10.13+.

However, the settings reside in the "Security & Privacy" grouping within the Jamf Pro GUI, forcing you to manage settings other than those related to recovery key escrow. You may inadvertently lock your users out of being able to make changes to the firewall, analytics settings, screen saver password requirement, etc.

You can upload a custom profile to the Jamf Pro Server that manages only FDE Recover Key Escrow preferences, but it takes a little work.

You'll also need to sign your resultant configuration profile to prevent the Jamf Pro Server from manipulating its contents or preventing deployment. You can use an Apple Developer certificate, or your Jamf Pro Server's CA (if self signed).

  1. Create a temporary configuration profile for doing this setup. Name it something disposable – you'll delete it when done. "TEMP - FDERKE Setup" works. Set the level to "Computer level." Make sure you do not add a scope to the profile; we're not deploying it.

  2. Click the "Security & Privacy" group, then click "Configure." Select the "FileVault" tab. Apply these preferences:

  • ☑️ Enable Escrow Personal Recovery Key
  • Escrow Location Description: Describe where the recovery key is being shipped. This is visible to the end-user, so "My Company IT" or whatever is appropriate. We'll edit this elsewhere, so you can leave it blank.
  • Device Key for Escrowed FileVault Recovery Key: Text displayed at the FileVault unlock screen when a user has apparently forgotten their password. Despite the help text, you should leave this blank. By default it will be replaced with the device's serial number which will aid your technicians in recovering the correct key.
  • Personal Recovery Key Encryption Certificate: Set to "Automatically encrypt and decrypt recovery key."
  1. Save the profile, then click the "Download" button.

  2. Next we'll convert the profile to a useable format. In Terminal, run these commands:

    /usr/bin/security cms -D -i /path/to/downloaded/profile.mobileconfig -o /path/to/de-signed.mobileconfig
    plutil -convert xml1 /path/to/de-signed.mobileconfig
    
  3. Copy the template-fde-recovery-key-escrow.mobileconfig included in this gist to a new file in your favorite text editor. Change the values of PayloadOrganization and Location as needed.

  4. Open the de-signed profile originally downloaded from the Jamf Pro Server in your text editor. Find the PayloadContent below PayloadCertificateFileName – it's the big, obvious block of certificate data. Copy and paste this to the same location in your edited template-fde-recovery-key-escrow.mobileconfig file, making sure you get the indentation correct. Save this file with a suitable name like FileVault Recovery Key Escrow.mobileconfig.

  5. Sign the new profile thusly:

    /usr/bin/security cms -S -N "Common Name of signing certificate in your keychain" -i /path/to/FileVault\ Recovery\ Key Escrow.mobileconfig -o /path/to/Signed-FileVault\ Recovery\ Key\ Escrow.mobileconfig
    

    "Common Name of signing certificate in your keychain" refers to any signing certificate in your login or System keychain.

  6. Delete the temporary configuration profile from your Jamf Pro Server.

  7. Upload your completed Signed-FileVault Recovery Key Escrow.mobileconfig profile to your Jamf Pro Server, then set an appropriate scope and deploy it.

Thanks to @opragel for the template/example configuration profile.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>EncryptCertPayloadUUID</key>
<string>AB1DF8E4-05FA-4614-92D5-85F3DFA0B42F</string>
<key>PayloadDisplayName</key>
<string>FileVault Recovery Key Escrow</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.apple.security.FDERecoveryKeyEscrow.861711BA-DA66-4A29-B97D-C5A9213CEB6C</string>
<key>PayloadType</key>
<string>com.apple.security.FDERecoveryKeyEscrow</string>
<key>PayloadUUID</key>
<string>3FABE57F-3B52-4225-9F40-31FE8C1B2AD4</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Location</key>
<string>Indicates where the recovery key is being shipped.</string>
</dict>
<dict>
<key>PayloadCertificateFileName</key>
<string>FileVault2Comm.cer</string>
<key>PayloadContent</key>
<data>
PASTE YOUR CERT CONTENTS HERE
PASTE YOUR CERT CONTENTS HERE
PASTE YOUR CERT CONTENTS HERE
PASTE YOUR CERT CONTENTS HERE
PASTE YOUR CERT CONTENTS HERE
PASTE YOUR CERT CONTENTS HERE
PASTE YOUR CERT CONTENTS HERE
</data>
<key>PayloadDisplayName</key>
<string>Recovery Key Escrow Certificate</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.apple.security.pkcs1.AB1DF8E4-05FA-4614-92D5-85F3DFA0B42F</string>
<key>PayloadType</key>
<string>com.apple.security.pkcs1</string>
<key>PayloadUUID</key>
<string>AB1DF8E4-05FA-4614-92D5-85F3DFA0B42F</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Escrows recovery keys into company management system. Only supported on macOS 10.13 and up.</string>
<key>PayloadDisplayName</key>
<string>Escrow Recovery Keys</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>CBA0185B-66F5-4638-AC29-57A4C792AC46</string>
<key>PayloadOrganization</key>
<string>Contoso Inc</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>0B1D0A58-B539-472E-9191-8FE7AFA39E95</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
@jelockwood

This comment has been minimized.

jelockwood commented Jun 27, 2018

Thanks for this article. Here is a suggestion for a small improvement.

It might depend on a users environment and what signing certificates they have but in my experience the above is more likely to result in a mobileconfig that whilst signed and whilst it will work will be listed as 'unverified' in Profiles in System Preferences.

Annoyingly JAMF do not let you download the JSS code signing certificate and private key nor do they document where they might be located on the JSS. They do let you download the JSS Self Signed CA and private key which arguably are even more important than the code signing certificate and key. Therefore one can ensure you end up with a 'verified' mobileconfig profile by doing the following steps.

  1. Download the JSS self signed root CA and private key, this is done by logging in to your JSS, going to Global Management Settings, PKI Certificates, Management Certificate Template and then clicking on Create CA Backup, this will save the JSS self signed rootCA and private key as a .P12 file
  2. Using the downloaded JSS self signed rootCA and private key you need to create a code signing certificate, I used XCA a free frontend to OpenSSL to do this
  3. Install in to your Keychain the code signing certificate and private key
  4. Then use that code signing certificate to sign the mobileconfig as per step 7 in the original instructions from the author.

You can confirm it is present and correct using the following command

security find-identity -p codesigning

Since the code signing certificate is signed by the same JSS self signed rootCA as used for the rest of the JSS enrolment and mobileconfig profiles it will be listed as 'verified' by the client Mac.

Note: JAMF do not appear to set the code signing attribute on their own code signing certificate(s) - Apple do with Profile Manager and I did on my generated certificate and I recommend others do as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment