Kandji - macadmins/escrow-buddy GitHub Wiki

Deployment

For initial deployment of Escrow Buddy, Iru (formerly known as Kandji) administrators can follow this template:

Library Item: FileVault

Ensure the Escrow Recovery Keys to Iru option is enabled. See this KB article for details.

NOTE: Enabling this option will present a FileVault Recovery Key "action" in the Iru menu item. Users can either log out and let Escrow Buddy generate a new key silently upon next login, or they can follow the prompt in the Iru menu to generate a new key by providing their password. Either way, the result will be the same: the new key will be escrowed to Iru.

Library Item: Custom App: Escrow Buddy

This library item installs Escrow Buddy.

  • Custom App Name: Escrow Buddy

  • Assignment Rules: One or more Mac blueprints

  • Execution Frequency: Audit and enforce

    • Audit Script:

      #!/bin/bash
      # Exit 0 if the Escrow Buddy authorization plugin bundle is installed;
      # exit 1 so Iru installs (or reinstalls) the package when it is missing.
      BUNDLE_PATH="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
      [ -d "$BUNDLE_PATH" ] || exit 1
      exit 0

  • Package: Latest Escrow Buddy package downloaded from this page

  • Restart after successful install: No

See this Iru KB for details.

Authorization database maintenance

Some macOS updates and upgrades reset the authorization database to its default state, which will deactivate Escrow Buddy and prevent FileVault key generation upon next login. See the FAQ page for details.

To resolve this with Iru, you can use the following:

[!NOTE] HELP WANTED: If you're an Iru admin, please consider contributing to this section. The ideal solution would be an audit script that detects authdb status, and a remediation script that re-runs AuthDBSetup.sh if needed.
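One way to build the audit and remediation pair the note asks for, as an added example that is not Escrow Buddy's or Iru's own code. It assumes two things the page does not state: that Escrow Buddy is invoked at login because the system.login.console right lists the mechanism "Escrow Buddy:Invoke,privileged", and that the installed bundle carries AuthDBSetup.sh under Contents/Resources. Check both against the version you deploy before relying on it.

```shell
#!/bin/bash
# Added example for this wiki section; it is not part of Escrow Buddy or of Iru's
# own tooling. One file serves as both halves of an Iru library item with an audit
# and a remediation script: paste it as the Audit script with MODE=audit and as the
# Remediation script with MODE=remediate (exit 0 = audit passed, else remediate).
#
# Assumptions made here, not stated on this page:
#   - Escrow Buddy is invoked at login because the system.login.console right
#     lists the mechanism "Escrow Buddy:Invoke,privileged".
#   - The installed bundle carries AuthDBSetup.sh under Contents/Resources.
MODE="${MODE:-audit}"
RIGHT="system.login.console"
MECHANISM="Escrow Buddy:Invoke,privileged"
BUNDLE_PATH="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
AUTHDB_SETUP="$BUNDLE_PATH/Contents/Resources/AuthDBSetup.sh"

# Succeeds if the authdb right dumped on stdin (plist XML, as printed by
# `security authorizationdb read`) contains the mechanism as a whole <string>
# element, so a bare substring elsewhere in the plist does not count.
authdb_has_mechanism() {
    grep -qF "<string>$MECHANISM</string>"
}

# Pure classification so it can be checked offline: $1 is "yes"/"no" for the
# bundle directory being present, stdin is the authdb dump for the right.
#   active   - bundle installed and mechanism present: nothing to do
#   inactive - bundle installed but mechanism gone: authdb was reset, repairable
#   missing  - bundle absent: the Custom App item, not this item, must fix that
classify_state() {
    if [ "$1" != "yes" ]; then
        echo "missing"
    elif authdb_has_mechanism; then
        echo "active"
    else
        echo "inactive"
    fi
}

audit() {
    local installed="no" state
    [ -d "$BUNDLE_PATH" ] && installed="yes"
    state="$(/usr/bin/security authorizationdb read "$RIGHT" 2>/dev/null | classify_state "$installed")"
    echo "Escrow Buddy authdb state: $state"
    # Fail (and so trigger remediation) only for the state AuthDBSetup.sh can repair.
    [ "$state" != "inactive" ]
}

remediate() {
    if [ ! -f "$AUTHDB_SETUP" ]; then
        echo "AuthDBSetup.sh not found at $AUTHDB_SETUP; install Escrow Buddy first." >&2
        return 1
    fi
    /bin/bash "$AUTHDB_SETUP" || return 1
    # Re-read the right instead of trusting the setup script's exit status alone.
    /usr/bin/security authorizationdb read "$RIGHT" 2>/dev/null | authdb_has_mechanism
}

# Constructed, abridged authdb dumps for sanity-checking the classifier offline;
# a real dump lists many more mechanisms and keys.
SAMPLE_AUTHDB_ACTIVE='<plist version="1.0"><dict><key>mechanisms</key><array>
<string>builtin:policy-banner</string>
<string>loginwindow:login</string>
<string>Escrow Buddy:Invoke,privileged</string>
<string>loginwindow:done</string>
</array></dict></plist>'
SAMPLE_AUTHDB_RESET='<plist version="1.0"><dict><key>mechanisms</key><array>
<string>builtin:policy-banner</string>
<string>loginwindow:login</string>
<string>loginwindow:done</string>
</array></dict></plist>'

# Dispatch only where /usr/bin/security exists (macOS); elsewhere the file just
# defines the functions above so they can be exercised against the samples.
if [ -x /usr/bin/security ]; then
    case "$MODE" in
        audit)     audit ;;
        remediate) remediate ;;
        *)         echo "MODE must be audit or remediate" >&2; exit 2 ;;
    esac
fi
```

The audit deliberately passes when the bundle itself is missing: re-running AuthDBSetup.sh cannot help there, and flagging it would make this item fight the Custom App item that owns installation. The remediation re-reads the right after running the setup script so a silent failure shows up as a remediation failure in Iru rather than as a Mac that stops generating keys at next login.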

Removal

To uninstall Escrow Buddy using Iru, create a once-per-computer Library Item that runs the uninstall script linked here.

Other Iru tips

Getting Escrow Buddy version

[!NOTE] HELP WANTED: If you're an Iru admin, please consider contributing to this section.

Speeding up time between key generation and escrow

This blog post describes how to trigger kandji update-mdm immediately after a new FileVault key has been generated and is ready to be escrowed, rather than waiting for the next check-in.

Detecting escrow recidivism

[!NOTE] HELP WANTED: If you're an Iru admin, please consider contributing to this section.

Tracking FileVault escrow metrics

[!NOTE] HELP WANTED: If you're an Iru admin, please consider contributing to this section.