Kandji - macadmins/escrow-buddy GitHub Wiki
Deployment
For initial deployment of Escrow Buddy, Kandji administrators can follow this template:
Library Item: FileVault
Ensure the Escrow Recovery Keys to Kandji option is enabled. See this KB article for details.
NOTE: Enabling this option will present a FileVault Recovery Key "action" in the Kandji menu item. Users can either log out and let Escrow Buddy generate a new key silently upon next login, or they can follow the prompt in the Kandji menu to generate a new key by providing their password. Either way, the result will be the same: the new key will be escrowed to Kandji.
Library Item: Custom App: Escrow Buddy
This library item installs Escrow Buddy.
- Custom App Name: Escrow Buddy
- Assignment Rules: One or more Mac blueprints
- Execution Frequency: Audit and enforce
- Audit Script:
  ```bash
  #!/bin/bash
  # Exit non-zero (audit failure) when the Escrow Buddy bundle is not installed.
  BUNDLE_PATH="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
  [ -d "$BUNDLE_PATH" ] || exit 1
  ```
- Package: Latest Escrow Buddy package downloaded from this page
- Restart after successful install: No
See this Kandji KB for details.
Authorization database maintenance
Some macOS updates and upgrades reset the authorization database to its default state, which will deactivate Escrow Buddy and prevent FileVault key generation upon next login. See the FAQ page for details.
To resolve this with Kandji, you can use the following:
HELP WANTED: If you're a Kandji admin, please consider contributing to this section. The ideal solution would be an audit script that detects authdb status, and a remediation script that re-runs AuthDBSetup.sh if needed.
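One possible shape for such an audit and remediation pair, as an added example that is not from the Escrow Buddy project or from Kandji. It assumes the plugin's mechanisms appear in the `system.login.console` rule as `Escrow Buddy:<mechanism>` and that AuthDBSetup.sh ships inside the installed bundle; the function names and the `SECURITY_BIN` override are hypothetical.

```shell
#!/bin/bash
# Added example (not from the Escrow Buddy project): audit and remediation
# for an authorization database that a macOS update has reset.
BUNDLE_PATH="${BUNDLE_PATH:-/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle}"
SECURITY_BIN="${SECURITY_BIN:-/usr/bin/security}"
# Assumption: mechanisms are listed as "<plugin name>:<mechanism>", with the
# plugin name equal to the bundle name minus ".bundle".
PLUGIN_PREFIX="Escrow Buddy:"

# Reads an authorization rule (XML plist) on stdin. Succeeds when at least
# one mechanism entry belongs to the Escrow Buddy plugin.
rule_has_escrow_buddy() {
    grep -q "<string>${PLUGIN_PREFIX}[^<]*</string>"
}

# Returns 0 = active, 1 = bundle not installed, 2 = installed but the
# system.login.console rule no longer references the plugin.
audit() {
    [ -d "$BUNDLE_PATH" ] || return 1
    "$SECURITY_BIN" authorizationdb read system.login.console 2>/dev/null |
        rule_has_escrow_buddy || return 2
}

# Re-runs AuthDBSetup.sh, then re-audits. Assumption: the script ships inside
# the bundle, so it is located by name rather than by a hard-coded path.
remediate() {
    setup=$(find "$BUNDLE_PATH" -type f -name AuthDBSetup.sh 2>/dev/null | head -n 1)
    [ -n "$setup" ] || { echo "AuthDBSetup.sh not found in bundle" >&2; return 1; }
    bash "$setup" && audit
}

# Constructed rule fragments (not real output) for an offline check.
selftest() {
    echo '<string>Escrow Buddy:Invoke,privileged</string>' | rule_has_escrow_buddy &&
        ! echo '<string>loginwindow:done</string>' | rule_has_escrow_buddy
}

# Mode comes from the first argument so the file runs unchanged; in Kandji,
# end the Audit Script with "audit" and the Remediation Script with "remediate".
case "${1:-}" in
    audit)     audit;     exit $? ;;
    remediate) remediate; exit $? ;;
    selftest)  selftest;  exit $? ;;
esac
```

Both modes need root, because reading the bundle is unprivileged but AuthDBSetup.sh modifies the authorization database.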
Removal
To uninstall Escrow Buddy using Kandji, you can use a once-per-computer Library Item with the uninstall script here attached.
Other Kandji tips
Getting Escrow Buddy version
HELP WANTED: If you're a Kandji admin, please consider contributing to this section.
Speeding up time between key generation and escrow
This blog post provides a method of triggering `kandji update-mdm` immediately after new FileVault keys are generated and ready to escrow.
Detecting escrow recidivism
HELP WANTED: If you're a Kandji admin, please consider contributing to this section.
Tracking FileVault escrow metrics
HELP WANTED: If you're a Kandji admin, please consider contributing to this section.