Mosyle - macadmins/escrow-buddy GitHub Wiki

Deployment

For initial deployment of Escrow Buddy, Mosyle administrators can follow this template:

Profile: Security & Privacy

This profile ensures that any new FileVault key is escrowed to Mosyle at the next MDM protocol check-in.

  • Security & Privacy
  • Configure the FileVault tab
    • Remember to also either configure the additional tabs (General/Firewall) or select "Do not configure the options on this tab"
  • Require FileVault
    • Select an option that will create a "personal FileVault recovery key"
    • Check the box to "Escrow personal Recovery Key"
  • Enter an Escrow Location Description (e.g. "Mosyle")
  • Set your deferred enablement settings as desired
    • Consider how this setting interacts with any Criteria Groups you configure. You may wish to set "Maximum number of times FileVault can be skipped" to 0 and enable "Ask at login" so that enablement is forced at the device's first reboot.
  • Assign your profile as appropriate for your environment.

Criteria Group: Devices with FileVault Enabled and No Key Escrowed

This is a suggested Criteria Group that dynamically populates with every device for which the Mosyle server does not hold an escrowed key.

At the time of writing, Mosyle Criteria Groups update only once every 24 hours.

  • Required Criteria - Last Update Info - leave as default ("is/was on or after" Now), or, to populate the group immediately, set "is/was on or after" to a date in the distant past such as 01/01/2000
  • Your Criteria - FDE Personal Recovery Key - is not - Escrowed

There are other useful Criteria you may wish to use to achieve proper scoping.

  • FileVault Encryption - is - Enabled

  • First Enroll Date - is/was before X day(s) ago - 2

  • A Custom Command that runs at every check-in and reports whether FileVault is enabled and whether a profile instructing the Mac to escrow the key is installed.

    #!/bin/bash
    # Reports FileVault state and, when FileVault is on, whether an escrow profile is installed.
    FDE_STATUS=$(/usr/bin/fdesetup status)
    ESCROW_PLIST="/var/db/ConfigurationProfiles/Settings/com.apple.security.FDERecoveryKeyEscrow.plist"
    
    echo -n "$FDE_STATUS "
    
    # fdesetup may print additional lines (encryption progress, deferred enablement),
    # so match the first line rather than comparing the whole output.
    if ! printf '%s\n' "$FDE_STATUS" | grep -q '^FileVault is On\.'; then
        exit 0
    fi
    
    # The profile's Location key holds the Escrow Location Description set in the profile.
    if [ -f "$ESCROW_PLIST" ]; then
        echo "Key Set to be Escrowed to: $(/usr/bin/defaults read "$ESCROW_PLIST" Location)"
    else
        # No escrow instruction is installed, so a new key would not reach Mosyle.
        echo "KEY NOT ESCROWED"
    fi
    
    exit 0

Installing Escrow Buddy

NOTE: A scripted installation is recommended over using Mosyle's InstallPKG profile. The Escrow Buddy pkg does not contain an app bundle. As a result, the InstallPKG profile will never show the proper installation status. This is a Mosyle limitation at the time of writing this guide.

via Installomator

If you use Installomator and have it deployed locally to your devices, you can use this one-liner to install Escrow Buddy:

/usr/local/Installomator/Installomator.sh escrowbuddy NOTIFY=silent INSTALL=force

Using INSTALL=force reinstalls even when the installed version already matches, which re-runs the installer and helps with the issue described in the "Authorization database maintenance" section below.

The escrowbuddy label is available in Installomator v10.5 and newer.

via Mosyle CDN and Bash Script

Mosyle support can provide you with a generic script to install PKGs upon request. Alternatively, you can use a community script like this to script the download and installation of Escrow Buddy while hosting the PKG on your CDN.

Custom Command: Configure Escrow Buddy to regenerate FileVault key at next login

This command sets the preference that tells Escrow Buddy to generate a new key at the next login. Every time the command runs it re-arms that preference, so a Mac that stays in scope will get a new key at each subsequent login as well.

Custom Command:

defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true

Alternatively, add this line to the end of your Installomator or Custom Command PKG installation script.

  • Assignment for remediation: "Devices with FileVault Enabled and No Key Escrowed" smart group (see above)
  • Execution Settings for remediation:
    • Only based on schedule or events
    • On custom date(s)
      • The admin should decide the best schedule for their own environment.
      • Likely you only want this to run once every few days, or once per week.
  • Assignment for one-off key rotation: "All Computers" or as needed
  • Execution settings for one-off key rotation:
    • Every "Device Info" update
    • Only once (Event Required)
      • You will need to purge the results of the Custom Command for any individual device before this will run a second time.

Authorization database maintenance

Some macOS updates and upgrades reset the authorization database to its default state, which will deactivate Escrow Buddy and prevent FileVault key generation upon next login. See the FAQ page for details.

To resolve this with Mosyle, you can use the following:

Device attribute: Escrow Buddy authdb status

Create a Custom Command named: "Escrow Buddy authdb Enabled"

This Custom Command can be set to "Show the command response as an attribute on Device Info" in order to determine whether Escrow Buddy is correctly configured in the macOS authorization database.

#!/bin/bash
# Reports whether Escrow Buddy is installed and whether its mechanism is still
# present in the system.login.console authorization right.

escrowBuddyBundle="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
dbEntry="<string>Escrow Buddy:Invoke,privileged</string>"

if [ -d "$escrowBuddyBundle" ]; then
    echo -n "Installed - "
    # The right is printed as XML, so a fixed-string match on the mechanism entry suffices.
    if /usr/bin/security authorizationdb read system.login.console 2>/dev/null | grep -qF "$dbEntry"; then
        echo "Auth Enabled"
    else
        echo "Auth Disabled"
    fi
else
    echo "Not Installed"
fi

Criteria Group: Escrow Buddy installed but not in authorization database

You can now configure a Criteria Group based on the response of this command. If the response is "Not Installed" or "Installed - Auth Disabled", the PKG installer should be run to remediate.

If you're automating this to ensure the tool is present on all of your devices, consider adding the Criteria First Enroll Date - is/was before X day(s) ago - 2. This allows for the 24-hour delay in updating Criteria Groups with Mosyle, so a freshly enrolled Mac is not flagged before its first installation has had a chance to run.
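The regeneration command above and the authorization database check can be combined into a single remediation Custom Command for the "Devices with FileVault Enabled and No Key Escrowed" group: it first makes sure Escrow Buddy is installed and still wired into system.login.console (reinstalling with Installomator INSTALL=force if not), and only then arms GenerateNewKey, and only when FileVault is on and an escrow profile is present so the new key would actually reach Mosyle. This is an added example, not code from the Escrow Buddy project or this wiki; the paths, preference key and authdb entry are the ones used on this page, the Installomator path and escrowbuddy label are assumed as in the one-liner above, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the Escrow Buddy wiki or project): one Custom Command that
# combines the GenerateNewKey command with the authorization database check.
#   1. If Escrow Buddy is missing, or its mechanism is absent from system.login.console,
#      reinstall it via Installomator with INSTALL=force (which re-runs the pkg postinstall).
#   2. If FileVault is on and an FDERecoveryKeyEscrow profile is installed, arm
#      GenerateNewKey so the next login produces a new key for the MDM to escrow.
# Assumed: Installomator is deployed at the path below and the escrowbuddy label exists.
# Function names are hypothetical; paths, keys and the authdb entry are from this page.

BUNDLE="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
DB_ENTRY="<string>Escrow Buddy:Invoke,privileged</string>"
ESCROW_PLIST="/var/db/ConfigurationProfiles/Settings/com.apple.security.FDERecoveryKeyEscrow.plist"
PREF_PLIST="/Library/Preferences/com.netflix.Escrow-Buddy.plist"
INSTALLOMATOR="/usr/local/Installomator/Installomator.sh"

# Decision logic kept free of macOS calls so it can be exercised off-device.
# Args: installed(yes/no) authdb(yes/no) fde_status_text escrow_profile(yes/no)
# Prints "REINSTALL", "GENERATE", "REINSTALL GENERATE" or "NONE".
plan_actions() {
    local installed="$1" authdb="$2" fde_status="$3" escrow="$4"
    local actions=""
    if [ "$installed" != "yes" ] || [ "$authdb" != "yes" ]; then
        actions="REINSTALL"
    fi
    # fdesetup status may print extra lines (encryption progress, deferred enablement),
    # so match the first line instead of comparing the whole output.
    if printf '%s\n' "$fde_status" | grep -q '^FileVault is On\.' && [ "$escrow" = "yes" ]; then
        actions="${actions:+$actions }GENERATE"
    fi
    echo "${actions:-NONE}"
}

apply_plan() {
    local action
    for action in $1; do
        case "$action" in
            REINSTALL)
                # INSTALL=force reinstalls even when the version already matches, so the
                # postinstall runs again and restores the authorization database entry.
                "$INSTALLOMATOR" escrowbuddy NOTIFY=silent INSTALL=force ;;
            GENERATE)
                /usr/bin/defaults write "$PREF_PLIST" GenerateNewKey -bool true
                # Read back so the command response records the effective value (1 = true).
                echo "GenerateNewKey=$(/usr/bin/defaults read "$PREF_PLIST" GenerateNewKey)" ;;
            NONE)
                echo "Nothing to do" ;;
        esac
    done
}

# Only touch the system on a real Mac and as root (Custom Commands run as root);
# anywhere else the script just defines the functions above.
if [ -x /usr/bin/fdesetup ] && [ "$(id -u)" = "0" ]; then
    INSTALLED=no; AUTHDB=no; ESCROW=no
    [ -d "$BUNDLE" ] && INSTALLED=yes
    /usr/bin/security authorizationdb read system.login.console 2>/dev/null | grep -qF "$DB_ENTRY" && AUTHDB=yes
    [ -f "$ESCROW_PLIST" ] && ESCROW=yes
    FDE="$(/usr/bin/fdesetup status 2>/dev/null)"
    echo "installed=$INSTALLED authdb=$AUTHDB escrow_profile=$ESCROW fde=\"$(printf '%s\n' "$FDE" | head -n 1)\""
    PLAN="$(plan_actions "$INSTALLED" "$AUTHDB" "$FDE" "$ESCROW")"
    echo "plan=$PLAN"
    apply_plan "$PLAN"
fi
```

Because the reinstall only fires when the bundle or its authdb entry is missing, the command is safe to run on the schedule suggested above; the reinstall happens before the preference write, so a Mac whose authorization database was reset by an update is repaired in the same pass that arms key generation. The state and plan lines land in the command response, which makes it easy to see why a given Mac did nothing (for example, escrow_profile=no).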

Removal

To uninstall Escrow Buddy using Mosyle, you can copy/paste this entire script into a Custom Command and set whatever Execution is appropriate. Be sure to choose "Only Once".

Other Mosyle tips

Getting Escrow Buddy version

Default Mosyle app inventory collection does not collect versions of non-app bundles like authorization plugins. You can use this Custom Command to retrieve the installed version of Escrow Buddy.

#!/bin/bash

BUNDLE_PATH="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
VERSION_KEY="CFBundleShortVersionString"

if [ -f "$BUNDLE_PATH/Contents/Info.plist" ]; then
    RESULT=$(defaults read "$BUNDLE_PATH/Contents/Info.plist" "$VERSION_KEY")
else
    RESULT="Not Installed"
fi

echo "$RESULT"

Detecting escrow issues

At this time, there is no method provided by Mosyle to programmatically verify that escrowed FileVault keys are valid.
