Troubleshooting - macadmins/escrow-buddy GitHub Wiki

If Escrow Buddy is not working as expected for you, here are some items to consider before reaching out for help. Also check our FAQ page for some useful tips, including how to retrieve Escrow Buddy logs.

Is the plugin properly installed and configured?

The following indicators will be present on Macs when Escrow Buddy is installed and configured:

  • The Escrow Buddy bundle is installed at /Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle

  • The output of /usr/bin/security authorizationdb read system.login.console contains the following line:

      <string>Escrow Buddy:Invoke,privileged</string>
    
  • On a Mac with no valid recovery key in MDM, the output of defaults read /Library/Preferences/com.netflix.Escrow-Buddy GenerateNewKey should be 1 (true)

Is the plugin up to date?

You can check which version of the Escrow Buddy bundle is installed with this command:

defaults read /Library/Security/SecurityAgentPlugins/Escrow\ Buddy.bundle/Contents/Info.plist CFBundleShortVersionString

The above could be incorporated into a device fact or extension attribute in your management framework, if you choose.

You can also use this command to output the date/time Escrow Buddy was most recently installed:

date -r $(pkgutil --pkg-info com.netflix.Escrow-Buddy | awk '/install-time/{print $NF}')

Is the user logging in FileVault-authorized?

Escrow Buddy will only generate a new key upon login if the user who is logging in is FileVault-authorized. The list of FileVault-authorized users can be viewed using this command:

sudo fdesetup list
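The checks in the three sections above (bundle present, authorization mechanism registered, GenerateNewKey state, installed version and install time, console user FileVault-authorized) can be collected in one read-only script. The following is an added example, not Escrow Buddy's own code: it assumes you want the one-line `<result>…</result>` shape a Jamf extension attribute expects (any other framework can consume the same line), that it runs as root from your management agent, and that the user of interest is whoever owns /dev/console. The parsing helpers take captured command output on stdin so they can be exercised without touching a live Mac.

```shell
#!/bin/bash
# Added example (not part of Escrow Buddy): one-line health report for the
# indicators the troubleshooting page lists. Run as root on the Mac.

BUNDLE="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
PREFS="/Library/Preferences/com.netflix.Escrow-Buddy"
PKG_ID="com.netflix.Escrow-Buddy"
MECHANISM="Escrow Buddy:Invoke,privileged"

# Succeeds if the system.login.console plist text on stdin lists the mechanism.
has_mechanism() {
    grep -q "<string>${MECHANISM}</string>"
}

# Prints the epoch from the "install-time:" line of `pkgutil --pkg-info`
# output on stdin; prints nothing if the receipt text has no such line.
install_epoch() {
    awk '/^install-time:/ {print $NF}'
}

# Succeeds if `fdesetup list` output on stdin (one "user,UUID" per line) names $1.
is_filevault_user() {
    grep -q "^$1,"
}

# Maps the raw GenerateNewKey value to a readable state. An empty value means
# the key is absent from the preference file, i.e. no new key was requested.
key_state() {
    case "$1" in
        1)  echo "new key pending" ;;
        0)  echo "no key pending" ;;
        "") echo "GenerateNewKey unset" ;;
        *)  echo "unexpected GenerateNewKey value: $1" ;;
    esac
}

# Builds the report line from already-collected facts:
# $1 bundle present, $2 mechanism present, $3 version, $4 install date,
# $5 raw GenerateNewKey value, $6 console user FileVault-authorized.
summarize() {
    printf '<result>bundle=%s mechanism=%s version=%s installed=%s state=%s console_user_fv=%s</result>\n' \
        "$1" "$2" "$3" "$4" "$(key_state "$5")" "$6"
}

# Collects the live values on macOS (needs root for fdesetup and the prefs file).
run_live_check() {
    bundle=no; mech=no; version="n/a"; installed="n/a"; fv=no
    [ -d "$BUNDLE" ] && bundle=yes
    if /usr/bin/security authorizationdb read system.login.console 2>/dev/null | has_mechanism; then
        mech=yes
    fi
    if [ "$bundle" = yes ]; then
        version=$(defaults read "$BUNDLE/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null || echo unknown)
    fi
    epoch=$(pkgutil --pkg-info "$PKG_ID" 2>/dev/null | install_epoch)
    if [ -n "$epoch" ]; then
        installed=$(date -r "$epoch" +%Y-%m-%dT%H:%M:%S)   # macOS date: -r takes seconds
    fi
    gen=$(defaults read "$PREFS" GenerateNewKey 2>/dev/null || true)
    console_user=$(stat -f %Su /dev/console)               # assumption: user to check
    if fdesetup list 2>/dev/null | is_filevault_user "$console_user"; then
        fv=yes
    fi
    summarize "$bundle" "$mech" "$version" "$installed" "$gen" "$fv"
}

# Only query the live system on macOS; the helpers above work anywhere.
if [ "$(uname)" = "Darwin" ]; then
    run_live_check
fi
```

A result with `mechanism=no` while `bundle=yes` points at the authorization database rather than the package, and `console_user_fv=no` explains a key that never gets generated at login for that user.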

Was the pre-escrow .dat file created?

After a new PRK is generated, it is encrypted with the certificate provided in the escrow profile, wrapped in a CMS envelope, and stored at /var/db/FileVaultPRK.dat (per Apple documentation). You can inspect the metadata of this file using this command:

openssl cms -cmsout -in /var/db/FileVaultPRK.dat -inform DER -noout -print

The output should look similar to this:

% openssl cms -cmsout -in /var/db/FileVaultPRK.dat -inform DER -noout -print
CMS_ContentInfo:
  contentType: pkcs7-envelopedData (1.2.840.113549.1.7.3)
  d.envelopedData:
    version: <ABSENT>
    originatorInfo: <ABSENT>
    recipientInfos:
      d.ktri:
        version: <ABSENT>
        d.issuerAndSerialNumber:
          issuer: CN=PretendCo JSS Built-in Certificate Authority
          serialNumber: 810123025
        keyEncryptionAlgorithm:
          algorithm: rsaEncryption (1.2.840.113549.1.1.1)
          parameter: NULL
        encryptedKey:
          0000 - aa cd 50 aa a6 dc 0d 3f-cd ed e5 b6 be 34 4e   p.P....?.....4N
          [...abridged...]
          00ff - aa                                             .
    encryptedContentInfo:
      contentType: pkcs7-data (1.2.840.113549.1.7.1)
      contentEncryptionAlgorithm:
        algorithm: des-ede3-cbc (1.2.840.113549.3.7)
        parameter: OCTET STRING:
          0000 - 26 9d aa 86 5a 35 72 1e-                       &.]aZ5r.
      encryptedContent:
        0000 - ed 5b 12 62 aa 5d 74 fe-ea ce cc 66 ca 50 60   .[.b5]ta...f.P`
          [...abridged...]
        001e - aa b1                                          .a
    unprotectedAttrs:
      <EMPTY>
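The fields worth reading in that output are the outer content type (enveloped data), the recipient's issuer and serial number, and the two algorithms; the recipient is the certificate from your escrow profile, so an issuer that does not match the certificate you deployed means your MDM will not be able to decrypt the key. The script below is an added example, not Escrow Buddy's own code: it extracts those fields from the `openssl cms ... -print` output and compares the issuer with a value you supply (EXPECTED_ISSUER is an assumed placeholder defaulting to the PretendCo issuer shown above; replace it with the issuer of the certificate in your own profile). The embedded sample is a constructed, abridged copy of the output above so the parser can be run anywhere.

```shell
#!/bin/bash
# Added example (not part of Escrow Buddy): parse the CMS metadata of the
# pre-escrow file and confirm the recipient matches the expected escrow CA.

PRK_DAT="/var/db/FileVaultPRK.dat"
# Assumption: replace with the issuer of the certificate in your escrow profile.
EXPECTED_ISSUER="${EXPECTED_ISSUER:-CN=PretendCo JSS Built-in Certificate Authority}"

# Constructed sample, abridged from the openssl output shown above.
SAMPLE_CMS_PRINT='CMS_ContentInfo:
  contentType: pkcs7-envelopedData (1.2.840.113549.1.7.3)
  d.envelopedData:
    recipientInfos:
      d.ktri:
        d.issuerAndSerialNumber:
          issuer: CN=PretendCo JSS Built-in Certificate Authority
          serialNumber: 810123025
        keyEncryptionAlgorithm:
          algorithm: rsaEncryption (1.2.840.113549.1.1.1)
    encryptedContentInfo:
      contentType: pkcs7-data (1.2.840.113549.1.7.1)
      contentEncryptionAlgorithm:
        algorithm: des-ede3-cbc (1.2.840.113549.3.7)'

# Reads `openssl cms -print` text on stdin and emits key=value lines:
# the outer content type, recipient issuer and serial, and both algorithms.
cms_fields() {
    awk '
        /^ *contentType:/ && !ct         { print "type=" $2; ct = 1 }
        /^ *issuer:/                     { sub(/^ *issuer: */, ""); print "issuer=" $0 }
        /^ *serialNumber:/               { print "serial=" $2 }
        /^ *keyEncryptionAlgorithm:/     { section = "key_alg" }
        /^ *contentEncryptionAlgorithm:/ { section = "content_alg" }
        /^ *algorithm:/ && section != "" { print section "=" $2; section = "" }
    '
}

# Succeeds if the issuer= line in the parsed fields on stdin equals $1.
issuer_matches() {
    actual=$(grep '^issuer=' | head -n 1 | cut -d= -f2-)
    [ "$actual" = "$1" ]
}

# Live check on the Mac: file present, when it was written, and who can open it.
check_prk_dat() {
    if [ ! -f "$PRK_DAT" ]; then
        echo "$PRK_DAT not found: no key generated yet, or it was already escrowed and removed"
        return 1
    fi
    echo "modified: $(stat -f %Sm "$PRK_DAT")"
    fields=$(openssl cms -cmsout -in "$PRK_DAT" -inform DER -noout -print | cms_fields)
    printf '%s\n' "$fields"
    if printf '%s\n' "$fields" | issuer_matches "$EXPECTED_ISSUER"; then
        echo "recipient matches the expected escrow certificate issuer"
    else
        echo "recipient does not match '$EXPECTED_ISSUER': check the certificate in your escrow profile"
        return 1
    fi
}

if [ "$(uname)" = "Darwin" ]; then
    check_prk_dat
else
    # Off-Mac: show what the parser extracts from the constructed sample.
    printf '%s\n' "$SAMPLE_CMS_PRINT" | cms_fields
fi
```

Compare the file's modification time with the user's last login: a stale timestamp means no new key was generated at that login, while a fresh file that never clears suggests the MDM has not yet retrieved it.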

Does the Mac have network connectivity?

If the Mac is offline at login time, the key will be stored locally until the next time the Mac connects to the Internet and communicates with your MDM.

Did your MDM retrieve the key?

New PRKs are retrieved by your MDM using the SecurityInfo command, and the timing/frequency of this command varies by MDM vendor. Contact your MDM vendor for specifics.

For example, with Jamf, the key is retrieved when a recon (inventory update) operation occurs. The key may not show as "valid" in Jamf until the next recon. (See this article for some details and example scenarios.)

Does the Mac have a broken MDM agent?

Check to ensure your Mac is still in communication with your MDM. Good indicators of this are:

  • System Settings > Privacy & Security > Profiles shows the expected profiles
  • Commands and profile installations/removals from your MDM server are not stuck in "pending" state
  • Running log stream --predicate 'process="mdmclient"' while initiating a push command from MDM shows some output

Are users being blocked from logging in?

See the Recovery page.

I've read all of the above and I'm still having a problem. How can I get help?

If you're encountering issues not addressed above or on our FAQ page, please search our issues (both open and closed) to see whether your issue has already been addressed there. If not, you can open an issue.

For a faster and more focused response, be sure to provide the following in your issue:

  • Log output (see wiki for information on retrieving logs)
  • macOS version you're deploying to
  • MDM (name and version) you're using
  • What troubleshooting steps you've already taken