Workspace ONE - macadmins/escrow-buddy GitHub Wiki
For initial deployment of Escrow Buddy, Workspace ONE administrators can follow this template. The profile below ensures all new FileVault keys are escrowed to Workspace ONE at the next MDM protocol check-in.
- Add Profile > macOS > Device > Disk Encryption
- Configure the Disk Encryption payload:
  - Recovery Key Type: "Personal"
  - Escrow Personal Recovery Key to UEM Server: Enabled
  - Most other settings can be left at their defaults or customized to your organization's needs
- Assign your profile as appropriate for your environment.
The following Sensor reports which devices do not have their key escrowed. If a device's key is not escrowed, the Sensor asks Escrow Buddy (if installed) to regenerate the key. It has been updated to reflect the VMware to Omnissa renaming.
- Sensors > Add > macOS
- Configure the Sensor:
  - Language: Bash
  - Execution Context: System
  - Response Data Type: String
- Save and assign as appropriate
  - Recommended: set Deployment Trigger to "Periodically"
```bash
#!/bin/bash
FDE_STATUS=$(fdesetup status)
ESCROW_PLIST="/var/db/ConfigurationProfiles/Settings/com.apple.security.FDERecoveryKeyEscrow.plist"
WS1_LOCATION1="VMware AirWatch"
WS1_LOCATION2="Workspace ONE UEM"
PRK_LOCATION="/var/db/FileVaultPRK.dat"
WS1_PRK_ISSUER="AwDiskEncryption"

# The FileVault state is always the first part of the Sensor value
echo -n "$FDE_STATUS "
if [ "FileVault is On." != "$FDE_STATUS" ]; then
    exit 0
fi

if [ -e "$ESCROW_PLIST" ]; then
    # Verify the escrow location is set to Workspace ONE
    escrowLocation=$(defaults read "$ESCROW_PLIST" Location)
    if [[ "$escrowLocation" == "$WS1_LOCATION1" || "$escrowLocation" == "$WS1_LOCATION2" ]]; then
        # Verify a key has been generated for the WS1 escrow certificate:
        # the CMS issuer of the PRK file shows which certificate it was encrypted to
        prkIssuer=$(/usr/bin/openssl cms -cmsout -in "$PRK_LOCATION" -inform DER -noout -print | /usr/bin/grep "issuer:")
        if [[ "$prkIssuer" = *"$WS1_PRK_ISSUER"* ]]; then
            # Key is escrowed properly
            echo "Key Set to be Escrowed to: $escrowLocation"
        else
            # Key is not escrowed properly
            echo "KEY NOT ESCROWED"
            ## ENFORCES KEY REGENERATION VIA ESCROW BUDDY
            # Check if Escrow Buddy is installed
            escrowBuddyBundle="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
            if [ -d "$escrowBuddyBundle" ]; then
                # Request Escrow Buddy to regenerate a new key at next login
                defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
                echo "Escrow Buddy GenerateNewKey Flag Enabled"
            fi
        fi
    else
        # Key is using the wrong location - WS1 profile not installed
        echo "Key not set to escrow to WS1"
    fi
else
    # FDERecoveryKeyEscrow profile is missing
    echo "FDERecoveryKeyEscrow Profile Not Installed"
fi
exit 0
```

Possible Sensor values and their meaning:
- FileVault is Off.
  - FileVault has not been enabled on the device. Ensure you have deployed the Disk Encryption profile.
- FileVault is On. Key Set to be Escrowed to: Workspace ONE UEM
  - FileVault is enabled and the key is being escrowed to WS1 properly (GOOD STATE)
- FileVault is On. KEY NOT ESCROWED
  - FileVault is enabled and the key is not being escrowed to WS1 properly
- FileVault is On. KEY NOT ESCROWED Escrow Buddy GenerateNewKey Flag Enabled
  - FileVault is enabled and the key is being escrowed to WS1 properly, but Escrow Buddy has been set to regenerate the key
- FileVault is On. Key not set to escrow to WS1
  - FileVault is enabled and the key is being escrowed, but not to WS1. Perhaps a prior MDM if the device has been migrated. Ensure you have configured the Disk Encryption profile properly.
- FileVault is On. FDERecoveryKeyEscrow Profile Not Installed
  - FileVault is enabled, but no recovery key has been set to be escrowed. Ensure you have configured the Disk Encryption profile properly.
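As an added example (not part of this wiki or the Escrow Buddy project), the Sensor's branching above factored into a function of the values it observes, so the exact result strings that Freestyle criteria and reports key on can be checked on any machine without fdesetup, the escrow plist or the PRK file. The argument layout and the yes/no flags are assumptions of this example; the real Sensor prints the Escrow Buddy line on its own line.

```shell
# Added example, not from the wiki or the Escrow Buddy project: the Sensor's
# decision logic as a pure function so its result strings can be checked offline.
# Arguments (assumed layout for this example):
#   $1 output of "fdesetup status"
#   $2 "yes" if the FDERecoveryKeyEscrow plist exists, else "no"
#   $3 Location value read from that plist
#   $4 issuer line from "openssl cms ... -print" on /var/db/FileVaultPRK.dat
#   $5 "yes" if the Escrow Buddy bundle is installed, else "no"
escrow_state() {
    fde_status="$1"; plist_present="$2"; location="$3"; issuer="$4"; eb_present="$5"

    # Anything other than "FileVault is On." is reported as-is; no further checks run
    if [ "$fde_status" != "FileVault is On." ]; then
        echo "$fde_status"
        return 0
    fi
    # No escrow payload from any MDM
    if [ "$plist_present" != "yes" ]; then
        echo "$fde_status FDERecoveryKeyEscrow Profile Not Installed"
        return 0
    fi
    # Escrow payload present but pointing at a different MDM (e.g. before a migration)
    case "$location" in
        "VMware AirWatch"|"Workspace ONE UEM") ;;
        *) echo "$fde_status Key not set to escrow to WS1"; return 0 ;;
    esac
    # The CMS issuer of the PRK file shows which escrow certificate the key was encrypted to
    case "$issuer" in
        *AwDiskEncryption*)
            echo "$fde_status Key Set to be Escrowed to: $location" ;;
        *)
            if [ "$eb_present" = "yes" ]; then
                # The real Sensor also writes GenerateNewKey to the Escrow Buddy plist here
                echo "$fde_status KEY NOT ESCROWED Escrow Buddy GenerateNewKey Flag Enabled"
            else
                echo "$fde_status KEY NOT ESCROWED"
            fi ;;
    esac
}

# Constructed sample: a migrated device whose PRK was generated for the previous MDM
escrow_state "FileVault is On." yes "Workspace ONE UEM" "issuer: CN=OldMDM Escrow" no
```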
- Download the latest Escrow Buddy package from this page
- Once you have downloaded the pkg, parse it using the Workspace ONE Admin Assistant
- Upload the output (pkg and plist) to WS1 under Resources > Apps > Native
- Configure the following scripts:
  - Install Check Script
```bash
#!/bin/bash
target_version=1.0.0
appName="Escrow Buddy"
escrowBuddyBundle="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
dbEntry="<string>Escrow Buddy:Invoke,privileged</string>"
VERSION_KEY="CFBundleShortVersionString"

# Check if Escrow Buddy is installed first
if [ -f "$escrowBuddyBundle/Contents/Info.plist" ]; then
    # Get the current version of Escrow Buddy
    current_version=$(defaults read "$escrowBuddyBundle/Contents/Info.plist" "$VERSION_KEY")
    echo "current version: $current_version"

    # Convert a dotted version number into a single comparable integer
    version() { echo "$@" | /usr/bin/awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; }

    # Compare with the version we want to install
    if [ "$(version "$current_version")" -lt "$(version "$target_version")" ]; then
        # Installed version is older than the target - install
        echo "Install $appName"
        exit 0
    else
        # Installed version is the same as or newer than the target
        echo "$appName is installed"
        # Check whether the authorization database still references the plugin
        if /usr/bin/security authorizationdb read system.login.console 2>/dev/null | grep -qF "$dbEntry"; then
            echo "Auth Enabled"
            exit 1
        else
            echo "Auth Disabled - reinstall"
            exit 0
        fi
    fi
else
    # Escrow Buddy is not installed - need to install
    echo "Install $appName"
    exit 0
fi
```
  - Uninstall Script
- Assign the app as appropriate for your environment with the following settings:
  - App Delivery Method: Auto
  - Display in App Catalog: Disabled
  - Remove on Unenroll: Enabled
  - Desired State Management: Enabled
Upgrades (and reinstalls when the authorization database entry is missing) are handled automatically through the Install Check Script and Desired State Management within Workspace ONE.
Because the uninstall script is provided in the package deployment details of Workspace ONE, whenever the app is removed (admin initiated, MDM removed, Freestyle, etc.) it is removed properly using that script.
If you have Freestyle Orchestrator enabled in your environment, consider using it to assign the app to devices:
- Use the Sensor value "FileVault is On. KEY NOT ESCROWED" as the criteria for the app install
- With this method, also remove the following lines from the Sensor script and add them to the app's post-install script:

```bash
## ENFORCES KEY REGENERATION VIA ESCROW BUDDY
# Check if Escrow Buddy is installed
escrowBuddyBundle="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
if [ -d "$escrowBuddyBundle" ]; then
    # Request Escrow Buddy to regenerate a new key at next login
    defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
    echo "Escrow Buddy GenerateNewKey Flag Enabled"
fi
```