FileVault recovery key redirection profile changes in macOS High Sierra
For macOS Sierra and earlier, Apple had a dedicated FileVault Recovery Key Redirection profile payload for FileVault recovery key redirection. This profile was designed to work with a mobile device management (MDM) server, to allow the MDM server to act as a recovery key escrow service and store FileVault personal recovery keys.
Note: Jamf Pro will be used as the example MDM server in this post. However, similar functionality is available in other MDM services.
On macOS High Sierra, this FileVault Recovery Key Redirection profile payload no longer works. In its place, Apple has added new Enable Escrow Personal Recovery Key settings to the FileVault section of the existing Security profile payload.
Adding the recovery key redirection to the Security payload may cause issues in some environments, as the Security profile payload has other settings which those environments may prefer to manage separately, or not manage at all.
For those who prefer to manage FileVault recovery key redirection separately from the other settings managed by the Security payload, it is possible to create a profile (with some manual editing) which only manages FileVault recovery key redirection. For more details, see below the jump.
The first thing to do is to create a new profile (which should not be assigned to any Macs) and configure the Security profile payload with the desired recovery settings on your MDM server.
Once the profile is configured as desired, download a copy of the profile to your workstation. After downloading, the profileĀ can be edited to include only those settings which manage the FileVault recovery key redirection. To help with figuring out the appropriate settings, I have a sample profile available below.
Note: As currently set up, the sample profile doesn’t redirect recovery keys. It needs the relevant payload content (specifically the FileVault2Comm.cer certificate payload) from the Security profile created by your own MDM server:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
<plist version="1.0"> | |
<dict> | |
<key>PayloadContent</key> | |
<array> | |
<dict> | |
<key>EncryptCertPayloadUUID</key> | |
<string>6D43BA68-7D93-4AF2-8C2A-704928872825</string> | |
<key>PayloadDescription</key> | |
<string></string> | |
<key>PayloadDisplayName</key> | |
<string>Company FileVault Recovery Key Redirection</string> | |
<key>PayloadEnabled</key> | |
<true/> | |
<key>PayloadIdentifier</key> | |
<string>com.company.fv2keyredirection.payload</string> | |
<key>PayloadOrganization</key> | |
<string>Company Name</string> | |
<key>PayloadType</key> | |
<string>com.apple.security.FDERecoveryKeyEscrow</string> | |
<key>PayloadUUID</key> | |
<string>76739088-CFEF-47CF-B42A-90C305441A5F</string> | |
<key>PayloadVersion</key> | |
<integer>1</integer> | |
<key>Location</key> | |
<string>jamfpro.server.address.here</string> | |
</dict> | |
<dict> | |
<key>PayloadCertificateFileName</key> | |
<string>FileVault2Comm.cer</string> | |
<key>PayloadContent</key> | |
<data> | |
MIIGJTCCBA2gAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBsjELMAkGA1UEBhMCRlIx | |
DzANBgNVBAgMBkFsc2FjZTETMBEGA1UEBwwKU3RyYXNib3VyZzEYMBYGA1UECgwP | |
d3d3LmZyZWVsYW4ub3JnMRAwDgYDVQQLDAdmcmVlbGFuMS0wKwYDVQQDDCRGcmVl | |
bGFuIFNhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIjAgBgkqhkiG9w0BCQEW | |
E2NvbnRhY3RAZnJlZWxhbi5vcmcwHhcNMTIwNDI3MTA1NDQwWhcNMjIwNDI1MTA1 | |
NDQwWjB8MQswCQYDVQQGEwJGUjEPMA0GA1UECAwGQWxzYWNlMRgwFgYDVQQKDA93 | |
d3cuZnJlZWxhbi5vcmcxEDAOBgNVBAsMB2ZyZWVsYW4xDDAKBgNVBAMMA2JvYjEi | |
MCAGCSqGSIb3DQEJARYTY29udGFjdEBmcmVlbGFuLm9yZzCCAiIwDQYJKoZIhvcN | |
AQEBBQADggIPADCCAgoCggIBAMI/QxRK1N1DWrlDXi27iaEXGPeuR0t69NTco+G3 | |
hToQIOu8URjYiyXGBJVPgOkFXAD0fCN70a2BWPGdQ8M37n9hA7X/KbsQGvuod5eb | |
3kx9P8r/U4w3MLaI8g6+fNySdslfIpYZC5HqnBiWn0PRnSKe2cMSn4AFhR9wu4dd | |
Y8FaUT1+aT12bbBW6ts/rvDNDBlIsfLVLuf6Et0VvIzcCcImnNwiUo7IHMHNAb0a | |
JMW+TxgI895ZHI9jpmMdT1qSaHpJlCZU0YO+FuRej3MvgTo6MID9V6l/G3vlD2wB | |
aPcfRUn+BjwIV2QnpQtVGLcwvghFcIvNQ+r8gB4DXMNSjalVU1X0YS6LUGRqMKdv | |
vbiAEu5mmNh4X6D1ZWpt9QnMYk1VVoAhdUhzTbnj+R2WySxdeU08xXqehP+dx5SH | |
Cj5pgdJ/wF9nnAaMM1yjn1LnBMfTge+ydx7QVx8fkKVpwA1DxfamfvfqRXxgtmgf | |
ZFncYDPCE4y3BsIqzcwrAt6i6XAM23n+zutewAbrdkMJ4CrH7h5qr2BJczyoU4zh | |
OSznnv79RCDwhZof68dAyFuQQ+ahagBQS3NzcsU5dxMePJW+qTdq0U40PTTsh/ge | |
bOfci3+O0Tx4wuIJk9fAaK5wgbnw0PcmpOLAEh0vAWPrUwXLqttmsPsWm+fnvsNm | |
2lzJAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wg | |
R2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSc0nFQNfcQQ93oznUpo1Nd | |
EaeoOzAfBgNVHSMEGDAWgBQjbC09PildeLhsPqriuy4ebIfyUzANBgkqhkiG9w0B | |
AQUFAAOCAgEAw7CkgvVk5U6g5XRexD3QnPdO942viy6AWWO1bi8QW2bWKSrK4gEg | |
aOEr/9bh4fKm4Mz1j59ccrj6gXZ9XO5gKeXX3o9KnFU+5Sccdrw15xaAbzJ3/Veu | |
UYf7vsKhzHaaYQHJ/4YA/9GWzf8sD0ieroPY39R4HUw3h/VYXSbGyhbN+hYdb0Ku | |
V0qZRVKAXBx2Qqj48xWcGz42AeAJXtgZse2g7zvHCaeqX7YtwSCEmyyHGis13p6c | |
DNkMXs9RONbWgK6RFbXGIt9+F5/D67/91TtL6mYAcqC1t2WoWtmo8WfBQdh53cwv | |
eHqeXgqddw5ZUknSEJQc6/Q8BA48HBp1pugj1fBzFJCxcVoyV40012ph3HMa2h0f | |
Vqcu7w2k9fuUC/TPHdIQDwfNup14h+gEY2rlemsgvb0pwjlb/IaEdwvj+Cw3rK8b | |
7U+51gijrC8xB0r4js8R3ZIcyarHpbdipHduWCB4F8te721B67bCH3+h3vq7cZIg | |
3rFeNIRs7WzhQ4YT8D/XLcW6wN43jUi838dPs6al5cLb8e/bDCVp5liNunK9Xj/P | |
gTa2q+6oZ4/uu/5vyR+KH+/pyXpSQK2gPyNFemOVmD0SuOLzC4gQOARosPGni9Bh | |
1w8vzxdRIet2aS0Z6AHFM/1hzUZkh4lD6THQvoigooIMf59mQTqaWmo= | |
</data> | |
<key>PayloadDescription</key> | |
<string></string> | |
<key>PayloadDisplayName</key> | |
<string>JSS FileVault Recovery Key Redirection Certificate</string> | |
<key>PayloadEnabled</key> | |
<true/> | |
<key>PayloadIdentifier</key> | |
<string>com.apple.security.pkcs1.6D43BA68-7D93-4AF2-8C2A-704928872825</string> | |
<key>PayloadOrganization</key> | |
<string>Company Name</string> | |
<key>PayloadType</key> | |
<string>com.apple.security.pkcs1</string> | |
<key>PayloadUUID</key> | |
<string>6D43BA68-7D93-4AF2-8C2A-704928872825</string> | |
<key>PayloadVersion</key> | |
<integer>1</integer> | |
</dict> | |
</array> | |
<key>PayloadDescription</key> | |
<string>This makes sure your FileVault recovery key is stored in the Company client management system.</string> | |
<key>PayloadDisplayName</key> | |
<string>Company FileVault Key Redirection</string> | |
<key>PayloadEnabled</key> | |
<true/> | |
<key>PayloadIdentifier</key> | |
<string>com.company.fv2keyredirection</string> | |
<key>PayloadOrganization</key> | |
<string>Company Name</string> | |
<key>PayloadRemovalDisallowed</key> | |
<true/> | |
<key>PayloadScope</key> | |
<string>System</string> | |
<key>PayloadType</key> | |
<string>Configuration</string> | |
<key>PayloadUUID</key> | |
<string>64A8726A-4FC3-4826-A2F4-7A466CABFB38</string> | |
<key>PayloadVersion</key> | |
<integer>1</integer> | |
</dict> | |
</plist> |
Once the profile has been edited and all settings have been verified:
- Upload the profile to your MDM server
- Deploy the profile to a test Mac
- Rotate the FileVault personal recovery key on the test Mac to verify that redirection is working as desired.
To make sure that the MDM server does not try to alter the edited FileVault recovery key redirection profile, I recommend signing the profile.
Signing the profile encrypts it, which prevents the MDM from changing the profile’s contents. The MDM server can now serve out the redirection profile, but will not be able to edit it or change it in any way.
Have you tested with 10.13 and HFS disks? I have only 10.13 mac’s with APFS disks, and I am wondering which profile to scope to 10.13 Macs with HFS disks: ‘Enable Escrow Personal Recovery Key’ or ‘FileVault Recovery Key Redirection’
Yes, I’ve tested this with macOS 10.13.2 running on an HFS+ boot drive. The “FileVault Recovery Key Redirection” profile payload no longer works. Use the “Enable Escrow Personal Recovery Key” profile option.
Thanks ! that saves me to search for a Mac with HD and test it. I wanted to confirm that the method to ‘grab’ the recovery key is depending on macOS version, and not on drive format (CoreStorage/APFS).
When I try to reproduce this, Jamf Pro won’t let me save the uploaded mobileconfig file, implying that it is incomplete or has an illegal key entry. Perhaps it would be useful if you specified which payloads you *removed* from that downloaded from Jamf Pro, and what changes you made to the remaining payloads.
Also, I notice that you are not using this profile to enforce FileVault, just to escrow the key. Are you using a separate profile for enforcement, or another method?
My shop is using a separate profile for enforcement. For which payloads were removed, I would encourage you to download a copy of the profile from your own Jamf Pro server and run a diff tool against the sample profile I include in the post. The differences between the two profiles should stand out.
seeing an issue with 10.13.3 devices even after receiving the FV profile. End users are not being prompted to enter password. Have you seen this in your environment. Only applies to newly dep enrolled devices.
In the case of the JSS, be sure to either delete the existing Test profile you created, or rename your policy to something else. The new .mobileconfig will not upload properly if the existing payload is still present.
What am I doing wrong? When I download the config profile from the JSS… Its totally locked out and I can’t make any changes as its already been signed by the JSS. Apple Configurator doesnt allow any edits at all!
I had this happen too when I tried to open it in Apple Configurator. And I couldn’t open it in Xcode or another editor to edit, it complained about “The UTF-8 file āFV2Profile.mobileconfigā is damaged or incorrectly formed; please proceed with caution.”
I was referenced in the MacAdmins Slack to this article ; https://macmule.com/2015/11/16/making-downloaded-jss-configuration-profiles-readable/
I’ve followed the steps above to the best of my ability. However, when I upload my profile to the JSS, it appears that the settings under the General tab in Security & Privacy payload have not been modified (I need them excluded). Any advice?
This doesn’t appear to work anymore. I created a config in Jamf, downloaded, modified accordingly and uploaded (deleting the original first) but when I went to save Security & Privacy had 2 errors. I tried to resolve them but it just wouldn’t let me set “PERSONAL RECOVERY KEY ENCRYPTION METHOD” to Automatic. The “ESCROW LOCATION DESCRIPTION” and “RECORD NUMBER MESSAGE” fields both had “null” in them. Any ideas?