Home > FileVault 2, Jamf Pro, Management Profiles > FileVault recovery key redirection profile changes in macOS High Sierra

FileVault recovery key redirection profile changes in macOS High Sierra

For macOS Sierra and earlier, Apple had a dedicated FileVault Recovery Key Redirection profile payload for FileVault recovery key redirection. This profile was designed to work with a mobile device management (MDM) server, to allow the MDM server to act as a recovery key escrow service and store FileVault personal recovery keys.

Screen Shot 2018 01 15 at 12 40 23 PM

Note: Jamf Pro will be used as the example MDM server in this post. However, similar functionality is available in other MDM services.

On macOS High Sierra, this FileVault Recovery Key Redirection profile payload no longer works. In its place, Apple has added new Enable Escrow Personal Recovery Key settings to the FileVault section of the existing Security profile payload.

Screen Shot 2018 01 15 at 12 44 56 PM

Adding the recovery key redirection to the Security payload may cause issues in some environments, as the Security profile payload has other settings which those environments may prefer to manage separately, or not manage at all.

For those who prefer to manage FileVault recovery key redirection separately from the other settings managed by the Security payload, it is possible to create a profile (with some manual editing) which only manages FileVault recovery key redirection. For more details, see below the jump.

The first thing to do is to create a new profile (which should not be assigned to any Macs) and configure the Security profile payload with the desired recovery settings on your MDM server.

Screen Shot 2018 01 15 at 12 44 57 PM

Once the profile is configured as desired, download a copy of the profile to your workstation. After downloading, the profile can be edited to include only those settings which manage the FileVault recovery key redirection. To help with figuring out the appropriate settings, I have a sample profile available below.

Note: As currently set up, the sample profile doesn’t redirect recovery keys. It needs the relevant payload content (specifically the FileVault2Comm.cer certificate payload) from the Security profile created by your own MDM server:

Once the profile has been edited and all settings have been verified:

  1. Upload the profile to your MDM server
  2. Deploy the profile to a test Mac
  3. Rotate the FileVault personal recovery key on the test Mac to verify that redirection is working as desired.

Screen Shot 2018 01 15 at 1 15 58 PM

Screen Shot 2018 01 15 at 1 18 26 PM

To make sure that the MDM server does not try to alter the edited FileVault recovery key redirection profile, I recommend signing the profile.

Screen Shot 2018 01 15 at 1 15 59 PM

Signing the profile encrypts it, which prevents the MDM from changing the profile’s contents. The MDM server can now serve out the redirection profile, but will not be able to edit it or change it in any way.

  1. Maurits
    January 16, 2018 at 9:04 am

    Have you tested with 10.13 and HFS disks? I have only 10.13 mac’s with APFS disks, and I am wondering which profile to scope to 10.13 Macs with HFS disks: ‘Enable Escrow Personal Recovery Key’ or ‘FileVault Recovery Key Redirection’

    • January 16, 2018 at 8:33 pm

      Yes, I’ve tested this with macOS 10.13.2 running on an HFS+ boot drive. The “FileVault Recovery Key Redirection” profile payload no longer works. Use the “Enable Escrow Personal Recovery Key” profile option.

  2. Maurits
    January 18, 2018 at 8:44 am

    Thanks ! that saves me to search for a Mac with HD and test it. I wanted to confirm that the method to ‘grab’ the recovery key is depending on macOS version, and not on drive format (CoreStorage/APFS).

  3. Graham
    January 26, 2018 at 4:25 pm

    When I try to reproduce this, Jamf Pro won’t let me save the uploaded mobileconfig file, implying that it is incomplete or has an illegal key entry. Perhaps it would be useful if you specified which payloads you *removed* from that downloaded from Jamf Pro, and what changes you made to the remaining payloads.

    Also, I notice that you are not using this profile to enforce FileVault, just to escrow the key. Are you using a separate profile for enforcement, or another method?

    • January 26, 2018 at 5:59 pm

      My shop is using a separate profile for enforcement. For which payloads were removed, I would encourage you to download a copy of the profile from your own Jamf Pro server and run a diff tool against the sample profile I include in the post. The differences between the two profiles should stand out.

  4. January 28, 2018 at 9:14 am

    seeing an issue with 10.13.3 devices even after receiving the FV profile. End users are not being prompted to enter password. Have you seen this in your environment. Only applies to newly dep enrolled devices.

  5. smosher
    February 22, 2018 at 12:17 am

    In the case of the JSS, be sure to either delete the existing Test profile you created, or rename your policy to something else. The new .mobileconfig will not upload properly if the existing payload is still present.

  6. Blake
    March 16, 2018 at 7:51 am

    What am I doing wrong? When I download the config profile from the JSS… Its totally locked out and I can’t make any changes as its already been signed by the JSS. Apple Configurator doesnt allow any edits at all!

    • lashomb
      May 31, 2018 at 8:52 pm

      I had this happen too when I tried to open it in Apple Configurator. And I couldn’t open it in Xcode or another editor to edit, it complained about “The UTF-8 file “FV2Profile.mobileconfig” is damaged or incorrectly formed; please proceed with caution.”

    • Will
      June 14, 2018 at 6:43 pm

      I was referenced in the MacAdmins Slack to this article ; https://macmule.com/2015/11/16/making-downloaded-jss-configuration-profiles-readable/

  7. Will
    June 14, 2018 at 6:45 pm

    I’ve followed the steps above to the best of my ability. However, when I upload my profile to the JSS, it appears that the settings under the General tab in Security & Privacy payload have not been modified (I need them excluded). Any advice?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: