Recently, a thread on JAMF Nation brought up a question of how to enable FileVault 2 in a touchless deployment while still giving IT access to unlock the disk. This is a major part of my agile deployment methodology, so I thought it was time that I wrote up exactly how I deploy it.
I feel that a FileVault 2 implementation should meet the following requirements.
- FileVault 2 is enforced on all Macs.
- The end user’s account should be able to unlock the disk.
- IT’s account should be able to unlock the disk.
- The FileVault 2 recovery key should be stored securely.
- All of the above should happen without anyone in IT having to touch the machine.
My Macs are managed by Casper through a mix of Apple’s Device Enrollment Program and User Initiated Enrollment. In either case, the end user is responsible for unboxing the Mac and going through setup assistant, creating their user account along the way. The end user is an admin on the Mac, and I don’t care what they name their local account.
Selecting recovery keys
FileVault 2 has two options for recovery keys: personal (referred to in the JSS as individual) and institutional. I prefer personal keys for the following reasons.
- An institutional key is a single key that can be used to unlock every Mac in your organization. If this key is compromised, the entire deployment is vulnerable. Personal keys ensure that a unique key is used for every Mac, so if one key is compromised only one Mac is vulnerable.
- If a user forgets their password, the personal key can be given to them to reset their password. Because this key is unique to their machine, this key can be safely given to the user without giving them keys to unlock every other Mac in the organization.
- Personal keys can be easily and automatically changed, while institutional keys cannot. This means that a key can (and should) be changed after it is used to unlock a Mac. This change could even happen on a schedule, for example once per week.
- Having a personal key stored in the JSS will allow the JSS to have greater control over FileVault 2 than it would if an institutional key were used.
Working with FileVault 2
In order to make changes such as enabling a user account for FileVault 2, you need at least one of two things.
- A password for an account that has been enabled for FileVault 2.
- The FileVault 2 personal recovery key (an institutional key will not work for this purpose).
If you have one of the two, you can generate the other. If you don’t have either of the two, you will not be able to make changes to FileVault 2.
Because the end user’s account will be the first account enabled for FileVault 2 and we don’t know the user’s password, we must rely on getting the FileVault 2 recovery key in order to enable the local IT account.
Creating the IT account
While some seem to prefer to keep Casper’s management account and their local IT account separate, I prefer to combine them into one account for the following reasons.
- Having more accounts on a machine creates more possible entry points for unauthorized access.
- Casper has some special built-in functionality to manage aspects of the management account that don’t exist for other local accounts.
- The Casper management account can be used to manage FileVault 2 when the account is enabled for FileVault 2.
For those reasons, I feel it is not only appropriate to use Casper’s management account as the local IT account, but a best practice as well.
The local IT account is created when the Mac is enrolled into Casper. The password to this account is known only to the IT team, and is stored in a secured vault. I also prefer to hide the management account, although it is not required for this workflow.
Note: Hiding the management account will place the home directory in a hidden location, and the account won’t be visible in the Users & Groups pane in System Preferences. However, once the account is enabled for FileVault 2 it will always be visible on the FileVault 2 pre-boot login screen.
Enforcing FileVault 2 on all Macs
I use a Configuration Profile to make sure FileVault 2 is required and that recovery keys are redirected to the JSS. This is accomplished with two payloads: Security & Privacy, and FileVault Recovery Key Redirection.
In the Security & Privacy payload under the FileVault tab, Require FileVault 2 and Create individual recovery key are both enabled.
In the FileVault Recovery Key Redirection payload, I’ve set it to automatically redirect recovery keys to the JSS. Since the user’s account will be the account enabled for FileVault 2, we must have this recovery key stored in the JSS to do any manipulation of FileVault 2.
This Configuration Profile is applied during enrollment. Also during enrollment, I run a short script to configure the Mac. Most of the script has nothing to do with this workflow; however, the last thing the script does is force a logout using the following command.
kill -9 `pgrep loginwindow`
This is key, because the next time the user attempts to log in, the Configuration Profile will require FileVault 2 to be enabled.
If the user clicks cancel, they won’t be able to log in. Essentially this makes the computer unusable until FileVault 2 is enabled.
Enabling the local IT account for FileVault 2
Once the Mac reboots, it is in a state where FileVault 2 is enabled, the disk is in the process of encrypting, the user’s account is enabled for FileVault 2, and the individual recovery key is stored in the JSS. Now we just have to wait for the disk to finish encrypting before we can enable the local IT account.
In order to ensure that the local IT account is enabled for FileVault 2 as soon as possible, I run a persistent recon on any machine that isn’t encrypted. This is accomplished with a policy running on the Recurring Check-in trigger with an execution frequency of Ongoing.
The only payload in this policy is Maintenance, with Update Inventory checked.
This policy is scoped to a Smart Group looking for machines that aren’t encrypted.
This persistent recon will run every 15 minutes (unless the recurring check-in time has been changed from the default) until the Mac is encrypted. This ensures that the JSS will be able to enable the local IT account for FileVault 2 as soon as possible.
The policy to enable the local IT account for FileVault 2 is quite simple. I set the trigger to Recurring Check-in, and the execution frequency to Ongoing. I do it this way because the scope of the policy is set such that it only applies if a) the local IT account is not enabled and b) we meet all the requirements for enabling the local account. This ensures that if the local IT account ever becomes disabled for FileVault 2, it will be automatically re-enabled.
Here is what the scope of the policy looks like. Note the use of both Targets and Exclusions.
Now for the logic behind these Smart Groups.
First, the group that looks for Macs where the local IT account is not enabled for FileVault 2. This group is the scope’s target.
Next, the group that looks for Macs that don’t have a valid recovery key stored in the JSS. This group is in the scope’s exclusions. Remember that if we don’t have the password of a FileVault 2 enabled account or a valid recovery key, we can’t make changes to FileVault 2.
And finally, the group that makes sure that the partition is not currently encrypting, as I’ve found that trying to enable an account for FileVault 2 before the disk has finished encrypting yields inconsistent results. This group is also in the scope’s exclusions.
Due to the logic we’ve set up, this policy is ready to strike, just waiting for the disk to finish encrypting.
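The three Smart Group conditions above (IT account not yet enabled, a valid recovery key on hand, and encryption no longer in progress) can be checked locally from the output of `fdesetup status` and `fdesetup list`. The script below is an added example, not part of the original post or of Casper; the account name `itadmin`, the `JSS_HAS_KEY` variable (standing in for the JSS’s knowledge of whether it holds a valid key) and the sample `fdesetup` output are all assumptions.

```shell
#!/bin/sh
# Added example: a local readiness gate mirroring the post's Smart Group logic.
# IT_ACCOUNT and JSS_HAS_KEY are assumed names, not Casper or fdesetup settings.
IT_ACCOUNT="${IT_ACCOUNT:-itadmin}"

# 0 when `fdesetup status` text reports that encryption is still running.
fv_encrypting() {
    printf '%s\n' "$1" | grep -qi 'encryption in progress'
}

# 0 when `fdesetup status` text reports FileVault as on.
fv_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# 0 when account $1 appears in `fdesetup list` text $2 (lines of "user,UUID").
fv_user_enabled() {
    printf '%s\n' "$2" | cut -d, -f1 | grep -qxF "$1"
}

# Prints one word of state and returns 0 only when the enable step may run.
# $1 = status text, $2 = list text, $3 = "yes" if the JSS holds a valid key.
fv_gate() {
    if fv_user_enabled "$IT_ACCOUNT" "$2"; then echo "skip: already enabled"; return 1; fi
    if [ "$3" != "yes" ]; then echo "wait: no valid recovery key"; return 1; fi
    if ! fv_on "$1"; then echo "wait: FileVault off"; return 1; fi
    if fv_encrypting "$1"; then echo "wait: still encrypting"; return 1; fi
    echo "ready"
    return 0
}

# Constructed sample output (not captured from a real Mac) so the gate can be
# exercised off-box; on a Mac with fdesetup, the live output is used instead.
SAMPLE_STATUS="$(printf 'FileVault is On.\nEncryption in progress: Percent completed = 42')"
SAMPLE_LIST="jsmith,1F2E3D4C-0000-4000-8000-000000000001"
if command -v fdesetup >/dev/null 2>&1; then
    fv_gate "$(fdesetup status)" "$(fdesetup list 2>/dev/null)" "${JSS_HAS_KEY:-no}" || true
else
    fv_gate "$SAMPLE_STATUS" "$SAMPLE_LIST" yes || true   # prints "wait: still encrypting"
fi
```

`fdesetup list` needs root on a real Mac, which is why the wrapper discards its stderr rather than failing the whole check.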
At the end of this workflow, the following should be true.
- FileVault 2 is enforced on all Macs.
- The end user’s account is able to unlock the disk.
- IT’s account is able to unlock the disk.
- The FileVault 2 recovery key is stored securely.
- All of the above happened without anyone in IT having to touch the machine.
Are you using a different process to deploy FileVault 2? Tell me about it in the comments.
A special shoutout to Rich Trouton for providing a technical review of the FileVault 2 content in this post. If you’re looking for the most thorough documentation on FileVault 2, I suggest checking out his blog.