{"id":2933,"date":"2018-12-05T10:16:01","date_gmt":"2018-12-05T10:16:01","guid":{"rendered":"http:\/\/blog.designed79.co.uk\/?p=2933"},"modified":"2018-12-05T10:16:01","modified_gmt":"2018-12-05T10:16:01","slug":"deploying-filevault-with-a-configuration-profile","status":"publish","type":"post","link":"https:\/\/blog.designed79.co.uk\/?p=2933","title":{"rendered":"Deploying FileVault with a Configuration Profile"},"content":{"rendered":"
\n
\n

This article will discuss deploying FileVault 2 via a Configuration Profile to managed Macs with Jamf Pro using either an Individual Recovery Key, an Institutional Recovery Key, or both together.<\/p>\n

Creating an Institutional Recovery Key<\/strong><\/h2>\n

Skip this section if you do not plan to deploy an Institutional Recovery Key.<\/p>\n

Jamf has excellent documentation<\/a> on how the Institutional Recovery Key is created. In order to wind up with a key we can upload to Jamf Pro, use the directions in the section titled \u201cCreating and Exporting an Institutional Recovery Key without<\/strong> the Private Key\u201d to wind up with a .cer file.<\/p>\n

Creating the Configuration Profile<\/strong><\/h2>\n

Begin by creating a new Configuration Profile, name it whatever you\u2019d like, and we can leave this as a Computer-Level profile.<\/p>\n

If Using an Institutional Recovery Key:<\/strong><\/h3>\n<\/div>\n<\/div>\n
\n
\n
\n
\n
\"Cert.png\"<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
    \n
  1. Configure<\/strong> the Certificates<\/strong> payload<\/li>\n
  2. Name<\/strong> this certificate \u201cInstitutional Recovery Key\u201d or something else that makes sense<\/li>\n
  3. Change \u201cSelect Certificate Option\u201d to Upload<\/strong><\/li>\n
  4. Choose the .cer file created in the previous section<\/li>\n
  5. The Certificates payload should now look like the screenshot to the right<\/li>\n
  6. Save<\/strong> the entire Configuration Profile before moving on – Edit<\/strong> it again to proceed<\/li>\n<\/ol>\n
    \n
    \n

    Configuring FileVault Settings<\/strong><\/h3>\n

    The FileVault settings are inside of the Security & Privacy payload. With this payload, however, comes General (including Gatekeeper), Firewall, and Privacy. Make sure there\u2019s not already an existing Security & Privacy payload scoped to the same machines that is managing those settings as we don\u2019t want duplicate payloads.<\/p>\n

      \n
    1. Check<\/strong> the box to \u201cRequire FileVault 2\u201d<\/strong>\n
        \n
      • If using an Institutional Recovery Key, check<\/strong> the box to \u201cUse institutional recovery key<\/strong>\u201d\n
          \n
        • Change<\/strong> the \u201cCertificate<\/strong>\u201d dropdown menu to reflect the Certificate Name<\/strong> we configured previously<\/li>\n<\/ul>\n<\/li>\n
        • If using an Individual Recovery Key, check<\/strong> the box to \u201cCreate individual recovery key<\/strong>\u201d<\/li>\n<\/ul>\n<\/li>\n
        • Optionally check<\/strong> the box to \u201cRequire user to unlock FileVault 2 after hibernation<\/strong>\u201d<\/li>\n<\/ol>\n

          Enabling Escrow of the Personal Recovery Key<\/strong><\/h2>\n

          If this Profile will be used to encrypt machines running macOS 10.13 or later<\/strong>, and we want to store the Individual Recovery Key (referred to in this setting as a \u201cPersonal Recovery Key\u201d) in Jamf Pro, then we need to check<\/strong> the box to \u201cEnable Escrow Personal Recovery Key<\/strong>\u201d<\/p>\n

            \n
          1. The Escrow Location Description <\/strong>message must be configured, and it can be as simple as something like \u201cYour Recovery Key Will be Sent to IT for Safe-Keeping.\u201d<\/li>\n
          2. \u201cRecord Number\u201d Message<\/strong> is optional, but something like \u201cPlease Give IT This Number\u201d would make sense here.<\/li>\n
          3. Leave Personal Recovery Key Encryption Method<\/strong> as \u201cAutomatically encrypt and decrypt recovery key<\/strong>\u201d<\/li>\n<\/ol>\n

            The FileVault tab should now look like this if we’re deploying both an Institutional and Individual Recovery Key:<\/p>\n<\/div>\n<\/div>\n

            \n
            \n
            \n
            \n
            \"FV.png\"<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n
            \n
            \n

            Redirecting Individual Recovery Keys to macOS 10.12 and Earlier<\/strong><\/h2>\n

            The setting to Enable Escrow Personal Recovery Key<\/strong> is only applicable for macOS 10.13 and later. In order to redirect the Individual Recovery Key to Jamf Pro for macOS 10.12 or earlier, we need to use a completely separate payload. It is absolutely acceptable to put both payloads in the same profile – the operating system will just ignore the profile that it doesn\u2019t need.<\/em><\/strong><\/p>\n

              \n
            1. Configure<\/strong> the FileVault Recovery Key Redirection<\/strong> payload<\/li>\n
            2. Change<\/strong> the Recovery Key Redirection<\/strong> dropdown to \u201cAutomatically redirect recovery keys to the Jamf Pro server<\/strong>\u201d<\/li>\n<\/ol>\n

              A Final Note on the Certificates Payload<\/strong><\/h2>\n

              Depending on which settings we enabled for escrowing or redirecting the Individual Recovery Key, we may see additional entries in the Certificates payload. This is normal, and required.<\/em><\/strong><\/p>\n

                \n
              • If we enabled escrow in the Security & Privacy<\/strong> payload, there should be a certificate titled \u201cJSS FileVault Recovery Key Escrow Certificate<\/strong>.\u201d<\/li>\n
              • If we enabled redirection with the FileVault Recovery Key Redirection<\/strong> payload, there should be a certificate titled \u201cJSS FileVault Recovery Key Redirection Certificate<\/strong>\u201d<\/li>\n<\/ul>\n

                That\u2019s it! We\u2019re ready to scope the Configuration Profile<\/strong> out to our managed Macs and kick off the encryption process! Once the Individual Recovery Key is sent back to Jamf Pro (if configured) we can see it in an individual Computer Inventory Record<\/strong> under the Management<\/strong> tab, and then under the FileVault 2<\/strong>subheading.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

                This article will discuss deploying FileVault 2 via a Configuration Profile to managed Macs with Jamf Pro using either an Individual Recovery […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2933","post","type-post","status-publish","format-standard","hentry","category-info-on-tech"],"_links":{"self":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/2933","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2933"}],"version-history":[{"count":0,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/2933\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2933"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2933"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2933"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}