Escrowing new FileVault keys to MDM without password prompts
Jun 12, 2023
3 minute read

In early 2015, I presented a solution I developed for Pinterest for reissuing and escrowing missing FileVault keys in Jamf. The solution centered around an AppleScript-driven password prompt that provided input to the fdesetup tool. Combined with an escrow profile (or its predecessor the redirection profile), this would generate a new FileVault recovery key and store it with Jamf. In the years since, I’ve happily maintained this workflow and incrementally improved it, and a number of organizations are still using it successfully with recent versions of macOS.

However, the idea of prompting the user for their password always mildly irritated me for two main reasons. First and most importantly, unnecessary user-facing prompts contribute to “consent fatigue” that can lead to security incidents like the one that Uber experienced in 2022 and can give adware/malware an opportunity to contaminate an organization’s systems. Second, implementing this workflow well required a tremendous amount of time and energy on the part of IT and security teams: emails announcing the campaign to affected users, maintaining and documenting the script and supporting policies, fielding support requests generated by confused or suspicious users, and following up with any stragglers who ignore or dismiss the prompt.

When the time came to solve the problem of missing FileVault recovery keys for Netflix, I actively sought alternatives to this password prompt workflow that would address those challenges. A colleague helpfully pointed me towards Crypt, which leverages a mechanism I hadn’t previously paid much attention to: authorization plugins. Since authorization plugins have access to the credentials of the user logging in, it’s possible to use these credentials with the fdesetup tool during the login process itself and avoid additional prompts. Making this connection ultimately led our team to create and publish our own stripped-down authorization plugin called Escrow Buddy focused specifically on the goal of escrowing missing FileVault keys to MDM.

As a former proponent of the password prompt workflow, it’s time for me to officially recommend a better path. Stop prompting users for their password to escrow new FileVault keys to MDM. Consider switching to Escrow Buddy instead. By doing so, you’d be contributing to a healthier security culture in your organization and saving yourself and your security partners valuable time.

FileVault reissue password prompt

Making the switch

What’s involved in making the switch away from your existing password prompt FileVault reissue workflow? At minimum, simply stop deploying my reissue script, and start deploying and configuring Escrow Buddy instead. (Instructions for doing so are in the Escrow Buddy read me.)

This minimal approach relies entirely on the macOS login process as your FileVault key regeneration mechanism, with no additional user interaction at all. While this might feel different than the workflow you’re used to, my sincere advice is to think critically about what user interaction beyond the login window is truly beneficial and necessary. You might find the answer is none — especially if you employ other workflows that require occasional restarts such as enforcement of macOS updates/upgrades.

If you still feel you require user notifications, there are options for pairing notifications with Escrow Buddy, ranging from gentle to forceful. I may go into detail on some of those in a future post. However, simply deploying Escrow Buddy in place of the reissue script is probably the best bet for most organizations.

Further reading

You can read more about Escrow Buddy on the Netflix Tech Blog or on GitHub.