
Jamf Nation thread: Disk Encryption Recovery Key Status: Not Present / No encryption key


Hi everyone!

Recently we faced a problem: one of the users, after enrolment, doesn't see a Recovery Key in the Disk Encryption tab; it says Disk Encryption Recovery Key Status: Not Present.

The rest of the users encrypt normally and receive recovery keys for restore.

Now we have a problem: the user's laptop asked for a reboot after some actions, and the MacBook asked for the key. But in the profile it's empty, although the status is encrypted. Please kindly assist! How is it possible with jamf to decrypt this Mac and hard drive? Is there any way?

Thank you in advance! Best regards!


We had a scenario similar to yours a while back. Luckily we were still able to sign into the device and use this tool: https://github.com/homebysix/jss-filevault-reissue

 


Hi, thank you for the solution.

You say you were able to sign in to the device. How were you able to, if the Mac asks for the key at the beginning of the boot?


Hi all! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!


Source: https://community.jamf.com/t5/jamf-pro/disk-encryption-recovery-key-status-not-present-no-encryption-key/td-p/272371




Reissuing FileVault keys with the Casper Suite

Presented by Elliot Jordan, Senior Consultant, Linde Group
MacBrained - January 27, 2015 - San Francisco, CA

Deprecation Notice

Escrow Buddy, a tool for reissuing and escrowing FileVault keys that does NOT require prompting users for their passwords, is now available. As such, I don't plan to make any further updates to the workflow below. Please consider switching to Escrow Buddy. Read more below.

The Problem

FileVault individual recovery keys can be missing from the JSS for many reasons.

  • Perhaps the Mac was encrypted prior to enrollment.
  • The Mac was encrypted prior to the FileVault redirection profile installation.
  • The original recovery key was lost for some reason (e.g. database corruption or a bug of some kind).

[Screenshots: "FileVault is encrypted" next to "FileVault is 'not configured'"]

The Solution

You can use a policy to generate a new FileVault key and upload it to the JSS.

  1. A configuration profile ensures that all FileVault keys are escrowed with the JSS.
  2. A smart group determines which computers lack valid individual recovery keys.
  3. Customize the reissue_filevault_recovery_key.sh script for your environment.
  4. Create a policy that deploys the reissue_filevault_recovery_key.sh script to the computers in the smart group.

[Screenshot: Notification]

[Screenshot: Password Prompt]

Step One: Configuration Profile

A configuration profile called "Redirect FileVault keys to JSS" does what the name says.

  • General
    • Distribution Method: Install Automatically
    • Level: Computer Level
  • FileVault Recovery Key Redirection
    • Automatically redirect recovery keys to the JSS
  • Scope
    • All computers

Step Two: Smart Group

A smart group named "FileVault encryption key is invalid or unknown" selects the affected Macs.

  And/Or   Criteria                                Operator               Value
           FileVault 2 Individual Key Validation   is not                 Valid
  and      Last Check-in                           less than x days ago   30
  and      FileVault 2 Detailed Status*            is                     FileVault 2 Encryption Complete

*From Rich Trouton's FileVault status extension attribute: http://goo.gl/zB04LT

Step Three: Script

The reissue_filevault_recovery_key.sh script runs on each affected Mac.

  • Start by customizing the reissue_filevault_recovery_key.sh script as needed for your environment.
    • Email affected employees to give them a heads up.
    • Use jamfHelper to announce the upcoming password prompt.
    • Add a logo to the AppleScript password prompt.
    • Fail silently if logo files aren't present, or any other problems are detected.
    • Verify the Mac login password, with 5 chances to enter the correct password.

Here is the section of the script you'll want to customize:

[Script screenshot]

Step Four: Policy

A policy called "Reissue invalid or missing FileVault recovery key" runs the script on each Mac in the smart group.

  • General
    • Trigger: Recurring Check-In
    • Execution Frequency: Once per computer
  • Packages
    • AppleScriptCustomIcon.dmg (loads /tmp/Pinterest.icns)
  • Scripts
    • reissue_filevault_recovery_key.sh (priority: After)
  • Scope
    • Smart Group: FileVault encryption key is invalid or unknown

Follow Through

Don't forget to monitor policy logs and test FileVault recovery to verify success.

  • Monitor logs and flush one-off errors (unable to connect to distribution point, no user logged in, etc.).
  • Identify and resolve remaining problems manually.
  • Test a few newly-generated FileVault keys to ensure they are working as expected.
  • Update your internal documentation.

Compatibility

High Sierra (10.13) and Mojave (10.14)

This script appears to work with macOS High Sierra and Mojave, but there are a few known issues:

  • On specific versions of High Sierra, entering an incorrect password during the key rotation process can result in invalidation of the existing FileVault key.
    • Since the existing FileVault key is not valid in the first place (presumably), this isn't the end of the world. But it means that if the key was stored separately, e.g. in a spreadsheet somewhere, it will no longer work.
    • We attempt to mitigate this by validating the provided password with dscl prior to using it for rotation of the FileVault key. However, there is no guarantee that your local account password and your FileVault password are the same.
  • Previous versions of macOS generated log output that confirmed the successful escrow of the newly generated FileVault key. High Sierra and Mojave do not. Instead, a local file containing the new key is written, which MDM is meant to retrieve. We attempt to determine escrow success by detecting a change in that file, but it's not a guarantee of success.
  • If you find additional issues with High Sierra or Mojave, I'd appreciate you opening an issue on this repo.
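The two mechanisms described in Step Three and in the High Sierra/Mojave notes above (verify the login password with dscl, allowing 5 attempts, before rotating the personal recovery key, and treat a change in the locally written key file as a weak signal that a new key exists for MDM to collect) are written out below as an added shell example. It is not the jss-filevault-reissue script itself, whose customizable section appears on this page only as a screenshot. It assumes macOS with dscl, fdesetup and osascript, an FDERecoveryKeyEscrow profile already installed, and that the local file MDM collects is /var/db/FileVaultPRK.dat (a macOS path, not one stated on this page); the retry, XML-escaping and fingerprint helpers are plain POSIX shell.

```shell
#!/bin/sh
# Added example, not the jss-filevault-reissue script: rotate the FileVault personal
# recovery key after verifying the console user's login password, then compare a
# fingerprint of the local PRK file before and after as an escrow heuristic.

MAX_TRIES=5                               # "5 chances to enter correct password"
PRK_FILE="/var/db/FileVaultPRK.dat"       # assumed macOS path MDM retrieves on 10.13+

# User currently logged in at the GUI (owner of /dev/console).
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null
}

# AppleScript dialog with hidden input; prints the entered text.
prompt_password() {
    osascript -e 'display dialog "Enter your Mac login password to rotate your FileVault recovery key:" default answer "" with hidden answer buttons {"OK"} default button "OK"' \
              -e 'text returned of result' 2>/dev/null
}

# Validate against the local directory node. Caveat: the password is an argv
# element here, so it is briefly visible in the process list.
check_local_password() {
    dscl /Local/Default -authonly "$1" "$2" >/dev/null 2>&1
}

# Run command "$2" up to "$1" times; 0 on the first success, 1 if every try fails.
verify_with_retries() {
    max=$1; checker=$2; n=0
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        if "$checker"; then
            return 0
        fi
    done
    return 1
}

# Escape XML reserved characters so an arbitrary password survives the plist.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# "crc:size" of a file via POSIX cksum; prints nothing if the file is absent.
prk_fingerprint() {
    [ -f "$1" ] && cksum "$1" | awk '{print $1 ":" $2}'
    return 0
}

# Two fingerprints differ -> a new key file was (probably) written.
escrow_signal_changed() {
    [ "$1" != "$2" ]
}

# Credentials go in on stdin as a plist, never on the command line. stdout would
# carry the new key, so it is discarded: the escrow profile delivers it to MDM,
# and it must not end up in the policy log.
rotate_personal_key() {
    fdesetup changerecovery -personal -inputplist >/dev/null <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$1</string>
    <key>Password</key><string>$2</string>
</dict>
</plist>
EOF
}

# One prompt-and-check attempt; leaves the accepted password in PASS.
try_prompt() {
    PASS=$(prompt_password) || return 1
    check_local_password "$CONSOLE_USER" "$PASS"
}

main() {
    CONSOLE_USER=$(console_user)
    if [ -z "$CONSOLE_USER" ] || [ "$CONSOLE_USER" = "root" ]; then
        echo "No GUI user logged in; failing silently."; return 0
    fi
    before=$(prk_fingerprint "$PRK_FILE")
    if ! verify_with_retries "$MAX_TRIES" try_prompt; then
        echo "Password not verified after $MAX_TRIES attempts; key not rotated."; return 1
    fi
    if ! rotate_personal_key "$CONSOLE_USER" "$(xml_escape "$PASS")"; then
        unset PASS; echo "fdesetup changerecovery failed."; return 1
    fi
    unset PASS
    after=$(prk_fingerprint "$PRK_FILE")
    if escrow_signal_changed "$before" "$after"; then
        echo "New key written locally; confirm it appears in the JSS after the next inventory."
    else
        echo "PRK file unchanged; verify escrow in the JSS manually."
    fi
}

# Rotate only when asked explicitly, so the helpers can be sourced and tested safely.
case "${1:-}" in
    --rotate) main ;;
esac
```

Deploy it through a policy as root with the --rotate argument. Two points worth keeping from this design: the fingerprint comparison is only a hint, exactly as the notes above say, so the "Follow Through" step of testing a few escrowed keys still applies; and discarding fdesetup's stdout keeps the new recovery key out of the Jamf policy log, where it would otherwise be readable by anyone with log access.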

Catalina (10.15)

This script should work on macOS Catalina, but please open an issue if you notice any Catalina-specific bugs.

Thank you!

Source: https://github.com/homebysix/jss-filevault-reissue



Escrow Buddy is a macOS authorization plugin that allows MDM administrators to generate and escrow new FileVault personal recovery keys on Macs that lack a valid escrowed key in MDM.

For more context around the problem of missing FileVault keys in MDM and Escrow Buddy's origin, see this post on the Netflix Tech Blog.

If you've successfully deployed Escrow Buddy, we'd love to know the details in this brief survey. Thank you!


Requirements

  • Your managed Macs must:
    • be enrolled in an MDM
    • have macOS Mojave 10.14.4 or newer
  • Your MDM must:
    • support FileVault recovery key escrow
    • deploy a configuration profile with the FDERecoveryKeyEscrow payload
    • have the ability to install packages and run shell scripts

NOTE: Escrow Buddy only works with MDM-based escrow solutions, not escrow servers like Crypt Server or Cauliflower Vest.


Deployment

  1. Ensure you have an escrow profile scoped to all Macs with the FDERecoveryKeyEscrow payload.

     This will ensure that any newly generated FileVault recovery key, no matter how it's generated, will be escrowed to your MDM server.

  2. Use your MDM to install the latest Escrow Buddy installer package on your Macs.

     You can choose to install on all Macs or limit to those that need FileVault recovery keys escrowed.

  3. Use your MDM to run this command (in root context) on Macs that do not have a valid FileVault recovery key escrowed:

     defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true

     It is recommended to have this script run dynamically on Macs that need it using your MDM's dynamic scoping feature. See the Examples page for examples.

That's it! The next time a FileVault-authorized user logs in to the Mac, a new FileVault personal recovery key will be generated and escrowed to your MDM.
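As an added example (not part of Escrow Buddy or its README), here is a wrapper around the step 3 command that an MDM can run in root context on a broad scope: it checks the README's preconditions (escrow payload present, FileVault fully enabled, plugin installed) before setting GenerateNewKey, and does nothing if a rotation is already pending. It assumes the plugin bundle lives at /Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle (an assumption; the page does not state the install path), that `fdesetup status` prints "FileVault is On." or "FileVault is Off." with an optional "... in progress ..." line, and that `profiles -C -o stdout-xml` dumps installed computer-level profiles including their payload type strings.

```shell
#!/bin/sh
# Added example, not Escrow Buddy's own code: idempotent trigger for GenerateNewKey
# that only fires when a generated key would actually be escrowed.

PREF="/Library/Preferences/com.netflix.Escrow-Buddy.plist"
PLUGIN="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"   # assumed install path
ESCROW_PAYLOAD="com.apple.security.FDERecoveryKeyEscrow"

# Takes the text of `fdesetup status`. 0 only when FileVault is On and no
# encryption/decryption is still running; a half-converted volume cannot take a new key.
filevault_ready() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.' || return 1
    printf '%s\n' "$1" | grep -qi 'in progress' && return 1
    return 0
}

# Takes the XML dump of installed profiles; 0 when the escrow payload type is present.
escrow_profile_present() {
    printf '%s\n' "$1" | grep -q "$ESCROW_PAYLOAD"
}

# Takes the current value of the GenerateNewKey flag as printed by `defaults read`
# (empty when unset); 0 when a rotation is already queued.
flag_pending() {
    [ "$1" = "1" ]
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "Must run as root (MDM root context)."; return 1
    fi
    if [ ! -d "$PLUGIN" ]; then
        echo "Escrow Buddy is not installed; deploy the package first (step 2)."; return 1
    fi
    if ! escrow_profile_present "$(profiles -C -o stdout-xml 2>/dev/null)"; then
        echo "No $ESCROW_PAYLOAD payload installed; a new key would not reach MDM (step 1)."; return 1
    fi
    if ! filevault_ready "$(fdesetup status)"; then
        echo "FileVault is not fully enabled; nothing to rotate."; return 0
    fi
    if flag_pending "$(defaults read "$PREF" GenerateNewKey 2>/dev/null)"; then
        echo "GenerateNewKey is already set; waiting for the next authorized login."; return 0
    fi
    defaults write "$PREF" GenerateNewKey -bool true
    echo "Escrow Buddy will generate and escrow a new key at the next FileVault-authorized login."
}

# Act only when asked explicitly so the parsing helpers can be tested on any system.
case "${1:-}" in
    --trigger) main ;;
esac
```

Run it from the MDM as root with --trigger. Because every exit path is safe to repeat, the script can be scoped with the MDM's dynamic scoping (for example a group of Macs whose key validation fails) without tracking which Macs have already been flagged.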

Support

See the wiki for Frequently Asked Questions and Troubleshooting resources.

If you've read those pages and are still having problems, please search our issues (both open and closed) to see whether your issue has already been addressed there. If not, you can open an issue.

For a faster and more focused response, be sure to provide the following in your issue:

  • Log output (see the wiki for information on retrieving logs)
  • macOS version you're deploying to
  • MDM (name and version) you're using
  • What troubleshooting steps you've already taken

Contribution

Contributions are welcome! To contribute, create a fork of this repository, commit and push changes to a branch of your fork, and then submit a pull request. Your changes will be reviewed by a project maintainer.

Contributions don't have to be code; we appreciate any help maintaining our wiki or answering issues.

Also, if you've successfully deployed Escrow Buddy at your organization, please consider submitting our brief survey for measuring the project's community impact.


Credits

Escrow Buddy was created by the Netflix Client Systems Engineering team.

The Crypt project was a major inspiration in the creation of this tool; huge thanks to Graham, Wes, and the Crypt team! Jeremy Baker and Tom Burgin's 2015 PSU MacAdmins session on authorization plugins was also a valuable resource.

Escrow Buddy is licensed under the Apache License, version 2.0.

Source: https://github.com/macadmins/escrow-buddy










