
Jamf FileVault 2 - Invalid Recovery Key (very useful)

Disk Encryption Recovery Key Status: Not Present / No encryption key

temafey
New Contributor

Hi everyone!

Recently we faced a problem: one of the users, after enrolment, doesn't see a Recovery Key in the Disk Encryption tab; it says Disk Encryption Recovery Key Status: Not Present.

The rest of the users encrypt normally and receive recovery keys for restore.

Now we have a problem: the user's laptop asked for a reboot after some actions and the MacBook asked for the key. But in the profile it's empty, although the status is encrypted. Please kindly assist! How is it possible with Jamf to decrypt this Mac and hard drive? Is there any way?

Thank you in advance! Best regards!


4 REPLIES

mojo21221
Contributor II

We had a scenario similar to yours a while back. Luckily we were still able to sign into the device and use this tool. https://github.com/homebysix/jss-filevault-reissue

 

Hi. Thank you for the solution.

You say that you were able to sign in to the device - how could you, if the Mac asks for the key at the beginning of the boot?

Th

elliotjordan
Contributor III

Hi all! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!


Source: https://community.jamf.com/t5/jamf-pro/disk-encryption-recovery-key-status-not-present-no-encryption-key/td-p/272371



homebysix/jss-filevault-reissue

Reissuing FileVault keys with the Casper Suite

Presented by Elliot Jordan, Senior Consultant, Linde Group
MacBrained - January 27, 2015 - San Francisco, CA

Deprecation Notice

Escrow Buddy, a tool for reissuing and escrowing FileVault keys, is available and does NOT require prompting users for their passwords. As such, I don't plan to make any further updates to the workflow below. Please consider switching to Escrow Buddy. Read more below:




The Problem

FileVault individual recovery keys can be missing from the JSS for many reasons.

  • Perhaps the Mac was encrypted prior to enrollment.
  • The Mac was encrypted prior to the FileVault redirection profile installation.
  • The original recovery key was lost for some reason (e.g. database corruption or a bug of some kind).

[Screenshots: "FileVault is encrypted" and "FileVault is 'not configured'"]

The Solution

You can use a policy to generate a new FileVault key and upload it to the JSS.

  1. A configuration profile ensures that all FileVault keys are escrowed with the JSS.
  2. A smart group determines which computers lack valid individual recovery keys.
  3. Customize the reissue_filevault_recovery_key.sh script for your environment.
  4. Create a policy that deploys the reissue_filevault_recovery_key.sh script to the computers in the smart group.

[Screenshots: Notification, Password Prompt]

Step One: Configuration Profile

A configuration profile called "Redirect FileVault keys to JSS" does what the name says.

  • General
    • Distribution Method: Install Automatically
    • Level: Computer Level
  • FileVault Recovery Key Redirection
    • Automatically redirect recovery keys to the JSS
  • Scope
    • All computers

Step Two: Smart Group

A smart group named "FileVault encryption key is invalid or unknown" selects the affected Macs.

  And/Or | Criteria                              | Operator             | Value
  -------|---------------------------------------|----------------------|--------------------------------
         | FileVault 2 Individual Key Validation | is not               | Valid
  and    | Last Check-in                         | less than x days ago | 30
  and    | FileVault 2 Detailed Status*          | is                   | FileVault 2 Encryption Complete

*From Rich Trouton's FileVault status extension attribute: http://goo.gl/zB04LT

Step Three: Script

The reissue_filevault_recovery_key.sh script runs on each affected Mac.

  • Start by customizing the reissue_filevault_recovery_key.sh script as needed for your environment.
    • Email affected employees to give them a heads up.
    • Use jamfHelper to announce the upcoming password prompt.
    • Add a logo to the AppleScript password prompt.
    • Fail silently if logo files aren't present, or any other problems are detected.
    • Verify the Mac login password, with 5 chances to enter the correct password.

Here is the section of the script you'll want to customize:

[Screenshot: the section of the script to customize]
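The screenshot is not recoverable here, so what follows is an added example of the flow Step Three describes: verify the login password with dscl, then rotate the personal recovery key with fdesetup. It is an illustration written for this page, not the project's reissue_filevault_recovery_key.sh. It assumes macOS with /usr/bin/fdesetup, /usr/bin/dscl and /usr/bin/osascript, takes the 5-attempt limit from the README, and leaves out the jamfHelper notice, the email and the logo handling.

```shell
#!/bin/bash
# Added example, not the jss-filevault-reissue script: verify the console
# user's password with dscl, then reissue the FileVault personal recovery key
# with fdesetup. Escrow of the new key is done by the redirection profile
# (Step One), so this script never stores, prints or uploads the key.
# Assumes macOS tools at /usr/bin/{fdesetup,dscl,osascript,stat}.

MAX_ATTEMPTS=5   # the README gives the user 5 chances

# Escape XML special characters so a password containing & < > " or '
# cannot break the plist that fdesetup reads on stdin.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the input plist for `fdesetup changerecovery -personal -inputplist`:
# a dict with Username and Password keys (see man fdesetup).
build_inputplist() {
  local user pass
  user=$(xml_escape "$1")
  pass=$(xml_escape "$2")
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<plist version="1.0">\n<dict>\n'
  printf '  <key>Username</key>\n  <string>%s</string>\n' "$user"
  printf '  <key>Password</key>\n  <string>%s</string>\n' "$pass"
  printf '</dict>\n</plist>\n'
}

# 0 only if the password authenticates the local account. This is the dscl
# pre-check the README describes: it avoids feeding a wrong password to
# fdesetup, which on some High Sierra builds invalidates the existing key.
verify_local_password() {
  /usr/bin/dscl /Local/Default -authonly "$1" "$2" >/dev/null 2>&1
}

# Hidden-answer AppleScript dialog; prints what the user typed.
prompt_password() {
  /usr/bin/osascript \
    -e 'display dialog "Your FileVault recovery key needs to be updated. Enter your Mac login password:" default answer "" with hidden answer buttons {"OK"} default button 1' \
    -e 'text returned of result'
}

# Rotate the personal recovery key. fdesetup prints the new key on stdout;
# it is discarded here because escrow is the profile's job.
reissue_recovery_key() {
  build_inputplist "$1" "$2" \
    | /usr/bin/fdesetup changerecovery -personal -inputplist >/dev/null
}

main() {
  local console_user attempt pass
  console_user=$(/usr/bin/stat -f '%Su' /dev/console)
  attempt=1
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    pass=$(prompt_password) || exit 1          # user cancelled the dialog
    if verify_local_password "$console_user" "$pass"; then
      if reissue_recovery_key "$console_user" "$pass"; then
        echo "Recovery key reissued for $console_user; escrow pending via the profile."
        # On Jamf, an optional `/usr/local/bin/jamf recon` here makes the
        # new key show up in the JSS sooner.
        exit 0
      fi
      echo "fdesetup failed; not retrying." >&2
      exit 1
    fi
    echo "Incorrect password (attempt $attempt of $MAX_ATTEMPTS)." >&2
    attempt=$((attempt + 1))
  done
  echo "Too many incorrect passwords; giving up." >&2
  exit 1
}

# Only run the interactive flow on macOS as root; elsewhere this file just
# defines the functions above.
if [ -x /usr/bin/fdesetup ] && [ "$(id -u)" -eq 0 ]; then
  main
fi
```

The XML escaping is the part people forget: a password containing `&` or `<` would otherwise produce a plist that fdesetup rejects, which looks exactly like a wrong password. The dscl pre-check is the mitigation the Compatibility section below refers to, and it only helps when the local account password and the FileVault password are the same.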

Step Four: Policy

A policy called "Reissue invalid or missing FileVault recovery key" runs the script on each Mac in the smart group.

  • General
    • Trigger: Recurring Check-In
    • Execution Frequency: Once per computer
  • Packages
    • AppleScriptCustomIcon.dmg (loads /tmp/Pinterest.icns)
  • Scripts
    • reissue_filevault_recovery_key.sh (priority: After)
  • Scope
    • Smart Group: FileVault encryption key is invalid or unknown

Follow Through

Don't forget to monitor policy logs and test FileVault recovery to verify success.

  • Monitor logs and flush one-off errors (unable to connect to distribution point, no user logged in, etc.).
  • Identify and resolve remaining problems manually.
  • Test a few newly-generated FileVault keys to ensure they are working as expected.
  • Update your internal documentation.

Compatibility

High Sierra (10.13) and Mojave (10.14)

This script appears to work with macOS High Sierra and Mojave, but there are a few known issues:

  • On specific versions of High Sierra, entering an incorrect password during the key rotation process can result in invalidation of the existing FileVault key.
    • Since the existing FileVault key is not valid in the first place (presumably), this isn't the end of the world. But it means that if the key was stored separately, e.g. in a spreadsheet somewhere, it will no longer work.
    • We attempt to mitigate this by validating the provided password with dscl prior to using it for rotation of the FileVault key. However, there is no guarantee that your local account password and your FileVault password are the same.
  • Previous versions of macOS generated log output that confirmed the successful escrow of the newly generated FileVault key. High Sierra and Mojave do not. Instead, a local file containing the new key is written, which MDM is meant to retrieve. We attempt to determine escrow success by detecting a change in that file, but it's not a guarantee of success.
  • If you find additional issues with High Sierra or Mojave, I'd appreciate you opening an issue on this repo.

Catalina (10.15)

This script should work on macOS Catalina, but please open an issue if you notice any Catalina-specific bugs.

Thank you!

Source: https://github.com/homebysix/jss-filevault-reissue?tab=readme-ov-file

https://community.jamf.com/t5/jamf-pro/missing-filevault-recovery-keys/m-p/190005

https://derflounder.wordpress.com/2018/01/15/filevault-recovery-key-redirection-profile-changes-in-macos-high-sierra/





Escrow Buddy

Escrow Buddy is a macOS authorization plugin that allows MDM administrators to generate and escrow new FileVault personal recovery keys on Macs that lack a valid escrowed key in MDM.

For more context around the problem of missing FileVault keys in MDM and Escrow Buddy's origin, see this post on the Netflix Tech Blog.

If you've successfully deployed Escrow Buddy, we'd love to know the details in this brief survey. Thank you!


Requirements

  • Your managed Macs must:
    • be enrolled in an MDM
    • have macOS Mojave 10.14.4 or newer
  • Your MDM must:
    • support FileVault recovery key escrow
    • deploy a configuration profile with the FDERecoveryKeyEscrow payload
    • have the ability to install packages and run shell scripts

NOTE: Escrow Buddy only works with MDM-based escrow solutions, not escrow servers like Crypt Server or Cauliflower Vest.


Deployment

  1. Ensure you have an escrow profile scoped to all Macs with the FDERecoveryKeyEscrow payload.

     This will ensure that any newly generated FileVault recovery key, no matter how it's generated, will be escrowed to your MDM server.

  2. Use your MDM to install the latest Escrow Buddy installer package on your Macs.

     You can choose to install on all Macs or limit to those that need FileVault recovery keys escrowed.

  3. Use your MDM to run this command (in root context) on Macs that do not have a valid FileVault recovery key escrowed:

     defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true

     It is recommended to have this script run dynamically on Macs that need it using your MDM's dynamic scoping feature. See the Examples page for examples.

That's it! The next time a FileVault-authorized user logs in to the Mac, a new FileVault personal recovery key will be generated and escrowed to your MDM.
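As an added example (not part of Escrow Buddy or its Examples page), here is a preflight wrapper around step 3 that an MDM could run in root context. It refuses to set GenerateNewKey when FileVault is off or when no FDERecoveryKeyEscrow payload is installed, because a key generated without that profile is rotated but never escrowed, which is worse than the starting position. The FileVault check parses `fdesetup status`; the profile check greps the output of `profiles -C -v` for the payload type, which is an assumption about that command's output format.

```shell
#!/bin/bash
# Added example, not Escrow Buddy's own code: gate the GenerateNewKey flag
# behind two checks so the plugin only rotates keys that will be escrowed.
# Assumes macOS with /usr/bin/fdesetup, /usr/bin/profiles, /usr/bin/defaults.

PREF_PLIST="/Library/Preferences/com.netflix.Escrow-Buddy.plist"   # from the README
ESCROW_PAYLOAD="com.apple.security.FDERecoveryKeyEscrow"           # payload type

# Parse `fdesetup status` text: 0 if FileVault is on, 1 otherwise.
filevault_is_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Parse `profiles` output text: 0 if an escrow payload is listed, 1 otherwise.
# (Assumption: the payload type string appears verbatim in that output.)
escrow_payload_installed() {
  printf '%s\n' "$1" | grep -q "$ESCROW_PAYLOAD"
}

# Turn the two pieces of evidence into a decision word so the logic can be
# exercised without macOS: "set", "skip-fv-off" or "skip-no-profile".
decide() {
  if ! filevault_is_on "$1"; then
    echo "skip-fv-off"
  elif ! escrow_payload_installed "$2"; then
    echo "skip-no-profile"
  else
    echo "set"
  fi
}

main() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "must run as root (the preference is system-wide)" >&2
    exit 1
  fi
  fv_status=$(/usr/bin/fdesetup status)
  profile_list=$(/usr/bin/profiles -C -v 2>/dev/null)
  case "$(decide "$fv_status" "$profile_list")" in
    set)
      /usr/bin/defaults write "$PREF_PLIST" GenerateNewKey -bool true
      # Read the value back so the MDM policy log records what was written.
      echo "GenerateNewKey=$(/usr/bin/defaults read "$PREF_PLIST" GenerateNewKey)"
      ;;
    skip-fv-off)
      echo "FileVault is not on; nothing to escrow."
      ;;
    skip-no-profile)
      echo "No $ESCROW_PAYLOAD profile installed; fix profile scoping first." >&2
      exit 1
      ;;
  esac
}

# Run only on macOS; elsewhere the file just defines the functions above.
if [ -x /usr/bin/fdesetup ]; then
  main
fi
```

Exiting non-zero in the no-profile case is deliberate: it surfaces the scoping problem in the MDM's policy log instead of silently skipping the Mac, and the smart-group criteria from the jss-filevault-reissue README can then be reused to scope this script only to Macs whose escrowed key is invalid or unknown.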


Support

See the wiki for Frequently Asked Questions and Troubleshooting resources.

If you've read those pages and are still having problems, please search our issues (both open and closed) to see whether your issue has already been addressed there. If not, you can open an issue.

For a faster and more focused response, be sure to provide the following in your issue:

  • Log output (see the wiki for information on retrieving logs)
  • macOS version you're deploying to
  • MDM (name and version) you're using
  • What troubleshooting steps you've already taken

Contribution

Contributions are welcome! To contribute, create a fork of this repository, commit and push changes to a branch of your fork, and then submit a pull request. Your changes will be reviewed by a project maintainer.

Contributions don't have to be code; we appreciate any help maintaining our wiki or answering issues.

Also, if you've successfully deployed Escrow Buddy at your organization, please consider submitting our brief survey for measuring the project's community impact.


Credits

Escrow Buddy was created by the Netflix Client Systems Engineering team.

The Crypt project was a major inspiration in the creation of this tool — huge thanks to Graham, Wes, and the Crypt team! Jeremy Baker and Tom Burgin's 2015 PSU MacAdmins session on authorization plugins was also a valuable resource.

Escrow Buddy is licensed under the Apache License, version 2.0.

Source: https://github.com/macadmins/escrow-buddy
















Filevault 2 - Invalid Recovery Keys



Hi Everyone,

We are having a really strange FileVault issue here. We have some machines that encrypt with our config, everything looks fine then, out of the blue, the personal recovery key will report as invalid and shows as invalid when I check on the client with fdesetup. Then sometimes, it will resolve itself. I've even compared DB backups to see if the recovery key changes and it stays exactly the same.

I hope someone might have some ideas because this could lead to some major issues.

Thanks

Dave

12 REPLIES

rbundonis
New Contributor II

Are you using Sites? I've found on my deployments that if you are using Sites and you have the web interface set to a specific site, then you cannot see the keys when requested and you get the Invalid error. However, if you switch to Full JSS then you can see the keys and there is no invalid error.

flyboy
Contributor

I'm having a similar issue. The "fix" seems to be booting to the Recovery Partition, unlocking the disk with Disk Utility, running a repair disk (which typically shows no errors to be fixed), and repairing permissions. On reboot and subsequent recon, all is peachy. I say "fix," because well, it's not a fix. I have yet to find a pattern other than it seems to be more common with users that only sleep their computers as opposed to doing an actual reboot. However, it's not exclusive to those people.

Kevin
Contributor II

Sorry to re-ignite an old thread, but we are seeing similar behavior. Everything was OK with all of these units. The drives are encrypted and when that occurred, the keys reported as valid. Out of ~400 units encrypted, the number of invalid keys has been creeping up, now to around 15.

FileVault 2 Partition Encryption State: Encrypted
Individual Recovery Key Validation: Invalid
Institutional Recovery Key: Present

Has anyone else seen this issue and know of a fix?

dgreening
Valued Contributor II

Typically when we see this it is that the client has not rebooted in several months, and a reboot clears it up.

danny_friedman_
New Contributor III

I have started seeing this across my organization. Alarmingly, this seems to be an issue on about half of the machines, and the predominant uptimes are under 20 days. This seems like a very serious issue.

danshaw
Contributor II

I just wanted to put my hat in the ring. We just started encrypting our fleet of 300 Macs. While encryption seems to be going smoothly we now have 70 computers that are showing INVALID keys. And this number is slowly increasing each day. Computers that used to be fine are now having issues.

JAMF Support has recommended rebooting, running First Aid, and also trying out their ReissueKey script.

While these options make it work when you try them, those computers just return to INVALID after a couple of days.

If anyone has found any type of solution I'd love to hear it.

koalatee
Contributor II

@danshaw In our experience, invalid doesn't necessarily mean it doesn't work. Something may have been interrupted, the machines haven't rebooted in a while, or some other reporting issue...

But, we have put the reissuekey script in place and it's great. Even better if your management account is a FV2 user on the machine - then it can be done in the background. I wouldn't sweat it though - keep track and maybe find one that's stayed in there for a few days and just try validating the key that the JSS has.

danshaw
Contributor II

Thanks @koalatee - That makes me feel better. Unfortunately our management account isn't a user and we don't have an institutional key in place. So we are pretty dependent on these keys working. If they don't, then we can't access any data if we don't have the user's password.

On a few computers I have tried validating the key using fdesetup and they all have come back false.

When you say that you have put the script in place, what exactly do you mean? Do you do it in the background using your management account? I've put this script in Self Service for users to use, but it requires them to put in their password and reboot their computers. Neither of which they really enjoy doing.

koalatee
Contributor II

@danshaw Our management account isn't a user either, we force the users to do it - but only ones that don't actually have a key (since encryption happened before JSS was implemented). It shouldn't require a reboot though - but I assumed you were calling this reissuekey.sh

You just need to make sure you have a profile deployed to redirect FV2 keys to the JSS.

ageevarughese
New Contributor II

Reigniting the post and looking to see if anyone has anything new to add about this issue, as I've been running into this lately. Thanks!

nickyt
New Contributor

Having the same issues as described above: users will leave the invalid FileVault key group momentarily, and return to the group as if nothing has happened. Would love to have a proper fix!

NGuedes
New Contributor III

Hi,

Actually experiencing the same now at our instance.
It seems ever since I started to keep track of this, the number of invalid or unknown keys doesn't stop increasing.

Also made the policy available on Self Service for those devices and already sent a communication to the respective users saying that in a few days they will automatically receive the prompt.

Does anyone have additional actions or precautions we could take?

Best regards!

Source: https://community.jamf.com/t5/jamf-pro/filevault-2-invalid-recovery-keys/m-p/63612





https://github.com/macadmins/escrow-buddy

