Meraki

Community

Creating Institutional & Personal Recovery Keys for Filevault

mdmike
Comes here often
‎Dec 7 2017 5:24 PM
‎Dec 7 2017 5:24 PM

Creating Institutional & Personal Recovery Keys for Filevault

The instructions for creating institutional and personal recovery keys for Filevault through Meraki Systems Manager are extremely slim, so I'd really appreciate some specific help setting them up on a couple new MacBook Airs I'm deploying.

 

This page (the only Systems Manager instructions I can find on the topic) explains how to decrypt, but not how to encrypt. Instead, at the bottom of the page, it says "Feel free to reference these instructions from Apple as well." Does that mean we should follow Apple's instructions in place of any instructions from Meraki? Or just be aware of them as an alternative? If the former, how do we connect the institutional key from those instructions to Systems Manager? (If it matters, we're enrolled in Apple's DEP.)

 

If I'm setting these machines for deployment, should I create a profile that causes the user to skip the Filevault setup (because I would have already set that up), or that forces the user to follow it (in order to create his/her own additional individual key)?

 

Also, I'm a little unclear on the overall concept here -- does this approach mean the same institutional key can be used on any Mac set up this way? Or does it somehow create a separate one for each (which would seem to be a much more secure approach)? If the former, how does one go about setting up new Macs to use the same key once you have already created an institutional key? (I thought I had created one in the past, but can't seem to locate any instructions referencing the steps I was supposed to take. Maybe because this process changed from Sierra to High Sierra with the advent of APFS?) 

 

Thanks for any assistance.

Labels:
0 Kudos
8 Replies 8
jared_f
Kind of a big deal
‎Dec 9 2017 6:50 AM
‎Dec 9 2017 6:50 AM

@mdmike 

 

In simpler terms you have three options when forcing file vault for your computers:

(1) Institutional Recovery Key (the IT department holds the code)

(2) Institutional & Personal (the IT department holds the code & the user of the device)

(3) Personal (user only holds the code)

 

From what it sounds like you want the IT department to hold the code. It is as simple as pushing out the following configuration and entering a password:

 

Screen Shot 2017-12-09 at 9.43.08 AM.png

If you ever need to decrypt a device you will use the instructions in this article here. Basically, you are using the downloaded recovery certificate from that configuration above.

 

From a security standpoint, this is very secure. Yes, the same certificate can be used to unlock the device, but nobody besides IT should ever have access to this certificate. If this is a big concern you could push out individual profiles to each device. 

 

I hope that helps clarify things,

Jared 

Did this help? Click the kudos (the up arrow) button.

 

 

 
 
Find this helpful? Click the kudos button. Thanks!
0 Kudos
In response to jared_f
mdmike
Comes here often
‎Dec 9 2017 7:57 PM
‎Dec 9 2017 7:57 PM

Thanks for your reply, @jared_f

 

I'm trying to create both institutional and personal recovery keys.

 

To create both keys, do I need to follow Apple's instructions here that Meraki references as well?

 

0 Kudos
In response to mdmike
jared_f
Kind of a big deal
‎Dec 10 2017 12:03 PM
‎Dec 10 2017 12:03 PM

@mdmike Apple's instructions seem that they are for creating a master without using a profile. Push the Meraki profile with the option institutional and person recovery keys.

 
Jared
Find this helpful? Click the kudos button. Thanks!
0 Kudos
In response to jared_f
mdmike
Comes here often
‎Dec 16 2017 2:34 PM
‎Dec 16 2017 2:34 PM

So what you're saying is that Meraki somehow automagically sends the FileVaultMaster.keychain file to the device and puts it in the Library>Keychains folder, and I don't have to do it manually?

 

Or do I need to do it manually?

 

And whichever way I do it, how do I know if both keys are set? When I turn on Filevault, it gives me a private key, but says nothing about an institutional key. (Again, I'm wanting both.)

 

0 Kudos
In response to mdmike
jared_f
Kind of a big deal
‎Dec 16 2017 6:07 PM
‎Dec 16 2017 6:07 PM

@mdmike The institutional key would be stored on Meraki and be accssed by someone who is using the dashbboard (in this case you), the persoanl key would be on the computer/user has it. When you scope out the payload from Meraki that takes care of the institutional side. In my opinion, having your devices tied to the MDM server and having file vault set by Meraki should be more than secure. Also, if you install the Meraki Agent you will have even more control over the machine and can even run remote terminal commands if necessary.

 

 

 
Find this helpful? Click the kudos button. Thanks!
0 Kudos
In response to jared_f
mdmike
Comes here often
‎Dec 17 2017 1:34 PM
‎Dec 17 2017 1:34 PM

Uggh. It looks like you're right. I moved the FileVault.keychain file to the machine (as instructed in this Apple document referenced by the Meraki SM instructions) and started encrypting via Filevault. It told me an institutional key had been set, did not provide a personal key, and began encrypting.

 

Looks like I'll have to wait for it to encrypt, then decrypt, then remove the key, then try encrypting again??

0 Kudos
In response to jared_f
zenu
New here
‎Feb 1 2018 2:12 PM
‎Feb 1 2018 2:12 PM

@jared_f

 

I must be missing a step, enabled filevault, selected "institutional key" for Encryption as i only want IT to hold the key clicked save and nothing happens.  

 

isnt it supposed to automagically start encrypting once the profile updates? 

0 Kudos
In response to zenu
mdmike
Comes here often
‎Mar 29 2019 2:21 PM
‎Mar 29 2019 2:21 PM

.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.