Creating Institutional & Personal Recovery Keys for Filevault

mdmike

The instructions for creating institutional and personal recovery keys for FileVault through Meraki Systems Manager are extremely slim, so I'd really appreciate some specific help setting them up on a couple of new MacBook Airs I'm deploying.

 

This page (the only Systems Manager instructions I can find on the topic) explains how to decrypt, but not how to encrypt. Instead, at the bottom of the page, it says "Feel free to reference these instructions from Apple as well." Does that mean we should follow Apple's instructions in place of any instructions from Meraki? Or just be aware of them as an alternative? If the former, how do we connect the institutional key from those instructions to Systems Manager? (If it matters, we're enrolled in Apple's DEP.)

 

If I'm setting these machines up for deployment, should I create a profile that causes the user to skip the FileVault setup (because I would have already set that up), or one that forces the user to follow it (in order to create his/her own additional individual key)?

 

Also, I'm a little unclear on the overall concept here -- does this approach mean the same institutional key can be used on any Mac set up this way? Or does it somehow create a separate one for each (which would seem to be a much more secure approach)? If the former, how does one go about setting up new Macs to use the same key once you have already created an institutional key? (I thought I had created one in the past, but can't seem to locate any instructions referencing the steps I was supposed to take. Maybe because this process changed from Sierra to High Sierra with the advent of APFS?) 

 

Thanks for any assistance.

8 replies
jared_f

@mdmike 

 

In simpler terms, you have three options when forcing FileVault for your computers:

(1) Institutional Recovery Key (the IT department holds the code)

(2) Institutional & Personal (the IT department holds the code & the user of the device)

(3) Personal (user only holds the code)

 

From what it sounds like you want the IT department to hold the code. It is as simple as pushing out the following configuration and entering a password:

 

[Screenshot (Screen Shot 2017-12-09 at 9.43.08 AM.png): the Systems Manager FileVault profile configuration referred to above]

If you ever need to decrypt a device you will use the instructions in this article here. Basically, you are using the downloaded recovery certificate from that configuration above.

 

From a security standpoint, this is very secure. Yes, the same certificate can be used to unlock the device, but nobody besides IT should ever have access to this certificate. If this is a big concern you could push out individual profiles to each device. 

 

I hope that helps clarify things,

Jared 

mdmike

Thanks for your reply, @jared_f

 

I'm trying to create both institutional and personal recovery keys.

 

To create both keys, do I need to follow Apple's instructions here that Meraki references as well?

 

jared_f

@mdmike Apple's instructions seem to be for creating a master keychain without using a profile. Push the Meraki profile with the option "institutional and personal recovery keys".

 
Jared
mdmike

So what you're saying is that Meraki somehow automagically sends the FileVaultMaster.keychain file to the device and puts it in the Library>Keychains folder, and I don't have to do it manually?

 

Or do I need to do it manually?

 

And whichever way I do it, how do I know if both keys are set? When I turn on FileVault, it gives me a private key, but says nothing about an institutional key. (Again, I'm wanting both.)

 

jared_f

@mdmike The institutional key would be stored on Meraki and accessed by someone who is using the dashboard (in this case you); the personal key would be on the computer/the user has it. When you scope out the payload from Meraki, that takes care of the institutional side. In my opinion, having your devices tied to the MDM server and having FileVault set by Meraki should be more than secure. Also, if you install the Meraki Agent you will have even more control over the machine and can even run remote terminal commands if necessary.

 

 

 
mdmike

Uggh. It looks like you're right. I moved the FileVault.keychain file to the machine (as instructed in this Apple document referenced by the Meraki SM instructions) and started encrypting via FileVault. It told me an institutional key had been set, did not provide a personal key, and began encrypting.

 

Looks like I'll have to wait for it to encrypt, then decrypt, then remove the key, then try encrypting again??

@jared_f

 

I must be missing a step. I enabled FileVault, selected "institutional key" for Encryption (as I only want IT to hold the key), clicked save, and nothing happens.

 

Isn't it supposed to automagically start encrypting once the profile updates?
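Added example (not code from this thread, from Meraki, or from Apple's documentation): a small POSIX shell script that answers the two recurring questions above with the Mac's own tooling rather than by waiting to see what the FileVault dialog says. `fdesetup hasinstitutionalrecoverykey` and `fdesetup haspersonalrecoverykey` tell you which of jared_f's three options a machine actually ended up with, and `fdesetup status` tells you whether encryption has started at all. It also shows the `fdesetup enable -keychain` form, which, when the stripped FileVaultMaster.keychain (public certificate only, private key removed per Apple's instructions) is already in /Library/Keychains, sets the institutional key and generates a personal key in a single step; adding `-norecoverykey` would give the institutional-only result mdmike saw. The FDESETUP variable is an assumption added so the parsing can be exercised off a Mac, and the exact wording of the "in progress" line in `fdesetup status` output is assumed, not quoted from Apple.

```shell
#!/bin/sh
# fv_keys.sh: report which FileVault recovery keys a Mac has, and show how to
# enable FileVault with BOTH an institutional and a personal key.
# Run as root on the Mac:  sudo sh fv_keys.sh status   |   sudo sh fv_keys.sh enable
#
# FDESETUP is an assumption added for testing away from a Mac; on a real
# machine leave it unset so /usr/bin/fdesetup is used.
FDESETUP="${FDESETUP:-fdesetup}"

# Map the two true/false answers from fdesetup onto the three options listed
# earlier in the thread, plus "none" when no recovery key is set at all.
fv_key_mode() {
    inst=$("$FDESETUP" hasinstitutionalrecoverykey 2>/dev/null || echo unknown)
    pers=$("$FDESETUP" haspersonalrecoverykey 2>/dev/null || echo unknown)
    case "$inst/$pers" in
        true/true) echo "both" ;;
        true/*)    echo "institutional" ;;
        */true)    echo "personal" ;;
        *)         echo "none" ;;
    esac
}

# Classify the text of "fdesetup status" read from stdin. The "in progress"
# phrasing is an assumption about the tool's output, not a quote from Apple.
fv_status_class() {
    out=$(cat)
    case "$out" in
        *"Encryption in progress"*) echo "encrypting" ;;
        *"Decryption in progress"*) echo "decrypting" ;;
        *"FileVault is On"*)        echo "on" ;;
        *"FileVault is Off"*)       echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# One-time, on an admin Mac: create the master keychain (interactive password
# prompt). Keep this full copy, which contains the PRIVATE key, off the clients;
# the copy distributed to clients must have the private key removed first.
fv_create_master_keychain() {
    security create-filevaultmaster-keychain "${1:-$HOME/FileVaultMaster.keychain}"
}

# On a client that already has the stripped keychain at
# /Library/Keychains/FileVaultMaster.keychain: -keychain sets the institutional
# key, and because -norecoverykey is NOT given a personal key is generated and
# printed as well. Record that personal key before closing the terminal.
fv_enable_with_both_keys() {
    "$FDESETUP" enable -keychain
}

case "${1:-}" in
    status) echo "recovery keys: $(fv_key_mode)"
            echo "filevault: $("$FDESETUP" status 2>/dev/null | fv_status_class)" ;;
    enable) fv_enable_with_both_keys ;;
esac
```

Check a freshly enrolled machine with `sudo sh fv_keys.sh status`: the expected answer for the setup mdmike wants is `recovery keys: both`; `institutional` alone means the personal key was suppressed, and `none` with `filevault: off` means the profile never triggered enablement, which is the symptom in the last post.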
