Meraki

Community

Filevault Personal Recovery key escrow

sshort
Building a reputation
‎Apr 25 2018 1:01 PM
‎Apr 25 2018 1:01 PM

Filevault Personal Recovery key escrow

@Melissa Do you have any insight on updated documentation for the new FileVault personal key escrow payload?

 

https://documentation.meraki.com/SM/Profiles_and_Settings/Using_File_Vault_2

 

The FV2 personal key escrow is a separate payload from the "standard" filevault settings, and there's a required field that's essentially a black hole b/c I can't find any info on finding or generating the requested certificate.

 

Right now I created a test Filevault payload that only enforces a personal recovery key and pushed to a single Mac client so that I can try and pull the mobileconfig/plist apart using the suggestions on this page to get the cert: https://www.macblog.org/post/how-to-manage-only-filevault-recovery-key-escrow-with-jamf-pro/

 

Would be nice if the dropdown menu on this payload was pre-filled with my existing FileVault profile, or a quick template that has Meraki auto-generating the required cert for me...

 

Screen Shot 2018-04-25 at 2.54.05 PM.png       Screen Shot 2018-04-25 at 2.53.43 PM.png

Labels:
3 Replies 3
Melissa
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Apr 25 2018 1:04 PM
‎Apr 25 2018 1:04 PM

Hi @sshort! We should have a new guide on this configuration setting posted soon on our Documentation site. I'll post a link to it in the Community asap!

 

 

0 Kudos
In response to Melissa
sshort
Building a reputation
‎May 7 2018 11:30 AM
‎May 7 2018 11:30 AM

Ok, there's some updated documentation on FileVault escrow but you need to "fill-in-the-blank" by generating your own public/private ssl cert to upload to Meraki. Also: as noted in Meraki's documentation this will not work on existing deployments. Newly enrolled devices (or freshly re-imaged Macs) will be able to take advantage of the escrowed keys. The escrow payload must be installed before (or simultaneously) with a separate FV personal + institutional key payload for this to work.

 

 Generate the public key certificate in Terminal using openssl:

https://developer.xero.com/documentation/api-guides/create-publicprivate-key

 

OR this site (scroll down to the create SSL section): http://brianflove.com/2014/12/01/self-signed-ssl-certificate-on-mac-yosemite/

0 Kudos
In response to sshort
didacf
Just browsing
‎May 20 2018 6:50 PM
‎May 20 2018 6:50 PM

Hey 


I just did the same, in the documentation, it was missing to either do a self-signed certificate or use a CSR to your own CA authority. It worked great!!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.