Elliot Jordan edited this page Oct 17, 2023 · 3 revisions


Deployment

Escrow Buddy is a stopgap measure to get personal recovery keys that are missing! FileVault enforcement itself should be happening via an MDM profile.

See these two Addigy KB articles, in addition to the specifics below.

Profile

An MDM profile that looks like this should be in place before deployment.

  • Catalog > MDM Profiles > New > Security and Privacy > FileVault
  • Click Include on the first entry and ensure everything is selected
    • Enable FileVault
    • Defer Enablement until Logout or Login
    • Create personal FileVault recovery key
    • Prevent FileVault from being disabled
    • Escrow Personal Recovery Key

Monitoring

I'd recommend using monitoring with a built-in remediation.

Catalog > Monitoring

  • Name > Regenerate FileVault with Escrow Buddy

Alert Trigger

  • Device Fact > FileVault Key Escrowed = False

Notification

  • Enter your email address if you want to be notified when this remediation runs

Automated Remediation

  • Enable Remediation > Deploy Manual Script

#!/bin/bash

###
#
#            Name:  RunAndInstallEscrowBuddy
#     Description:  This script downloads and installs the latest release of
#                   Escrow Buddy, a security agent plugin for macOS.
#                   It's really just a slimmed down version of Tobias Almén's
#                   Intune deployment script.
#          Author:  Zac Bolick, but mostly Tobias Almén
#         Created:  2023-08-28
#   Last Modified:  2023-08-28
#         Version:  1.0.0
#
###

# Function that installs the latest release pkg for Escrow Buddy from GitHub
function installEscrowBuddy() {
    eb_url="https://api.github.com/repos/macadmins/escrow-buddy/releases/latest"
    pkg_path="/tmp/Escrow.Buddy.pkg"
    response=$(/usr/bin/curl --silent --fail "$eb_url")
    # Pick the browser_download_url of the .pkg asset out of the release JSON
    download_url=$(echo "$response" | grep -o '"browser_download_url": "[^"]*' | grep -o '[^"]*$' | grep -i '\.pkg$' | head -n 1)
    if [ -z "$download_url" ]; then
        echo "No .pkg asset found in the latest release (GitHub API unreachable or rate limited)"
        exit 1
    fi
    # --fail makes curl return non-zero on an HTTP error instead of saving an error page as the pkg
    if ! /usr/bin/curl -L -s --fail "$download_url" -o "$pkg_path"; then
        echo "Download failed"
        exit 1
    fi
    if ! /usr/sbin/installer -pkg "$pkg_path" -target /; then
        echo "Install failed"
        exit 1
    fi
    rm -f "$pkg_path"
}

# Function that checks the authorization database, and if Escrow Buddy isn't
# configured properly, triggers reinstallation of Escrow Buddy
function authorizationdbCheck() {
    # The mechanism entry the Escrow Buddy installer adds to system.login.console
    DBENTRY="<string>Escrow Buddy:Invoke,privileged</string>"

    if /usr/bin/security authorizationdb read system.login.console 2>/dev/null | grep -q "$DBENTRY"; then
        echo "authorizationdb entry is configured"
    else
        echo "authorizationdb entry is not configured, re-installing Escrow Buddy"
        installEscrowBuddy
    fi
}

# Function that configures Escrow Buddy to generate a new key if one hasn't
# already been generated
function remediate() {
    # If the key has been escrowed, exit
    if [ -f "/var/db/FileVaultPRK.dat" ]; then
        echo "Key has been escrowed"
    # If the key has not been escrowed, set GenerateNewKey to true; Escrow Buddy
    # reads this flag at the next login and regenerates the recovery key then
    else
        echo "Key has not been escrowed"
        defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
    fi
}

authorizationdbCheck
remediate
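The remediation above writes GenerateNewKey whenever the escrow file is missing, but the Addigy device fact is also False on a Mac where FileVault was never turned on, and Escrow Buddy cannot regenerate a key there until the MDM profile has enabled FileVault. The read-only audit below, an added example that is not part of the wiki or the Escrow Buddy project, reports which of those states a Mac is in so you can tell "profile has not applied yet" from "plugin missing" from "waiting for next login". The parsing and decision helpers take command output as arguments so they can be exercised with constructed samples; only main runs the real macOS tools, and the next_action labels are this example's own vocabulary.

```shell
#!/bin/bash
# Added example: read-only audit of why a Mac reports "FileVault Key Escrowed = False".
# Helpers are pure (take text, return a status or a label); main collects real state.

# Returns 0 when the authorization db XML contains the Escrow Buddy mechanism.
authdb_has_mechanism() {
    printf '%s\n' "$1" | grep -q '<string>Escrow Buddy:Invoke,privileged</string>'
}

# Returns 0 when `fdesetup status` output reports FileVault as On.
filevault_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Decide the next step from three yes/no flags:
#   $1 FileVault on, $2 escrowed PRK file present, $3 Escrow Buddy mechanism present.
# Escrow Buddy only regenerates a key at login when FileVault is already on, so a Mac
# with FileVault off needs the MDM profile to act first, not a GenerateNewKey flag.
next_action() {
    fv_on="$1"; prk_present="$2"; mechanism="$3"
    if [ "$fv_on" != "yes" ]; then
        echo "enable-filevault"
    elif [ "$prk_present" = "yes" ]; then
        echo "ok"
    elif [ "$mechanism" != "yes" ]; then
        echo "reinstall-escrow-buddy"
    else
        echo "generate-new-key"
    fi
}

# Collect the live state on macOS (run as root) and print the verdict.
main() {
    status=$(/usr/bin/fdesetup status)
    authdb=$(/usr/bin/security authorizationdb read system.login.console 2>/dev/null)
    if filevault_is_on "$status"; then fv=yes; else fv=no; fi
    if [ -f /var/db/FileVaultPRK.dat ]; then prk=yes; else prk=no; fi
    if authdb_has_mechanism "$authdb"; then mech=yes; else mech=no; fi
    flag=$(/usr/bin/defaults read /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey 2>/dev/null || echo unset)
    echo "FileVault on: $fv, PRK escrow file present: $prk, Escrow Buddy mechanism: $mech, GenerateNewKey: $flag"
    echo "Next action: $(next_action "$fv" "$prk" "$mech")"
}

# Only the collectors depend on macOS tools; the helpers above work anywhere.
if [ "$(uname)" = "Darwin" ]; then
    main
fi
```

Run it as root from Terminal or as an Addigy one-off script; a "generate-new-key" verdict with GenerateNewKey already set to 1 simply means no FileVault-enabled user has logged in since the flag was written.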

Removal

To uninstall Escrow Buddy using Addigy, configure this uninstall script to run on the specified Macs.
