Workspace ONE
For initial deployment of Escrow Buddy, Workspace ONE administrators can follow this template:
This profile ensures all new FileVault keys are escrowed to Workspace ONE at next MDM Protocol Checkin.
- Add Profile > macOS > Device > Disk Encryption
- Configure the Disk Encryption payload:
  - Recovery Key Type: "Personal"
  - Escrow Personal Recovery Key to UEM Server: Enabled
  - Most other settings can be left at their defaults or customized to your organization's needs
- Assign your profile as appropriate for your environment.
This is a suggestion for a Sensor that reports which devices do not have their key escrowed. If a device's key is not escrowed, the Sensor also asks Escrow Buddy (if installed) to regenerate the key at next login.
- Sensors > Add > macOS
- Configure the Sensor:
  - Language: Bash
  - Execution Context: System
  - Response Data Type: String
- Save and assign as appropriate
  - Recommend setting Deployment Trigger to "Periodically"

```bash
#!/bin/bash
FDE_STATUS=$(fdesetup status)
ESCROW_PLIST="/var/db/ConfigurationProfiles/Settings/com.apple.security.FDERecoveryKeyEscrow.plist"
WS1_LOCATION="VMware AirWatch"
PRK_LOCATION="/var/db/FileVaultPRK.dat"
WS1_PRK_ISSUER="AwDiskEncryption"

echo -n "$FDE_STATUS "

# Nothing more to report unless FileVault is on
if [ "FileVault is On." != "$FDE_STATUS" ]; then
    exit 0
fi

if [ -a "$ESCROW_PLIST" ]; then
    # verify key location is set correctly
    escrowLocation=$(defaults read "$ESCROW_PLIST" Location)
    if [ "$escrowLocation" = "$WS1_LOCATION" ]; then
        # verify key has been generated: the escrowed PRK is CMS-wrapped and its
        # issuer identifies the WS1 disk encryption certificate
        prkIssuer=$(/usr/bin/openssl cms -cmsout -in "$PRK_LOCATION" -inform DER -noout -print | /usr/bin/grep "issuer:")
        if [[ "$prkIssuer" = *"$WS1_PRK_ISSUER"* ]]; then
            # key is escrowed properly
            echo "Key Set to be Escrowed to: $(defaults read "$ESCROW_PLIST" Location)"
        else
            # key is not escrowed properly
            echo "KEY NOT ESCROWED"
            ## ENFORCES KEY REGENERATION VIA ESCROW BUDDY
            # check if escrow buddy is installed
            escrowBuddyBundle="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
            if [ -d "$escrowBuddyBundle" ]; then
                # request escrow buddy to regenerate a new key upon next login
                defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
                echo "Escrow Buddy GenerateNewKey Flag Enabled"
            fi
        fi
    else
        # key is using wrong location - WS1 profile not installed
        echo "Key not set to escrow to WS1"
    fi
else
    # FDERecoveryKeyEscrow profile key is missing
    echo "FDERecoveryKeyEscrow Profile Not Installed"
fi
exit 0
```
The Sensor reports one of the following values:
- FileVault is Off.
  - FileVault has not been enabled on the device. Ensure you have deployed the Disk Encryption profile.
- FileVault is On. Key Set to be Escrowed to: VMware AirWatch
  - FileVault is enabled and the key is being escrowed to WS1 properly (GOOD STATE)
- FileVault is On. KEY NOT ESCROWED
  - FileVault is enabled but the key is not being escrowed to WS1 properly
- FileVault is On. KEY NOT ESCROWED Escrow Buddy GenerateNewKey Flag Enabled
  - FileVault is enabled but the key is not being escrowed to WS1 properly; Escrow Buddy is installed and has been set to regenerate the key at next login
- FileVault is On. Key not set to escrow to WS1
  - FileVault is enabled and the key is being escrowed, but not to WS1. Perhaps a prior MDM if the device has been migrated. Ensure you have configured the Disk Encryption profile properly.
- FileVault is On. FDERecoveryKeyEscrow Profile Not Installed
  - FileVault is enabled, but no recovery key has been set to be escrowed. Ensure you have configured the Disk Encryption profile properly.
- Latest Escrow Buddy package downloaded from this page
- Once you have downloaded the pkg, parse the pkg using the VMware Admin Assistant
- Upload the output (pkg and plist) to WS1 under Resources > Apps > Native
- Configure the following scripts:
- Install Check Script
```bash
#!/bin/bash
target_version=1.0.0
appName="Escrow Buddy"
escrowBuddyBundle="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
dbEntry="<string>Escrow Buddy:Invoke,privileged</string>"
VERSION_KEY="CFBundleShortVersionString"

# Workspace ONE install check contract: exit 0 = install needed, exit 1 = installed

# Check if escrow buddy is installed first
if [ -f "$escrowBuddyBundle/Contents/Info.plist" ]; then
    # get current version of escrow buddy
    current_version=$(defaults read "$escrowBuddyBundle/Contents/Info.plist" "$VERSION_KEY")
    echo "current version: $current_version"

    # convert a dotted version number into an integer that compares numerically
    function version { echo "$@" | /usr/bin/awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; }

    # Compare with the version we want to install
    if [ "$(version "$current_version")" -lt "$(version "$target_version")" ]; then
        # version installed is less than target - install
        echo "Install $appName"
        exit 0
    else
        # version installed is same or greater than target
        echo "$appName is installed"
        # check if the authorization db still has the Escrow Buddy mechanism; if
        # not, reinstall so the package restores it
        if /usr/bin/security authorizationdb read system.login.console 2>/dev/null | grep -q "$dbEntry"; then
            echo "Auth Enabled"
            exit 1
        else
            echo "Auth Disabled - reinstall"
            exit 0
        fi
    fi
else
    # escrow buddy is not installed - need to install
    echo "Install $appName"
    exit 0
fi
```
- Uninstall Script
- Assign the app as appropriate for your environment with the following settings:
  - App Delivery Method: Auto
  - Display in App Catalog: Disabled
  - Remove on Unenroll: Enabled
  - Desired State Management: Enabled
Updating to a newer release is handled automatically: the Install Check Script compares the installed version with target_version, and Desired State Management in Workspace ONE reinstalls the app whenever the check reports it as missing or out of date.
Because the uninstall script is provided in the package deployment details in Workspace ONE, whenever the app is removed (admin initiated, MDM removed, Freestyle, etc.) it is removed cleanly using that script.
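To see how the Install Check Script decides between "install" and "installed", here is a stand-alone model of its logic (an added example, not the script itself or any Escrow Buddy code) with the `defaults` and `security` calls replaced by parameters. `version_key` reproduces the script's awk conversion; `version_lt` is an assumed component-wise alternative that avoids the three-digit padding limit of that conversion.

```shell
#!/bin/sh
# Added example: the Install Check Script's decision logic on any POSIX shell.
# Return codes follow the Workspace ONE contract: 0 = install, 1 = installed.

# Same conversion as the script's awk one-liner: "1.2.3" -> 1002003000
version_key() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    printf '%d%03d%03d%03d\n' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# Component-wise comparison (returns 0 when $1 is older than $2). Unlike
# version_key it does not need each component to fit in three digits:
# %03d pads but never truncates, so version_key ranks 1.0.1234 above 1.1.0.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*} bc=${b%%.*}
        if [ "${ac:-0}" -lt "${bc:-0}" ]; then return 0; fi
        if [ "${ac:-0}" -gt "${bc:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# install_check TARGET CURRENT AUTHDB_HAS_ENTRY
#   CURRENT          installed CFBundleShortVersionString, "" when not installed
#   AUTHDB_HAS_ENTRY yes/no, whether system.login.console lists
#                    "Escrow Buddy:Invoke,privileged" (the script greps for it)
install_check() {
    target=$1 current=$2 authdb=$3
    if [ -z "$current" ]; then
        echo "Install Escrow Buddy"; return 0          # bundle missing
    fi
    if version_lt "$current" "$target"; then
        echo "Install Escrow Buddy"; return 0          # older than target
    fi
    if [ "$authdb" = yes ]; then
        echo "Auth Enabled"; return 1                  # installed and healthy
    fi
    echo "Auth Disabled - reinstall"; return 0         # authorization db entry lost
}
```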
If you have Freestyle Orchestrator enabled in your environment, consider using it to assign the app to devices:
- Utilize the Sensor value "FileVault is On. KEY NOT ESCROWED" as the criteria for app install
- With this method, also remove the following lines from the Sensor script and add them to the app's post-install script:

```bash
## ENFORCES KEY REGENERATION VIA ESCROW BUDDY
# check if escrow buddy is installed
escrowBuddyBundle="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
if [ -d "$escrowBuddyBundle" ]; then
    # request escrow buddy to regenerate a new key upon next login
    defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
    echo "Escrow Buddy GenerateNewKey Flag Enabled"
fi
```