Elliot Jordan edited this page Jun 14, 2023 · 7 revisions

Deployment

For initial deployment of Escrow Buddy, Workspace ONE administrators can follow this template:

Profile: Disk Encryption

This profile ensures that any newly generated FileVault personal recovery key is escrowed to Workspace ONE at the next MDM protocol check-in.

  • Add Profile > macOS > Device > Disk Encryption
  • Configure the Disk Encryption payload
    • Recovery Key Type: "Personal"
    • Escrow Personal Recovery Key to UEM Server: Enabled
    • Most other settings you can leave at default or customize to your organization's needs
  • Assign your profile as appropriate for your environment.

Sensor

This is a suggested Sensor that reports which devices do not have their key escrowed. The check keys off the presence of Apple's FDERecoveryKeyEscrow settings plist, which is written when a recovery key escrow payload (such as the profile above) is installed. If the plist is absent and Escrow Buddy is installed, the Sensor sets the GenerateNewKey preference so that Escrow Buddy regenerates and escrows the key at the next login. The Sensor must run in the System context, as it writes a preference file under /Library/Preferences.

  • Sensors > Add > macOS
  • Configure the Sensor:
    • Language: Bash
    • Execution Context: System
    • Response Data Type: String
  • Save and assign as appropriate
    • Recommend setting Deployment Trigger to "Periodically"
#!/bin/bash

FDE_STATUS=$(fdesetup status)
# Written by macOS when an FDE recovery key escrow payload is installed
ESCROW_PLIST="/var/db/ConfigurationProfiles/Settings/com.apple.security.FDERecoveryKeyEscrow.plist"

echo -n "$FDE_STATUS "

# Nothing to escrow unless FileVault is fully on
if [ "FileVault is On." != "$FDE_STATUS" ]; then
    exit 0
fi

if [ -e "$ESCROW_PLIST" ]; then
    echo "Key Set to be Escrowed to: $(defaults read "$ESCROW_PLIST" Location)"
else
    echo "KEY NOT ESCROWED"
    # check if Escrow Buddy is installed
    escrowBuddyBundle="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
    if [ -d "$escrowBuddyBundle" ]; then
        # request Escrow Buddy to generate a new key at the next login
        defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
    fi
fi

exit 0

Installing Escrow Buddy

Download the latest Escrow Buddy package from the project's GitHub releases page.

Deploying pkg to Devices

  1. Once you have downloaded the pkg, parse the pkg using the VMware Admin Assistant
  2. Upload the output (pkg and plist) to WS1 under Resources > Apps > Native
  3. Configure the following scripts:
  • Install Check Script
#!/bin/bash

target_version=1.0.0
appName="Escrow Buddy"
escrowBuddyBundle="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
dbEntry="<string>Escrow Buddy:Invoke,privileged</string>"
VERSION_KEY="CFBundleShortVersionString"

# Expand a dotted version (up to four components) into a zero-padded integer
# so versions can be compared numerically; missing components count as 0.
function version { echo "$@" | /usr/bin/awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; }

# Workspace ONE Install Check semantics: exit 0 = install needed, exit 1 = installed.

# Check if Escrow Buddy is installed first
if [ -f "$escrowBuddyBundle/Contents/Info.plist" ]; then
  # get the installed version of Escrow Buddy
  current_version=$(defaults read "$escrowBuddyBundle/Contents/Info.plist" "$VERSION_KEY")
  echo "current version: $current_version"

  # Compare with the version we want to install
  if [ "$(version "$current_version")" -lt "$(version "$target_version")" ]; then
    # version installed is less than target - install
    echo "Install $appName"
    exit 0
  else
    # version installed is same or greater than target
    echo "$appName is installed"
    # check whether the login mechanism is still present in the authorization database;
    # if it has been removed, report "not installed" so Desired State Management reinstalls
    if /usr/bin/security authorizationdb read system.login.console 2>/dev/null | grep -qF "$dbEntry"; then
      echo "Auth Enabled"
      exit 1
    else
      echo "Auth Disabled - reinstall"
      exit 0
    fi
  fi
else
  # Escrow Buddy is not installed - need to install
  echo "Install $appName"
  exit 0
fi
  4. Assign the app as appropriate for your environment with the following settings:
  • App Delivery Method: Auto
  • Display in App Catalog: Disabled
  • Remove on Unenroll: Enabled
  • Desired State Management: Enabled

Automated Authorization Database Maintenance

Repairing the authorization database entry is handled automatically: the Install Check Script exits 0 when the Escrow Buddy mechanism is missing from system.login.console, and Desired State Management in Workspace ONE then reinstalls the package, whose installer restores the entry.
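To see the Install Check Script's decision logic end to end without a Mac, here is an added example (not the wiki's or the Escrow Buddy project's own code) that separates the logic from the macOS commands. The version compare and the authorization database check take their inputs as arguments, so the three outcomes (install, reinstall, installed) can be exercised offline. The authorizationdb XML is a constructed sample, not output captured from a device, and the position of the mechanism within it is illustrative only; the mechanism string itself is the one the page uses.

```shell
#!/bin/bash
# Added example, not from the Escrow Buddy project or the Workspace ONE wiki.
# Factors the Install Check Script's decisions into functions that can be
# run anywhere; the authorizationdb samples below are constructed.

MECHANISM='Escrow Buddy:Invoke,privileged'

# Expand "1.2.3" or "1.2.3.4" into a zero-padded integer for numeric comparison.
# Missing components count as 0, so 1.2 compares equal to 1.2.0.
version_num() {
  echo "$1" | awk -F. '{ printf("%d%03d%03d%03d\n", $1, $2, $3, $4) }'
}

# Exit 0 when the first version is older than the second.
version_lt() {
  [ "$(version_num "$1")" -lt "$(version_num "$2")" ]
}

# Exit 0 when the XML (as printed by `security authorizationdb read
# system.login.console`) lists the mechanism as a complete <string> element.
authdb_has_mechanism() {
  printf '%s\n' "$1" | grep -qF "<string>$2</string>"
}

# Decide what the Install Check Script should do. Prints install, reinstall
# or installed and returns the exit code Workspace ONE expects:
# 0 = run the installer, 1 = nothing to do.
#   $1 installed version ("" when the bundle is absent), $2 target version,
#   $3 authorizationdb XML, $4 mechanism string
install_check() {
  installed_version=$1
  target_version=$2
  authdb_xml=$3
  mechanism=$4
  if [ -z "$installed_version" ]; then
    echo install; return 0
  fi
  if version_lt "$installed_version" "$target_version"; then
    echo install; return 0
  fi
  if authdb_has_mechanism "$authdb_xml" "$mechanism"; then
    echo installed; return 1
  fi
  # bundle is current but the login mechanism is gone: reinstall to restore it
  echo reinstall; return 0
}

# Constructed samples, trimmed to the mechanisms array of the rule.
AUTHDB_OK='<key>mechanisms</key>
<array>
  <string>builtin:policy-banner</string>
  <string>loginwindow:login</string>
  <string>builtin:login-begin</string>
  <string>Escrow Buddy:Invoke,privileged</string>
</array>'
AUTHDB_MISSING='<key>mechanisms</key>
<array>
  <string>builtin:policy-banner</string>
  <string>loginwindow:login</string>
  <string>builtin:login-begin</string>
</array>'

# Stand-alone demo: walk through the outcomes with constructed inputs.
demo() {
  rc=0
  result=$(install_check "$1" "$2" "$3" "$MECHANISM") || rc=$?
  printf 'installed=%-5s target=%s -> %-9s (exit %d)\n' "${1:-none}" "$2" "$result" "$rc"
}
demo ""    1.0.0 "$AUTHDB_OK"
demo 0.9.5 1.0.0 "$AUTHDB_OK"
demo 1.0.0 1.0.0 "$AUTHDB_MISSING"
demo 1.0.0 1.0.0 "$AUTHDB_OK"
```

The reinstall branch is the one that matters for maintenance: a current bundle with no mechanism in system.login.console yields exit 0, which Desired State Management treats as "not installed" and acts on.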

Removing pkg from Devices

Because the uninstall script is provided in the package's deployment details in Workspace ONE, any removal of the app (admin-initiated, MDM removal, Freestyle, etc.) runs that script, so the app is removed properly.

Other Workspace ONE Tips

Using Freestyle Orchestrator

If you have Freestyle Orchestrator enabled in your environment, consider using it to assign the app to devices:

  • Use a Sensor value that contains "KEY NOT ESCROWED" as the criterion for the app install (the Sensor prefixes its output with the fdesetup status, so match on "contains" rather than equality)
  • In this method, also remove the following lines from the Sensor script and add them to the app's post-install script (which runs as root, so the preference write succeeds):
# check if Escrow Buddy is installed
escrowBuddyBundle="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
if [ -d "$escrowBuddyBundle" ]; then
  # request Escrow Buddy to generate a new key at the next login
  defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
fi