Stars: 194 | Rank: 200,219 (Top 4%) | Language: Objective-C | License: Apache License 2.0 | Created over 1 year ago | Updated 3 months ago


Repository Details

A macOS authorization plugin that helps MDM administrators ensure valid FileVault keys are escrowed for all their Macs.

Escrow Buddy

Escrow Buddy is a macOS authorization plugin that allows MDM administrators to generate and escrow new FileVault personal recovery keys on Macs that lack a valid escrowed key in MDM.

For more context around the problem of missing FileVault keys in MDM and Escrow Buddy's origin, see this post on the Netflix Tech Blog.

If you've successfully deployed Escrow Buddy, we'd love to know the details in this brief survey. Thank you!


Requirements

  • Your managed Macs must:
    • be enrolled in an MDM
    • have macOS Mojave 10.14.4 or newer
  • Your MDM must:
    • support FileVault recovery key escrow
    • deploy a configuration profile with the FDERecoveryKeyEscrow payload
    • have the ability to install packages and run shell scripts

NOTE: Escrow Buddy only works with MDM-based escrow solutions, not escrow servers like Crypt Server or Cauliflower Vest.


Deployment

  1. Ensure you have an escrow profile scoped to all Macs with the FDERecoveryKeyEscrow payload.

    This will ensure that any newly generated FileVault recovery key, no matter how it's generated, will be escrowed to your MDM server.

  2. Use your MDM to install the latest Escrow Buddy installer package on your Macs.

    You can choose to install on all Macs or limit to those that need FileVault recovery keys escrowed.

  3. Use your MDM to run this command (in root context) on Macs that do not have a valid FileVault recovery key escrowed:

     defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true

    It is recommended to have this script run dynamically on Macs that need it using your MDM's dynamic scoping feature. See the Examples page for examples.
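    The following is an added pre-flight wrapper for step 3 (example code, not part of the Escrow Buddy project): it checks the two local preconditions from the Requirements section, FileVault on and the FDERecoveryKeyEscrow profile installed, before setting the GenerateNewKey flag, so a key is never regenerated on a Mac that could not escrow it. It assumes that grepping for the payload type string in `profiles show -type configuration` output is enough to detect the escrow profile; the sample tool outputs embedded below are constructed.

```bash
#!/bin/bash
# Added example, not part of the Escrow Buddy project. Run in root context via MDM.
set -u

PLIST="/Library/Preferences/com.netflix.Escrow-Buddy.plist"
# Assumption: the escrow profile can be recognised by its payload type string.
ESCROW_PAYLOAD="com.apple.security.FDERecoveryKeyEscrow"

# Constructed sample outputs (what `fdesetup status` / `profiles` might print),
# used only for self-checks; the live run calls the real tools in main().
SAMPLE_FV_OFF="FileVault is Off."
SAMPLE_PROFILES_NO_ESCROW="_computerlevel[1] attribute: name: Wi-Fi"

# Return 0 when `fdesetup status` output reports FileVault is on.
filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the `profiles` output mentions the FDERecoveryKeyEscrow payload.
escrow_profile_present() {
    printf '%s\n' "$1" | grep -q "$ESCROW_PAYLOAD"
}

# Decide from the two tool outputs; prints "flag", "skip:filevault-off"
# or "skip:no-escrow-profile". A missing escrow profile is the dangerous
# case: a new key would be generated but never reach the MDM.
decide() {
    filevault_on "$1"            || { echo "skip:filevault-off"; return 0; }
    escrow_profile_present "$2"  || { echo "skip:no-escrow-profile"; return 0; }
    echo "flag"
}

# Set the flag (the README's step 3 command) and read it back to confirm.
set_generate_new_key() {
    defaults write "$PLIST" GenerateNewKey -bool true || return 1
    [ "$(defaults read "$PLIST" GenerateNewKey)" = "1" ]
}

main() {
    action=$(decide "$(fdesetup status)" "$(profiles show -type configuration 2>/dev/null)")
    case "$action" in
        flag) set_generate_new_key && echo "GenerateNewKey set; new key at next FileVault login" ;;
        *)    echo "not flagging this Mac: $action" >&2; return 1 ;;
    esac
}

# Only touch a real system on macOS as root; elsewhere the functions are just defined.
if [ "$(uname)" = "Darwin" ]; then
    if [ "$(id -u)" -eq 0 ]; then main; else echo "run as root (MDM root context)" >&2; fi
fi
```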

That's it! The next time a FileVault-authorized user logs in to the Mac, a new FileVault personal recovery key will be generated and escrowed to your MDM.


Support

See the wiki for Frequently Asked Questions and Troubleshooting resources.

If you've read those pages and are still having problems, please search our issues (both open and closed) to see whether your issue has already been addressed there. If not, you can open an issue.

For a faster and more focused response, be sure to provide the following in your issue:

  • Log output (see wiki for information on retrieving logs)
  • macOS version you're deploying to
  • MDM (name and version) you're using
  • What troubleshooting steps you've already taken

Contribution

Contributions are welcome! To contribute, create a fork of this repository, commit and push changes to a branch of your fork, and then submit a pull request. Your changes will be reviewed by a project maintainer.

Contributions don't have to be code; we appreciate any help maintaining our wiki or answering issues.

Also, if you've successfully deployed Escrow Buddy at your organization, please consider submitting our brief survey for measuring the project's community impact.


Credits

Escrow Buddy was created by the Netflix Client Systems Engineering team.

The Crypt project was a major inspiration in the creation of this tool — huge thanks to Graham, Wes, and the Crypt team! Jeremy Baker and Tom Burgin's 2015 PSU MacAdmins session on authorization plugins was also a valuable resource.

Escrow Buddy is licensed under the Apache License, version 2.0.
