IBM Support

Ability to view personal recovery key after FileVault for a macOS device

Release Notes


Abstract

Ability to view personal recovery key after FileVault for a macOS device

Content

From the 10.65 release, MaaS360 adds the ability, for macOS 10.13+ devices, to view a device's recovery keys (the personal key and the institutional key) in the Device View page.

This feature lets administrators access a device's recovery key from the MaaS360 portal to perform recovery actions. Depending on the type of FileVault recovery method that the administrator chooses for a device, the personal key, the institutional key, or both are displayed in the Device View.

As part of FileVault 2 encryption, Apple introduced recovery keys. A recovery key is a backup method for unlocking a FileVault 2 volume when a user's account password is not available to log in.

There are two types of recovery keys available:

  1. Personal recovery keys–Recovery keys that are generated automatically during the encryption process. Each key is an alphanumeric string that is unique to the machine being encrypted. If an encrypted Mac is decrypted and then re-encrypted, the existing personal recovery key becomes invalid and a new personal recovery key is created as part of the encryption process.
  2. Institutional recovery keys–Recovery keys that are pre-generated by administrators and installed on a system before encryption. They are most often used by a company, school, or institution that wants one common recovery key to unlock all of its managed encrypted systems.

How to create Institutional Cert and Keychain?

Institutional keys must be generated correctly before they can be used. To generate the certificate or keychain file, follow the steps in the Apple document https://support.apple.com/en-in/HT202385 up until "Deploy the updated master keychain on each Mac".

Keep a copy of the Master Keychain file in a safe place.

Note: Remember the password; it is needed later to unlock any macOS machine that uses the Institutional Keychain for encryption.

The FileVaultMaster.Keychain file is generated and stored in the /Library/Keychains folder. Open the Keychain Access program, right-click the FileVault Recovery Key certificate, and export it as a .CER file.

FileVaultMaster.cer (Public Key) is uploaded to Institutional Recovery Key > Certificate. It is used for encryption and is mandatory to enable FileVault Encryption on end-client devices.

FileVaultMaster.Keychain (Private Key) is optional to upload to Institutional Recovery Key > Keychain. It is used for encryption and to unlock devices that are locked after encryption.
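As an added example (not code from the IBM page or from Apple's documentation), the following POSIX shell script performs the same institutional-key preparation from the command line: it creates the FileVaultMaster keychain with `security create-filevaultmaster-keychain`, exports the FileVault Recovery Key certificate as a DER-encoded .cer file (the public-key file the page says to upload under Institutional Recovery Key > Certificate, while the private key stays in the keychain file), checks that the export is DER rather than PEM before upload, and records the certificate's SHA-256 fingerprint. The function names, the FV_KEYCHAIN and FV_CER paths, and the FV_RUN switch are assumptions; the `security` commands exist only on macOS and need root to write into /Library/Keychains.

```shell
#!/bin/sh
# Added example: prepare a FileVault institutional recovery key from the shell.
# Function names, paths and the FV_RUN switch are assumptions, not MaaS360 or
# Apple names. Requires macOS (`security`) and root for /Library/Keychains.

FV_KEYCHAIN="${FV_KEYCHAIN:-/Library/Keychains/FileVaultMaster.keychain}"
FV_CER="${FV_CER:-$HOME/FileVaultMaster.cer}"

# Create the master keychain. `security` prompts for the keychain password,
# which is the password the page tells you to keep for unlocking machines.
fv_create_master_keychain() {
    security create-filevaultmaster-keychain "$1"
}

# Export only the certificate (public key) as DER. The private key remains in
# the keychain file, which is the optional Keychain upload.
fv_export_master_cert() {
    keychain="$1"
    out="$2"
    security find-certificate -c "FileVault Recovery Key" -p "$keychain" \
        | openssl x509 -outform DER -out "$out"
}

# Check that a .cer file is DER (first byte 0x30, an ASN.1 SEQUENCE) rather
# than a PEM export, which starts with "-----BEGIN CERTIFICATE-----".
fv_cer_is_der() {
    first=$(od -A n -t x1 -N 1 "$1" | tr -d ' \n')
    [ "$first" = "30" ]
}

# Print the SHA-256 fingerprint so the uploaded certificate can be recorded
# and later matched against the certificate in the keychain.
fv_cer_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256
}

# Run end to end only when explicitly asked: FV_RUN=1 sudo sh thisscript.sh
if [ "${FV_RUN:-0}" = "1" ]; then
    fv_create_master_keychain "$FV_KEYCHAIN"
    fv_export_master_cert "$FV_KEYCHAIN" "$FV_CER"
    if fv_cer_is_der "$FV_CER"; then
        echo "Exported DER certificate: $FV_CER"
        fv_cer_fingerprint "$FV_CER"
    else
        echo "Export at $FV_CER is not DER; re-export before uploading" >&2
        exit 1
    fi
fi
```

The DER check matters because the portal field expects the .CER export from Keychain Access, which is DER; a PEM file produced by `security find-certificate -p` alone would be rejected or silently mis-parsed, so the script converts and then verifies the first byte before anything is uploaded.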

How to Configure FileVault 2 by using Personal Recovery Key?

  1. The administrator configures the FileVault settings from Security > Policies > select a macOS MDM policy > Configuration > FileVault, as illustrated in the image.
    Note: Only an administrator can log in and check the Personal Recovery Key generated for the respective device, from the Device View > FileVault Recovery Key action.
  • Use Personal Recovery Key: Check-mark this option to use a personal recovery key for FileVault.
  • Show Personal Recovery Key: Check-mark this option to show the recovery key to the user during the restart that enables FileVault 2 on the macOS device. You can either show or opt not to show the personal recovery key to the user.

  2. When the Personal Key payload is pushed to the device, the user can restart or log out and is then prompted to enter the user password to turn on FileVault Encryption, as illustrated in the image.

  3. Enter the password to start encryption on the device.

  On completion of encryption, the FileVault recovery key is displayed in System Preferences > FileVault.

How to Configure FileVault 2 by using Institutional Recovery Key?

  1. Upload and choose the FileVault Master Certificate (Public Key) to enable the Institutional Recovery Key on macOS devices.
  2. (Optional) Upload and choose the FileVault Master Keychain (Private Key). Using this key enables the administrator to get the Recovery Key on the portal.
    Note: Only an administrator can log in and check the Institutional Recovery Key generated for the respective device, from the Device View > FileVault Recovery Key action, and only if Use Keychain is chosen during policy configuration.
    The Institutional Key is available to the admin as a download link named InstitutionalKey_<billingID>_<deviceID>.
  3. Upload the FVMaster Cert and FVMasterKeychain in the Policy payload as follows. The administrator can configure the FileVault settings from Security > Policies > select an iOS MDM policy > Configuration > FileVault.

  4. When the Institutional Key payload is pushed to the device, the user can restart or log out and is then prompted to enter the user password to turn on FileVault Encryption, as illustrated in the image.

  5. Open the /Library/Keychains folder. On restart, the FileVaultMaster.Keychain file is displayed as illustrated in the image, and encryption with the Institutional Key starts.

On completion of the encryption, the FileVault recovery key is displayed in System Preferences > FileVault.

How to use both Personal and Institutional Recovery Keys for FileVault Recovery?

  1. The administrator configures the FileVault settings from Security > Policies > select an iOS MDM policy > Configuration > FileVault.
    Note: Only an administrator can log in and check the Institutional Recovery Key generated for the respective device, from Device View > FileVault Recovery Key, based on the policy configuration.

  2. When the Personal and Institutional Key payload is pushed to the device, the user can restart or log out and is then prompted to enter the user password to turn on FileVault Encryption, just as when either a personal or an institutional recovery key is configured on its own.

    On completion of encryption, the FileVault recovery key is displayed in System Preferences > FileVault.

Note: You can also get the FileVault Recovery Key from Device View > More > FileVault Recovery Key, as illustrated in the image. Depending on the FileVault recovery key configuration, the personal recovery key, the institutional recovery key, or both keys are generated.

Note: Before pushing a FileVault payload with an Institutional key, check whether a FileVaultMaster.Keychain file is already located under /Library/Keychains. If it exists, remove the existing .keychain file and then push the payload to the device to start encryption.
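As an added example, not part of the IBM page, the following POSIX shell script automates the pre-push check in the note above and the on-device verification that the procedures end with: it reports whether a FileVaultMaster.keychain is already present in the keychains directory, moves a stale one aside into a backup directory rather than deleting it outright (so the old key material stays recoverable), and, on a Mac, queries `fdesetup` for the encryption status and for which recovery-key type the disk has. The function names, the FV_BACKUP_DIR location, the FV_RUN switch and the choice to back up instead of delete are assumptions; the `fdesetup` subcommands exist only on macOS and the script reports when the tool is unavailable.

```shell
#!/bin/sh
# Added example: pre-push check for a stale FileVaultMaster.keychain and
# on-device verification of the FileVault state. Function names, the backup
# location and the move-instead-of-delete choice are assumptions; the page
# itself says to remove the file.

FV_KEYCHAIN_DIR="${FV_KEYCHAIN_DIR:-/Library/Keychains}"
FV_BACKUP_DIR="${FV_BACKUP_DIR:-/var/root/fv-keychain-backup}"

# Return 0 if a FileVaultMaster.keychain is present in the given directory.
fv_master_keychain_present() {
    [ -e "$1/FileVaultMaster.keychain" ]
}

# Move an existing FileVaultMaster.keychain out of the keychains directory so
# the institutional payload can install its own. Prints the backup path, or
# nothing when there was no file to move.
fv_retire_master_keychain() {
    dir="$1"
    backup="$2"
    if ! fv_master_keychain_present "$dir"; then
        return 0
    fi
    mkdir -p "$backup"
    chmod 700 "$backup"
    dest="$backup/FileVaultMaster.keychain.$(date +%Y%m%d-%H%M%S)"
    mv "$dir/FileVaultMaster.keychain" "$dest"
    echo "$dest"
}

# Wrap fdesetup so the script degrades cleanly when run off macOS.
fv_fdesetup() {
    if command -v fdesetup >/dev/null 2>&1; then
        fdesetup "$@"
    else
        echo "fdesetup-unavailable"
    fi
}

# Report encryption status and which recovery-key type the disk has, which
# should match the policy (personal, institutional, or both).
fv_report() {
    echo "status: $(fv_fdesetup status)"
    echo "personal recovery key: $(fv_fdesetup haspersonalrecoverykey)"
    echo "institutional recovery key: $(fv_fdesetup hasinstitutionalrecoverykey)"
}

# Run end to end only when explicitly asked: FV_RUN=1 sudo sh thisscript.sh
if [ "${FV_RUN:-0}" = "1" ]; then
    if fv_master_keychain_present "$FV_KEYCHAIN_DIR"; then
        moved=$(fv_retire_master_keychain "$FV_KEYCHAIN_DIR" "$FV_BACKUP_DIR")
        echo "Moved existing keychain to $moved; push the FileVault payload now"
    else
        echo "No FileVaultMaster.keychain present; safe to push the payload"
    fi
    fv_report
fi
```

Run it as root before pushing the Institutional Key policy, and again after the restart: the `fv_report` output should show FileVault on and the recovery-key type that the policy configured, which is the same fact the portal's Device View > FileVault Recovery Key action exposes.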


Document Information

Modified date:
21 January 2020

UID

ibm10739667