I would expect this account would get a different UID, depending on the order which one would be created first. So I’m a little confused on how to add this key to the plist? Re-Direct FileVault keys to Jamf Pro. Specifies a custom file path for the PRK rather than using /var/db/NoMADFDE by default. For standard account you still need to enable it via LAPS for which the additional admin password will change. This document will outline how to enable FileVault2 on macOS Systems that are managed by JAMF Pro. interesting, ok thank you for your input. So for example: if the need is there to rotate the FV key, will Jamf Connect update the management password as well? It is kinda pointless then… Super interested in this! An existing local administrator must be on the computer to use this method. This is because you need an account with a secure token to reset the password of an account with a secure token. If you use Jamf Connect to enable FileVault for local administrator and standard accounts, remove the LAPS User (LAPSUser) setting from login window configuration profiles that are deployed to computers with macOS 11. Description: Used to configure how FileVault is enabled with Jamf Connect. In view of what is happening to the world nowadays… with most people working remotely, how often do you really need a tokenized admin… anyway, the above is possible to script. After the computer starts up, the user is presented with a FileVault login window. Because it’s not the first account interactively signing in into the Mac! This guide provides step-by-step instructions for administering FileVault on macOS 10.14 or later with Jamf Pro. For related information about macOS Security, see the following documentation from Apple: https://www.apple.com/business/resources/docs/macOS_Security_Overview.pdf. A script will be the only way if LAPS or Bootstrap is not enough to achieve the goal.
Remember that since macOS 10.14.2 enabling FileVault via any possible method, on a system with NO Secure Token was fixed. this is helpful. The jamf management account does not qualify for this. Hi kat. Now we don’t show the jamf management account in the prestage anymore, only the additional admin account which you can create. I prefer to hide the admin user in Users & Groups. FileVault / Encryption, Jamf, Jamf Connect, Secure Tokens. If you don’t care about having a local admin with a Secure Token, hence you don’t care about having a local admin which is FileVault enabled, and you don’t care about potentially needing to manipulate tokens (as in granting other accounts a Secure Token to enable them for FileVault) in the future… all is good! could that work? Actually a good start to have things nicely secured and FV in place as from the moment the end user starts using the Mac! Jamf Now can ensure that all enrolled Macs are protecting data using Apple's built-in FileVault full disk encryption (XTS-AES 128). Logins on FileVault Encrypted Computers. Under the "App or Service" heading, click Save. To prevent the macOS login process from skipping Jamf Connect Login when FileVault is enabled, you can disable automatic login on computers. This is handy if you forget the password to the Mac and still need to get access. I’m banging my head back and forth with this. However, because the admin which got a token via LAPS has the password set to the recovery key, you can fully automate the creation of a second admin and give it a token via the recovery key as password for the already tokenised account… remember that the Jamf Connect EnableFDE feature can write the recovery key to a specified path via the EnableFDERecoveryKeyPath key. Hi all, ADFS… one of those things… As there is an ongoing discussion about the matter on my Upgrade to Jamf Connect 2.0 post, I had to test some things. I did not have time to do so prior to this discussion, but it was obviously on my to do list.
Thank you again for your comprehensive answer. I’d open a case with support regarding that recovery key plist. A repository for Jamf Connect scripts, configuration profile templates, and legacy content. If an institutional recovery key is deployed prior to enabling FileVault via Jamf Connect, that should work if the end user created via Jamf Connect is an admin. Apple, Microsoft and Google all have unique workflows to provision, encrypt, deploy, secure, update and support enterprise technology. Also the industry trend is moving away from binding to Active Directory. When you use Jamf Now to set up FileVault, the recovery keys will be stored. Sorry for this rookie question. To learn more about FileVault, see the following Apple documentation: macOS Security. I totally agree with kevinmcox as there might be something wrong with original config as no security software needs users to be "admins". @Clint Depending on the deployment and prestage account creation options, you might want to check Catalina Bootstrap functionality and use the additional admin account to be Tokenized. So with JCL creating a standard account without LAPS, you will need a script anyway. Most about them has been said anyway. I’m not planning to let users enroll their devices themselves. Just enable the escrow functionality for FileVault via a profile, and the key will be nicely sent to Jamf upon creation! Hence again, with Secure Token. So if you give a user the PRK, change the management account info on file and execute a policy to ‘change’ the management account password. It can’t just create tokens without enabling FileVault, hence you need to enable FV via Jamf Connect.
The following diagram shows how this setting ensures Jamf Connect is not bypassed during login: To disable automatic login on computers, you can upload the following PLIST file using the Custom Settings payload in your MDM solution. By integrating Jamf Connect and Jamf Pro, FileVault encryption will be enabled immediately upon the first login instead of enabling it during the login process and then requiring the user to sign back out. LAPS is one solution to give 1 admin a token apart from the end user getting one too. Make sure you specify the following preference domain: com.apple.loginwindow. Moment of truth! This setting is only used by Jamf Connect to help enable FileVault on standard accounts on macOS 10.15 or later. FileVault is full disk encryption for Mac. Federico Joly says: 27-11-2020 at 15:44 To obtain this configuration profile for upload, see the following from Jamf's GitHub repository: https://github.com/jamf/Jamf-Connect-Resources/blob/master/Jamf-Connect-PPPC-FileVault.mobileconfig. I’ve had no luck getting this to work. Introduction. bye bye zero touch, Make sure you do not enable FileVault, promote your end user to admin, enable FileVault, grant your admin a token, demote your end user… again scripting madness…, Whatever other possible option or voodoo script you might find. 1 to read the plist with the recovery key, a second to use the sysadminctl command to pass the token. You can still specify this account to be hidden from Users and Groups in the prestage. Once before the Setup Assistant during enrollment and the second time when the JAMF binary will be installed? Azure, Bootstrap, DEP, Jamf Connect, macOS Catalina, Secure Tokens. Well, I hope it doesn’t come as a surprise, but it’s actually nothing more than a combination of everything we discussed so far. It needs to be set manually in the plist.
Keep the following security and user experience considerations in mind when choosing to use Jamf Connect and FileVault on computers: User Data Protections on macOS 10.15 or later: to ensure FileVault is enabled and users are not locked out of computers with Jamf Connect, a Privacy Preferences Policy Control (PPPC) configuration profile must be installed on computers with macOS 10.15 or later. The first FileVault enabled user account on a computer cannot be a standard user account. Apart from that you’ll need to script a password change passing the valid, current admin credentials of a SecureToken admin account, or its own credentials. As you may have heard, Jamf recently acquired Orchard & Grove, the makers of NoMAD. If both are done, wiped or new devices will enrol automatically into Jamf Pro when going through the Setup Assistant. Yes and No, it depends. You can upload the profile to an MDM solution manually or configure and deploy it in Jamf Pro: You can upload a .mobileconfig file directly to your MDM solution or install it locally. However, in this post I want to go back to a very specific situation. 01-10-2020 — 128 Comments. First time with the key but second run overwrites it with empty file. The user enters their local password to unlock the disk. Be sure to select the proper version for 10.12 or 10.13. Your script can read it there and use it as password to tokenize your 2nd admin… question is… is all this really needed depending how often an admin really needs physical access to a machine… for which it would need a tokenized admin account. It’s basically nothing more than a 2 line script. What if I need a third account for management purposes?
2 users with tokens… let’s check to be sure! Our Jamf Connect Login provisioned STANDARD Account: But wait, what about the part saying it cycles the management account password to the recovery key…? Compared to Mojave where it would get a token at FileVault enablement if the system was still tokenless. Since opening, have you heard anything? Root has no SecureToken, so the reset fails by lack of SecureToken unlock. I just tested and it does not write the key to the plist for me either. If not set to create, it will not create it. Just remember this is a personal blog, and not official documentation of any mentioned company or product. This doesn’t work with users that are administrators. Add the above 2 keys to your JCL plists and you’re all set. The fact is, with this Account Payload added to the prestage, the following things happen: Now, in our scenario above, we create STANDARD accounts by logging into Jamf Connect Login. I got this working on a prestage enrollment and it works great. For related information about User Data Protections and FileVault, see the following Knowledge Base articles: Preparing Your Organization for User Data Protections on macOS 10.14 or Later. You are not demoting your users via any script, but actually skipping account creation via a Jamf Pro prestage – Accounts Settings. Yes, there they are again our beloved Secure Tokens! Nothing really changed anyway. Jamf Pro is comprehensive enterprise management software for the Apple platform, simplifying IT management for Mac, iPad, iPhone and Apple TV. The following diagram is an example that shows how too many security measures at the login window can create a negative user experience. Finally we come close to the actual end goal of this post: understand the full authentication flow with Jamf Connect, when FileVault is enabled.
While this is very valid as more and more of you will be upgrading your Mac environment, this is outside the scope of my post here. Well, no panic! The LAPS process is writing 2x to the file. Configure the following settings: hey again, just circling back on this. https://docs.jamf.com/10.25.0/jamf-pro/administrator-guide/Management_Accounts.html. So where does our recovery key go? So the LAPSUser is not available as an option in either the Jamf Pro Config option nor the Jamf Connect Configuration App. No problem! In the "App or Service" section, click Add. If you want to use Jamf Connect to create a standard local account that is FileVault enabled, you must use the Local Administrator Password Solution (LAPSUser) setting. And the creation of the 3rd account is easy with a Jamf policy. Our UID 501 user, being our Jamf Management account, although being a LOCAL ADMIN does NOT get a Secure Token either! Jamf runs from within a privileged binary. An existing local administrator account whose password Jamf Connect can change to the personal recovery key. FileVault / Encryption, Jamf Connect, macOS, Secure Tokens. Understanding the macOS authentication flow with FileVault and/or Jamf Connect. Thanks for explaining that.
Seems like for some reason, my deployment doesn’t write the recovery key to the file. Definitely possible, and quite easy. Hereby some screenshots to make this all a bit more visual: First of all, make sure you create the management account in the ‘User-Initiated Enrollment settings’: A prestage with ‘Account Settings’ payload and skip user creation: Make sure a config profile is ready and scoped to all devices to enforce FileVault and escrow the recovery key: Configure Jamf Connect Login according to your IdP, and make sure to add the LAPSUser and EnableFDE keys! Again, for the reasons linked to the prestage above: our Management Account! Provision the Macs with Admin users, manipulate tokens by granting your Management or IT Admin account a token and demote your end user…. What if I just used JAMF to reset the “Admin” password? In the case where the Mac was encrypted prior to being managed by Jamf Now, a few additional steps must be taken to get the FileVault recovery key stored in Jamf … Tried to reset it via JAMF but yeah I do see it doesn’t reset it due to secure token. While this might seem small, it’s one less step for the end user to take. Well, because of the existence of another local user with a UID above 500!
Very helpful. Bootstrap is another solution which also gives Secure Tokens to mobile accounts. Earlier we had the “Jamf Management account” + additional admin account which could be created in the prestage. For related information about administering FileVault with Jamf Pro, see the Administering FileVault on macOS 10.14 or Later with Jamf Pro technical paper. 03-09-2020 — 0 Comments. The UIE settings in Jamf Pro also say “create management account IF it does not already exist”. Unintentionally bypassing Jamf Connect: if Jamf Connect is installed on computers, the default macOS automatic login behavior with FileVault may prevent the Jamf Connect login window from loading. Immediate FileVault encryption. 10-07-2020 — 0 Comments. It should only run fdesetup once, so a product issue. I keep hearing we should create separate plists but how do we scope that? I’d prefer to only keep the management account and user’s account but I have a few questions. Catalina still works fine though. Making the move to a cloud identity provider? Apple MDM requires an admin account to be created if you skip the user creation (for AD bind or Jamf Connect for instance). Depends. “diskutil apfs listcryptousers /” to see who has tokens!!! This would mean the account will get UID 80. Important Concepts: Administrators using this guide should be familiar with the following Jamf Pro-related concepts: Deployment, Smart computer groups. Additional Resources. So to me it makes sense we just use that. The only thing is, the account needs to exist already. As always, if you like this blog hit the like button, tell your friends about it and leave a message down below! Standard accounts cannot enable FileVault without having a secure token and they don’t get one via Jamf Connect. If I select this field, I can create a local admin account. So how do we fix this situation?
Account Provisioning: Whether it’s during setup or in day-to-day use, Jamf Connect ensures a single identity is being used to access a user’s device and applications, without the need to bind to Active Directory. Jamf Connect Login and Enrollment Customization (Azure AD) 02-02-2020 — 56 Comments. Choose "Allow" from the Access pop-up menu. Well, I could not describe it better than what’s in the official documentation: So, ‘an already existing local administrator account’… this can actually be any existing local admin on the Mac, but as discussed above, our scenario and the described behaviour of our prestage actually makes or forces us to have the ‘Jamf Management Account’ on the system. Only the first created standard account will receive a SecureToken. Go to Computers, then Policies. Well, they actually never went away but after my final wrap up post a while ago, I decided to leave them as they are. Or planning to? But, in our scenario above, we DO want a local admin with a Secure Token! It’s indeed confirmed as a product issue. Should this be the same credentials as the Jamf Management Account I filled in under “User-Initiated Enrollment”? I’ll give it a night sleep and play with it tomorrow. For standard account you still need to enable it via LAPS for which the additional admin password will change. Imagine the following conditions: As discussed in my previous post, the fact of adding the ‘Accounts Settings’ payload in the prestage, changes the behaviour of the Management Account creation. Am I being silly when I think it is weird that this key is not selectable at all? As the Jamf binary does not use any account to run policies (not even the Jamf Managed account) it is technically impossible. I’m planning to push the enrollment profiles via Apple School Manager, so am I correct that “Automated Device Enrollment” applies here, not “User-Initiated Enrollment”?
But is it now really the password of our Management Account? Click the Privacy Preferences Policy Control payload and then Configure. By turning on this feature, Jamf Now will turn on FileVault and also store a recovery key. Re: using the script to read the plist and the path to recovery key. That said, yes, what does it do? And I was excited at first that this article was going to solve that! You are creating the Jamf Management account to fit the purpose of the local admin here above. Jamf Connect with ADFS Federation and AllowCloudPasswordValidation. It’s so easy! If you leave the end user creation with JCL at standard, it won’t get a token. Make sure all of your variables were entered in correctly then save the script. An institutional recovery key will not help here. Enable FileVault 2 through JAMF Pro. Jamf, Jamf Connect, Poll. Instead of using an individual key, can we set it for an institutional key and accomplish having the “same” password on each computer? Question: does this reconcile the password if the FV key changes? You provision your Macs with Standard Accounts using Jamf Connect Login. Let’s check in Jamf! Yes, our recovery key is there…. You can download this configuration from Jamf's GitHub repository or configure and deploy it with Jamf Pro. The first one will overwrite the second one but will this have consequences for the UniqueID of the user? The first cert has been issued with a 100% pass! Different prestage and smart group based on prestage would be the only option imo. However, please note that if this user gets a secure token, it will be visible on every reboot if FileVault is enabled. Jamf Connect Login and Hybrid Azure AD / ADFS. Deploy a Mac via a prestage enrolment, provision it with Jamf Connect Login, skip account creation and your Standard User, as well as your Jamf Management Account will be tokenized and FileVault enabled!
If you want to use Jamf Connect to create a standard local account that is FileVault enabled, you must use the Local Administrator Password Solution (LAPSUser) setting. By Malcolm Owen Thursday, January 23, 2020, 07:16 am PT (10:16 am ET) Apple device management platform provider Jamf is improving the integration of its Jamf Pro and Jamf Connect products, connecting the two with new features relating to configuration and enrollment workflows to make it easier for administrators to use, while simultaneously improving […] If FileVault is enabled, the user must complete an additional authentication step to unlock the computer disk before the Jamf Connect login window can display. Doing this out of free will: sharing is caring. Because the reset command does not authenticate with a SecureToken admin, it uses the root privileges of the Jamf binary. But because LAPS is changing that to match the recovery key… the Jamf Pro database does not have the new password info of the management account.