Moving Users from Casper 8 to Casper 9 with FV2

sido_oleg
New Contributor

We need to move users from a Casper 8 server to a Casper 9 server and be able to transfer the individual FileVault keys. Has anyone successfully done this with 10.8 machines? When we move the machines over we lose the FV2 Recovery key; we tried to run a script on a machine and then a recon that should have sent the key to Casper 9, but it did not. Is there a preferred method to do this?


mm2270
Legendary Contributor III

You can only do this by upgrading the existing database that contains the FV2 keys. If you're having machines moved over by re-enrolling them in the new JSS, you're going to lose the Recovery keys. The keys are only picked up from a local xml file that the Disk Encryption configuration creates when it enables FV2 on the Mac. Once it gets scooped up into the database by a recon, it gets deleted (for security reasons, I'd imagine). That's why a recon afterwards does not pick up the key again. It just isn't there for the jamf binary to pick up.

You should consider a different approach, such as installing Casper Suite 8.x on a new box, importing a backup of the existing database to that server, then doing the upgrade to JSS 9.x on that system and switching the two server names/addresses so your Macs begin communicating with the new server and retain the recovery keys.
If that's not a viable option for you, I'd talk to your account rep about what else might be possible. I do think the only valid way to keep the keys is to upgrade an existing db that has them, though.

spotter
New Contributor III

@sido.oleg - I'm in the process of doing the same thing; however, the only difference is I'm moving clients from 9.32 to 9.6. My reason for the change is hardware, to clean things up. My current production JSS resides on an Xserve and my new production 9.6 JSS resides on a new Mac Pro.

I spoke to several people regarding this at the JNUC and got a lot of good ideas; however, after reaching out to the great support team at JAMF, they provided me a possible solution. I'm going through the testing process today and will report back if successful.

spotter
New Contributor III

I just finished my testing and once again JAMF Support comes to the rescue!!!

Having the key captured and stored in the JSS requires 2 steps...

First create a Configuration Profile with the following settings:

Distribution Method = Install Automatically
Level = Computer Level
FileVault Recovery Key Redirection = Automatically redirect recovery keys to the JSS

Then the script (which is where the magic happens)...

I created a policy and made it available within Self Service so the user can run it at their leisure, since it prompts for their login password.

Just make certain the Configuration Profile gets applied before you execute the script on the device.

#!/bin/bash

####################################################################################################
#
# Copyright (c) 2013, JAMF Software, LLC.  All rights reserved.
#
#       Redistribution and use in source and binary forms, with or without
#       modification, are permitted provided that the following conditions are met:
#               * Redistributions of source code must retain the above copyright
#                 notice, this list of conditions and the following disclaimer.
#               * Redistributions in binary form must reproduce the above copyright
#                 notice, this list of conditions and the following disclaimer in the
#                 documentation and/or other materials provided with the distribution.
#               * Neither the name of the JAMF Software, LLC nor the
#                 names of its contributors may be used to endorse or promote products
#                 derived from this software without specific prior written permission.
#
#       THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
#       EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#       WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#       DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
#       DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#       (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
#       LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
#       ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
#       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#       SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# Description
#
#   The purpose of this script is to allow a new individual recovery key to be issued
#   if the current key is invalid and the management account is not enabled for FV2.
#   
#   This script will prompt the user for their password so a new FV2 individual
#   recovery key can be issued.
#
####################################################################################################
# 
# HISTORY
#
#   -Created by Sam Fortuna on Sept. 5, 2014
#
####################################################################################################
#
## Get the logged in user's name
## NOTE: lastUserName is the account that most recently logged in at the login window,
## which is normally, but not necessarily, the account running this policy from Self Service.
userName=$(defaults read /Library/Preferences/com.apple.loginwindow lastUserName)

## Get the OS version as major.minor (e.g. 10.9 or 10.10).
## The original substr($1,1,4) truncated "10.10" to "10.1", which then failed the 10.9+ check.
OS=$(/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk -F. '{print $1"."$2}')
osMajor=$(echo "${OS}" | cut -d. -f1)
osMinor=$(echo "${OS}" | cut -d. -f2)

## This first user check sees if the logged in account is already authorized with FileVault 2.
## fdesetup list prints one "user,UUID" line per enabled user; compare the first field exactly
## so that a user named "bob" does not match an enabled user named "bobby".
userCheck=$(fdesetup list | awk -F, -v usrN="$userName" '$1 == usrN {print $1}')
if [ "${userCheck}" != "${userName}" ]; then
    echo "This user is not a FileVault 2 enabled user."
    exit 3
fi

## Check to see if the encryption process is complete.
## fdesetup status reports "FileVault is On." as soon as FV2 is enabled, and adds an
## "Encryption in progress" line while the volume is still being encrypted, so both are checked.
encryptCheck=$(fdesetup status)
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ] || echo "${encryptCheck}" | grep -q "in progress"; then
    echo "The encryption process has not completed."
    echo "${encryptCheck}"
    exit 4
fi

## Get the logged in user's password via a prompt
echo "Prompting ${userName} for their login password."
userPass="$(/usr/bin/osascript -e 'Tell application "System Events" to display dialog "Please enter your login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

echo "Issuing new recovery key"

## fdesetup changerecovery -personal requires 10.9 or later
if [ "${osMajor}" -lt 10 ] || { [ "${osMajor}" -eq 10 ] && [ "${osMinor}" -lt 9 ]; }; then
    echo "OS version not 10.9+ or OS version unrecognized"
    echo "${OS}"
    exit 5
fi

## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output.
## The password is handed to expect through the environment instead of being spliced into the
## script text: characters such as $, [ or " in the password cannot break the Tcl script, and
## the password never appears in the command line of the expect process.
export userPass
expect <<'EOF'
log_user 0
spawn fdesetup changerecovery -personal
expect "Enter a password for '/', or the recovery key:"
send -- "$env(userPass)\r"
log_user 1
expect eof
EOF
unset userPass

exit 0