Exporting FileVault 2 Keys from JAMF
Learn how to access FileVault 2 recovery keys from the JAMF JSS.
One of the biggest benefits of using an endpoint configuration service like fleetsmith.io or JAMF is simplified FileVault 2 key escrow. This is great from an operations perspective, as it allows you to remotely store and access decryption keys. However, you become locked into your vendor if you want to maintain access to this data without significant manual work or operational overhead. Because of the importance these keys have within the context of security, vendors generally add significant cost to the process of retrieving them.
To streamline our operational overhead, we needed a way to quickly grab recovery keys from both a CLI and a web service. The JAMF JSS does not natively support retrieving this data through the API, which has frustrated system administrators and engineers for years.
There are several articles citing the need for this functionality, and we've included a taste from one such post dating back to 2014:
"Still under review for more than 4 years now, but no real movement on it that I've seen? I wonder if this will ever happen. It's disappointing that we still don't have a way to pull these out or access them via the API." -mm270
Luckily, no problem is unsolvable! We threw together this repository, which adds the requested functionality as a command-line utility written in Python (for all you client engineers). It can also be imported as a module: use from keysword import main and pass two parameters, computer_id and computer_name. One other catch to call out: it does not use just the API but also the web interface's AJAX methods (remember those from the 2000s?).
What other configuration management functionality and information do you expect to have API access to?