
I have a Cocoa application on OSX, which manages FileVault Disk Encryption on behalf of the user and reports back the recovery key to a server once the recovery key is generated. However, if the user changes the recovery key using the 'changerecovery' command, is there any way to listen to this event and obtain the recovery key so as to update the server?

Shanti K
  • I've documented some resources at http://apple.stackexchange.com/a/248823/5472 in response to basically the same question. Are you looking to use the MDM frameworks in OS X or basically just co-exist along side them? – bmike Aug 09 '16 at 10:34

1 Answer


As an alternative solution, have you considered using an institutional FileVault recovery key? With this method, you create a single key, install it on every machine that you manage, and then you can use that key to unlock the machine. This key is independent of the user's own recovery key.

There are directions here to create and deploy an institutional key: https://support.apple.com/en-us/HT202385. In addition to the manual deployment steps described in that support document, you can automatically deploy and enforce your institutional key using macOS/OS X Server Profile Manager so that it cannot be removed by the user. Instructions to do that are available here: http://impdossier.blogspot.com/2015/12/enable-file-vault-by-profile-manager.html

Jack Lawrence