FV2 Archives - Mr. Macintosh

How To Regenerate a New FileVault 2 Personal Recovery Key (PRK)

MrMacintosh.com - How To regenerate a FileVault 2 Personal Recovery Key. — How To reissue a FileVault 2 Personal Recovery Key

It’s good practice to have a backup of important things in your life. You wouldn’t only keep one set of keys to your house or car. The same goes for your FV2 Encrypted Mac. The FileVault Personal Recovery Key is your backup key to your Mac. If your account password is not working or if you can’t remember the password, the Recovery Key will be the only way to get to your data.

Two Different Types of FileVault 2 Recovery Keys

When encrypting your Mac, you have two different types recovery key options.

(PRK) Personal Recovery Key – Every Mac has a unique Recovery Key.
(IRK) Institutional Recovery Key – One Recovery Key for every Mac

While it may be convenient to have one key for every Mac, having a Institutional Recovery Key is like having a Master Key to an Apartment Complex. If that key is stolen or lost, the bad guy has a key to every single apartment unit. The same thing goes for the (IRK) if one user has the key, it’s known for every single Mac.

The PRK is the way to go, as each Mac has a unique key.

I previously wrote about how to use the PRK to recover data from a Mac using Target Disk Mode.

https://mrmacintosh.com/filevault-2-target-disk-mode-unlock-using-the-personal-recovery-key/

Why Would Would I Need to Change my Personal Recovery Key?

Here are a few reasons why you might need to reissue or generate a new FileVault 2 Personal Recovery Key.

1. The Computer Record was deleted from your MDM.
2. The MDM Recovery Key Entry is corrupted.
3. The Recovery Key is not working.
4. The PRK is given to a user and you want to cycle and protect it.
5. The PRK user is missing, or the ? mark is not showing at FV2 login.
6. If you need to reenroll a Mac into a different MDM.

A good example of #2 is when Jamf Pro 10.7.1 screwed up the recovery key display in every computer record. This defect was fixed in Jamf Pro 10.10.

https://www.jamf.com/jamf-nation/discussions/31910/filevault-2-personal-recovery-key-issue

Reissue the FileVault 2 Recovery Key with FV2 Enabled Username and Password

To generate a new FileVault 2 Personal Recovery Key we will be using the fdesetup binary.

First you can check to see if your Mac is using a PRK or IRK.

sudo fdesetup haspersonalrecoverykey = true or false

sudo fdesetup hasinstitutionalrecoverykey= true or false

Now we can change the recovery key using username and password.

sudo fdesetup changerecovery -personal

Enter the user name:mrmacintosh

Enter the password for user 'mrmacintosh':

New personal recovery key = 'Z5V7-K464-PEVT-09OX-Q2EW-8FO8'

This works for 10.13 – 10.15

Reissue the FileVault 2 Recovery Key using the Current Personal Recovery Key (PRK)

Staring in 10.14, you can now use the current Personal Recovery Key to generate a new PRK.

You will be using the UUID of the Personal Recovery User and the current PRK as the password.

Find the UUID of the Personal Recovery Key User

sudo fdesetup list -extended

ESCROW UUID TYPE USER

0A1BCDC3-49BD-4E00-B741-813E143AD1E2 OS User mrmacintosh

EBC6C064-0000-11AA-AA11-00306543ECAC Personal Recovery Record

Note: The UUID of the Personal Recovery User is the same very every FV2 Encrypted Mac.

Let’s change it.

sudo fdesetup changerecovery -personal

Enter the user name:EBC6C064-0000-11AA-AA11-00306543ECAC

Enter the password for user 'EBC6C064-0000-11AA-AA11-00306543ECAC':

New personal recovery key = 'Z5V7-K464-PEVT-09OX-Q2EW-8FO8'

For the password field, all we need to do is enter in the current FV2 PRK.

NOTE: If you want to send the Recovery Key to Jamf Pro, you need to run Recon twice.

Running commands are great for 1 or 2 Macs, but what if I have to fix more than that?

The guys at HCS Technology Group wrote up an excellent article showing us how to create a policy for this. The policy will search for all Macs that do not have a valid recovery key and will remediate with a script kicked off by a Jamf Policy.

https://hcsonline.com/images/PDFs/Jamf_Recovery_key_Filevault.pdf

Credits

Hat Tip goes out to Johan McGwire aka yohan on #MacAdmins. He brought up the 2nd way to reissue the Personal Recovery Key with the current PRK. Johan the expert behind the following projects. Check them out!

Also HCS Technology Group, I can’t say enough about these guys. They have written some of the best MacAdmins guides available today!

Get the full list HCS White Papers, visit this link.

http://hcsonline.com/support/white-papers.

Follow them on Twitter! https://twitter.com/HCSTechnology

FileVault 2 Target Disk Mode Unlock Using the Personal Recovery Key

Do you need to recover user data with Target Disk Mode, but you don’t have the user’s FileVault 2 password?

I will show you how to unlock FileVault 2 after you connect the Mac using Target Disk Mode. This can be very helpful for IT Departments that need to access user data when an employee is let go and you don’t have the user’s password.

How to boot a Mac into Target Disk Mode (TDM)

Think of Target Disk Mode as if you are turning your Mac into an External Hard Drive. Once you plug the Target Mac into the host Mac using a USB/Thunderbolt Cable you can access all of the Target Mac’s files on the Host Mac. It’s really a great tool for moving data, especially useful for fast file backup, transfers or data recovery.

MrMacintosh.com - Apple's instructions for how to Boot your Mac to Target Disk Mode. — Apple’s instructions for how to Boot your Mac to Target Disk Mode.

support.apple.com/guide/mac-help/transfer-files-computers-target-disk-mode-mchlp1443/10.14/mac/10.14

Mounting the and unlocking the drive.

Once you have booted your Mac into Target Disk Mode and it’s pluged into the host Mac you will be see a GUI message after a few moments.

MrMacintosh.com - This is a Target Disk Mode unlock message above is for a T2 Mac. You will get this if you are encrypted or not encrypted with a password. — The unlock message above is what you will see with a T2 Mac. You will get this message if you are encrypted or not encrypted with a password. The users listed will be securetoken enabled users.

MrMacintosh.com - FileVault 2 Target Disk Mode GUI unlock pop-up. — FileVault 2 Target Disk Mode GUI unlock pop-up for a non T2 Mac.

If the Mac is not encrypted and doesn’t have a T2 the drive will just mount as Macintosh HD on the Desktop.

If you know the user’s password, type it in and the drive will mount.

Attempting to unlock FileVault 2 TDM “diskutil apfs unlockVolume -passphrase”

You may have used this command in the past if you needed to unlock FileVault in the Recovery Partition.

diskutil apfs unlockVolume /dev/apfs_volume_id_goes_here -passphrase personal_recovery_key_goes_here

Rich Trouton wrote a great article on how to unlock FileVault 2 in the Recovery Partition. You can find that article here.

derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/

You would think we could use the same command to mount the drive with TDM. Let’s try it.

MrMacintosh.com - Attempting to unlock Macintosh HD in TDM mode using diskutil apfs unlockVolume /dev/disk3s5 -passphrase — Attempting to unlock Macintosh HD in TDM mode using diskutil apfs unlockVolume /dev/disk3s5

Trying to use the following command.

diskutil apfs unlockVolume /dev/disk3s5 -passphrase _recovey_key_here

Will give the error

Error unlocking APFS Volume: APFS Volume Target Disk Mode Unlock requires that you supply a specific user (-69486)

The GUI unlock pop-up only has the option to unlock with user’s password.

Gathering the information that you need to unlock the drive using the Personal Recovery Key.

Let’s get started. You will only need 3 things.

APFS Volume ID
UUID of the Personal Recovery User
FV2 Personal Recovery Key

First let’s get the APFS Volume ID of the Target Mac. On the host Mac run this command in the Terminal.

diskutil apfs list

Look all the way at the bottom for Name: Macintosh HD You will also see Mount Point: Not Mounted and FileVault: Yes (Locked)

MrMacintosh.com - The Volume ID section you are looking for that shows the APFS Volume Disk (Role) — *The Volume ID section you are looking for that shows the APFS Volume Disk (Role)*

You will need to grab disk4s5 from APFS Volume Disk (Role) This is the Target Mac’s Volume ID.

2. Get the Personal Recovery User UUID

Run this command to get the UUID of the Personal Recovery User. Don’t forget to put the Volume ID that you grabbed above in apfs_volume_id_here

diskutil apfs listUsers /dev/apfs_volume_id_here

MrMacintosh.com - Getting the UUID of the Personal Recovery User. — Getting the UUID of the Personal Recovery User.

3. Personal Recovery Key

Now that you have the all 3 things we can now unlock the drive.

Unlocking the Drive using the Personal Recovery User and Personal Recovery Key.

Let’s unlock the drive! The command is

diskutil apfs unlockVolume /dev/disk_volume_ID_here -user personal_recovery_user_UUID_here

MrMacintosh.com - Unlocking the drive with the PRK and Personal Recovery User. — Unlocking the drive with the PRK and Personal Recovery User.

After typing in the command you will have a prompt that says Passphrase. Paste or type the Mac’s Recovery Key in and hit enter.

NOTE: for the PRK you have to include all the dashes and use all CAPS.

If you don’t you will get this error

Passphrase incorrect or user does not exist

Once you type in the correct PRK you will be see this message.

Unlocked and mounted APFS Volume attached via Target Disk Mode

Copying Files

One last note if you need to copy files from the user’s folder. If you navigate to the user’s folder and see that you do not have permission to view Desktop, Documents or Downloads. This is not a problem.

MrMacintosh.com - Permission to view is denied. No problem just copy the entire user folder over. — Permission to view is denied. No problem just copy the entire user folder over.

All you need to do is copy the entire user folder over to the Host Mac. You will be prompted to enter in an admin password. This is the admin password on the Host Mac not the Target Mac. Once the User folder is copied over you will have access to all files.

Thanks

I wanted to thank someone who clarified this procedure and also helped test to make sure it worked.

Thank you Mr. Anonymous!!!

I hope this article has helped you. If you have any questions or comments please don’t hesitate to Contact Me.

Mojave 10.14.4+ will now sync your AD password to FileVault if forgotten

If you use Active Directory Mobile Accounts with FileVault, password sync problems will be very familiar to you. I have good news, MacOS Mojave 10.14.4-10.14.6 can now sync AD Mobile Account password changes to FileVault when you don’t know the AD password. Apple added this new feature to macOS 10.14.4 for Mobile Accounts. In previous releases, you needed the old password to sync the password down to FileVault. Local Accounts has had this ability for years. Rich Trouton put together a great article on Resetting and Syncing FV2 Local account passwords. He mentions the methods are only for Local Accounts, NOT Mobile Accounts.

You forgot your AD password on 10.13.0-10.14.3

Users who fall into this situation are in a pinch and options to get the system to sync the new password to FileVault are limited. You could boot the system up using the PRK (Personal Recovery Key) and then have the Help Desk reset the AD password. This would get you into the system but your FV2 password would never sync. You will be forced to continue to unlock the Mac with the PRK (Personal Recovery Key), then login with the new AD password.

The only way to fix this was to have a SecureToken Admin on the system.

Do you have an admin support account that is FileVault/SecureToken enabled? Listed below are two methods to fix out of sync passwords.

1. fdesetup remove / re-add user

sudo fdesetup remove user userwhoforgotpass.

Then re-add the user by running

sudo fdesetup add user localadminuser -usertoadd userwhoforgotpass

What this would do is remove the user from the enabled FileVault user list, then add them back. The sync would happen when you are prompted for the new password when re-enabling the account for FileVault unlock.

2. Sysadminctl -secureTokenOff/On

You can also use sysadminctl. Start by turning off SecureToken and then turn it back on.

sysadminctl -secureTokenOff userwhoforgotpass -password – -adminUser localadmin -adminPassword –

Now turn SecureToken back on.

sysadminctl -secureTokenOn userwhoforgotpass -password – -adminUser localadmin -adminPassword –

The process of turning off SecureToken and then turning it back on will sync the password. Also note that you don’t have to run sysadminctl with sudo.

Problem is, some companies don’t want a FileVault enabled admin account on the system.

NOTE: diskutil apfs updatePreboot / – Does NOT sync the password!

Running diskutil apfs updatePreboot / does NOT sync the password from the OS to FileVault. If this worked in the past, it was only a coincidence. If you changed your AD password outside the Mac, password syncing to FileVault would sometimes take 2-3 restarts. This command is only really needed when you wanted to add a new FileVault user to the system. Running this command would then add the new user to the FileVault pre-boot window. You only had to run this command in 10.13. This was actually a bug and was fixed in 10.14. The new account will now automatically show up at the FV2 pre-boot window after creation.

Enter the 10.14.4 update.

I can’t file this under my previous article 3 undocumented macOS Mojave 10.14.4 Enterprise fixes. This fix was actually documented in the Enterprise Content article for 10.14.4. The problem is the wording is a little confusing, but does kind of make sense.

Reading the third line, it does seem to match our situation. If you forgot your AD password, you would have to continually unlock the Mac with the PRK. You would be forced to do this each time you turned on your Mac or restarted. Notice the wording, it does not say “Fixes”.

How to reset your AD mobile account password and have it sync to FileVault, when you don’t know the previous password.

You need to meet all of the following pre requisites.

macOS Mojave 10.14.4 or newer.
Active connection to Active Directory.
Access to the PRK (Personal Recovery Key)
You have the ability to change your password outside the Mac (2nd Mac, Windows PC, or Web Portal). Or the Help Desk can reset and issue you a temporary password which you can then use to set a new password at the loginwindow.
FileVault Automatic Login enabled

Step 1. Boot Mac with the Personal Recovery Key.

Since you don’t know the previous password you can’t even get past the FileVault Unlock Screen. You will need access to the PRK. Click the user who needs their password reset. In the password line, you will now see a ? button. Click on it, you can now type in the Personal Recovery Key. Try this neat trick to get the Macs serial number. Click the ? a second time.

Pretty neat trick so users can tell the Help Desk the Macs serial number. (Key Escrow or MDM required).

After booting the system with the Personal Recovery Key the process will stop at the login window. On 10.13.0-10.14.3 systems you are prompted to reset the password at the login window.

Mobile Account Password reset pop-up for 10.13.0-10.14.3 systems after booting with the PRK.

This feature is for Local Accounts Only. To change your AD Mobile Account password from the Mac you must give Active Directory the OLD password. You can only do this with System Preferences > Users & Groups > “Change Password” or dscl. As you can see above the interface does not have a box for Old Password.

10.14.4 will now show a new pop up for Mobile Accounts after booting with the PRK.

This is the new 10.14.4 Mobile Account password reset message, but you still can’t reset the AD password here.

The Mac now realizes that you are trying to reset a Mobile Account Password. You will no longer see the Reset Password pop up. This is because AD requires that you enter in the OLD password. Since you don’t know it, you will not be able to reset your password. This is why macOS will not show you the password reset window anymore for mobile accounts. If you use the PRK from a Local Account you will get password reset window with password fields like you would normally expect.

Step 2. Reset the AD Password.

As noted above you for this to work you can reset your AD password one of two ways.

Call the Help Desk and have them reset the password and then issue you a temporary password.
Reset the password on a 2nd Mac, Windows PC, Web Portal etc.

Either way will work for the password change system to work.

If you called the Help Desk and had them reset your AD Password they can now give you a temporary password. Your account will be flagged “Password must be changed on next login“. Enter in your username and then type in the temporary password. Hit enter and you will now get a new pop up window.

Enter in your new password. Click Reset Password when ready. You will be greeted with the login keychain message. You will receive this message anytime you change the password outside the Mac. Click “Create New Keychain” and the Mac will continue to login.

Step 3. Restart to complete the FileVault sync.

You will need to restart at least one more time to complete the sync process.

On this next restart you will need to enter in the PRK ONE MORE TIME.

NOTE: I am still trying to figure out if having to use the PRK twice is a bug or not. I think it is because you don’t have to do this extra step with local accounts.

After you perform one last PRK boot, enter in the username and new password and you will be at the desktop once again. The process is now complete, you can restart to confirm. Use your new AD password to unlock the volume and the system will now auto boot you to the desktop.

Conclusion

This is my 3rd article on password fixes/improvements/problems in 10.14.4

macOS Mojave 10.14.4 update fixes AD Mobile Account/FileVault password change sync issue.

10.14.4 Update breaks local account password reset when using FileVault Recovery Key

MacAdmins who use Active Directory Mobile Accounts want a working password change system that functions seamlessly with FileVault. Now that we have a working native AD Plugin, will this stop the mass exodus to Local Accounts? Only time will tell.

3 Undocumented macOS Mojave 10.14 Enterprise Fixes

In this article, I will talk a little bit about the current state of Apple’s Documentation. After that, I will show you 3 Undocumented 10.14 Mojave fixes that can help you as a MacAdmin.

Documentation, Documentation, and Documentation. Say it three times fast! MacAdmins just want Apple to provide proper documentation for features, controls and security settings and Enterprise Fixes. In some cases, Apple provides excellent documentation. An example of this would be the T2 Security Chip Security Overview released in October of last year. In other cases when it comes to binaries like sysadminctl not so much.

I tried to searching for something that specifically mentions SecureToken or sysadminctl and came up empty.

The best that I could find was a document called “If you see authentication server errors when turning FileVault on in macOS High Sierra“. This article does not even mention SecureToken. You can get a few nuggets of information by checking the sysadminctl binary options but sysadminctl doesn’t have a man page. I even performed a search on developer.apple.com/documentation as you can see in the picture above. I will be writing about sysadminctl next week. Maybe I can create a MacAdmins version of a sysadmincatl man page! Yet when I search for “SmartCard” three documents show up. SmartCard support is a small piece in the overall macOS pie, yet has multiple documents! Side Note: Shout out to all my peeps in the MacAdmins.slack.com #SmartCard channel (about 5 people) 🙂

Documentation is getting better.

If you have been keeping track, Apple documentation is getting better. If you look at the “What’s new in the updates for macOS Mojave” page you will see a large number of fixes. Eagle eye MacAdmins will be first to spot “Enterprise Content”, this is the stuff MacAdmins are interested in.

10.14.2

10.14.3

10.14.4

Check out that first one under 10.14.4! As noted in my previous article, I fought to get that one fixed since 10.14.0. It’s really great to see that fix get mentioned in the Enterprise Content area.

What do you mean undocumented fixes ?

Apple is constantly fixing things behind the scenes. MacAdmins continue to file radars, call Apple Care, test beta releases, submit feedback and submit Apple Enterprise Support tickets. Defects and bugs ARE getting fixed but are not listed in Apple’s Enterprise Content listing. I am not totally sure why certain fixes do not make the list.

Maybe Apple wants to keep the list short while focusing on the major fixes. I wish Apple would list more of them, even if they posted them in an enterprise only area. An example of this would be AppleSeed for IT. If you are part of an Enterprise or School you can be selected to join the program. I highly recommend joining if you are not a member already. You can read the FAQ about joining eligibility here. Inside you will find links to macOS beta downloads and beta documentation. Each beta release (Sometimes up to 6 releases per combo update) will show what has been fixed between updates. This is great information for any MacAdmin to have so you can stay on top of what’s going on.

3 Apple Enterprise fixes included in 10.14.0 – 10.14.4

1. macOS 10.14 Mojave can now provide FV2 Authenticated Restarts for Combo and startOSinstalls.

In 10.14 macOS Updates and Upgrades are now able to perform Authorized Restarts. This feature was not an option in previous releases. This is a pretty big deal, especially for #MacEDU and Enterprise customers who have computer labs.

Previously if you installed a macOS update and the system was FV2 encrypted it would restart but STOP at the FV2 unlock screen. If you performed this update remotely you would lose control of the machine. Things get worse at FV2 login window because firmware will shut the Mac down after 5 minutes of inactivity. The same problem will happen when you start a macOS Upgrade. You will be disappointed after returning from lunch thinking the update is complete only to find the Mac turned OFF. You then power the Mac back on only to find the installer has just started with 40 minutes remaining. With 10.14 if you kick off a combo update or macOS upgrade the installer will perform an Authorized Restart and you will never get stuck at the FV2 prompt again!

For startosinstall you just have to store the mojave.app in a folder like /Users/Shared. Then kick it off with this command – sudo /Users/Shared/Install\ macOS\ Mojave.app/Contents/Resources/startosinstall –nointeraction The –nointeraction option will prevent license agreement message.

2. Installing software updates using the -R restart option at the login window now properly restarts the Mac to the installer. (10.14.4)

When Apple released the T2 security chip they also added additional options to the softwareudpate binary so it could handle BridgeOS updates. Installing a combo update on a T2 Mac is now a multi-step process. Using softareupdate step one remains unchanged, it will download the combo update from Apple which in turn stores in /Library/Updates. For step two, the Mac reaches out to Apple’s personalization service (gs.apple.com) verify the BridgeOS and combo update. When the verification is complete you will have a new folder in /Library/Updates called PersonalizedManifest.

You are automate the entire process by using sudo softwareupdate -iaR. Options -i will install the update, -a will download all updates and -R will perform an automated restart. The process works just fine if you are the logged in user. If the system needs to update the BridgeOS the Mac will shutdown and then will power back on with the T2 Chip to install the BridgeOS update. If the system does not require a BrigeOS update the system will restart to the update installer. The problem comes in if you try to automate the install from the login window using the softwareupate -R or –restart option. Softwareudpate will run run through the process listed out above only to stop at the very end and be unable to restart.

Looks great until the very end, when at the login window the system will NOT restart!

Once all your Macs are updated to 10.14.4, you can now use the -R restart for all situations. Softwareupdate can now restart the Mac if it’s at loginwindow.

3. 10.14 FV2 Authorized restarts can use the PRK (Personal Recovery Key) again.

When 10.13 arrived you could no longer perform FV2 Authenticated restarts using the PRK (Personal Recovery Key). This feature was just flat out broken. This previously worked in 10.12 Sierra and below. NOTE: You could still perform an Authorized restart with your FV2 name and password. An example of a PRK Authorized restart would be if you are a JAMF Pro customer and had a policy that installed a package but it also required a restart. You could select the option “Perform Authenticated Restart” Jamf would then send a fdesetup authrestart using the PRK. The package would install and then the system would perform an FV2 authorized reboot so the user did not have to enter in the password at the FV2 unlock screen.

10.12, 10.11 & 10.10 – Works!

sudo fdesetup authrestart = Enter a password for ‘/’, or the recovery key:

10.13 – Doesn’t work

sudo fdesetup authrestart = Enter the user name: ( hit the enter key to toggle Recovery Key Entry) = Error: Missing user name. Error: Unable to restart (error = -54).

10.14 – Works again!

sudo fdesetup authrestart = Enter the Username: (again hit the enter key to toggle Recovery Key Entry) Enter the current recovery key:

I hope that at least one of the fixes I mentioned in this article helps you. In the future I would love to see more documented Enterprise fixes listed in the combo update patch notes. Until then though, I will continue to document said fixes and let you know about them when I can.

If you have any questions or comments, please feel free to reach out!