
After a macOS update/upgrade, Escrow Buddy is no longer in the authorization database. #22297

Closed
F1Feng opened this issue Sep 23, 2024 · 5 comments · Fixed by #22298
Labels
bug Something isn't working as documented #g-mdm MDM product group :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~released bug This bug was found in a stable release.

Comments

@F1Feng
Contributor

F1Feng commented Sep 23, 2024

Fleet version: v4.55
💥  Actual behavior

After a macOS update/upgrade, Escrow Buddy is no longer in the authorization database.

🧑‍💻 Steps to reproduce

  • MDM enroll
  • macOS update to a new version (e.g. 14.5 to 15.0)
  • MDM unenroll -> MDM enroll
  • Then the disk encryption function does not work (the file /var/db/FileVaultPRK.dat will not be found).

🕯️ More info

Some macOS updates and upgrades reset the authorization database to its default state, which will deactivate Escrow Buddy and prevent FileVault key generation upon next login.

Although this behavior adds friction to administering Escrow Buddy on your Macs, it's actually a great opportunity to test new macOS versions and ensure Escrow Buddy (or any authorization plugin) works as expected before reflexively re-enabling.

Once you've tested and are confident that Escrow Buddy works with the versions of macOS your company Macs are running, you can run this command (in root context) to re-enable Escrow Buddy in the authorization database:

/Library/Security/SecurityAgentPlugins/Escrow\ Buddy.bundle/Contents/Resources/AuthDBSetup.sh

Tips for configuring this on various MDMs can be found in the Examples wiki page.

Also see this related blog post: Managing login mechanisms in the macOS authorization database

@F1Feng F1Feng added :incoming New issue in triage process. :reproduce Involves documenting reproduction steps in the issue bug Something isn't working as documented labels Sep 23, 2024
F1Feng added a commit to F1Feng/fleet that referenced this issue Sep 23, 2024
@georgekarrv georgekarrv added the #g-mdm MDM product group label Sep 23, 2024
@georgekarrv
Member

Thanks for sharing and thanks for the PR. We'll take a look at this today or tomorrow!

roperzh pushed a commit that referenced this issue Sep 24, 2024
fix: #22297 re-enable Escrow Buddy in the auth-db
@fleet-release
Contributor

OS update resets,
Buddy's key, once lost, now found.
Secure, smooth sail set.

@roperzh roperzh added :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~released bug This bug was found in a stable release. and removed :reproduce Involves documenting reproduction steps in the issue :incoming New issue in triage process. labels Sep 24, 2024
@roperzh roperzh self-assigned this Sep 24, 2024
@roperzh roperzh reopened this Sep 24, 2024
@lukeheath lukeheath added this to the 4.58.0-tentative milestone Sep 24, 2024
@PezHub
Contributor

PezHub commented Sep 26, 2024

QA Notes:

  1. Enrolled a previously encrypted Mac running 14.4.1 in Fleet
  2. Confirmed the FV key was rotated and escrowed in Fleet
  3. Confirmed the presence of the Escrow Buddy plug-in in /Library/Security/SecurityAgentPlugins and of /var/db/FileVaultPRK.dat on the host
  4. Upgraded the host to macOS 15
  5. Unenrolled and confirmed /var/db/FileVaultPRK.dat was no longer present
  6. Re-enrolled the host and confirmed the presence of the file and that the FV key was rotated and escrowed in Fleet

@F1Feng
Contributor Author

F1Feng commented Sep 27, 2024

> QA Notes:
>
>   1. Enrolled a previously encrypted Mac running 14.4.1 in Fleet
>   2. Confirmed the FV key was rotated and escrowed in Fleet
>   3. Confirmed the presence of the Escrow Buddy plug-in in /Library/Security/SecurityAgentPlugins and of /var/db/FileVaultPRK.dat on the host
>   4. Upgraded the host to macOS 15
>   5. Unenrolled and confirmed /var/db/FileVaultPRK.dat was no longer present
>   6. Re-enrolled the host and confirmed the presence of the file and that the FV key was rotated and escrowed in Fleet

Hi @PezHub, thank you for your reply.

Perhaps the auth db reset doesn't always happen. I think you can try resetting the auth db using the command below (simulating an auth db reset after a macOS update):

sudo security authorizationdb reset

Next step:

  • unenroll MDM
  • re-enroll MDM and confirm

I think the disk encryption will not work.
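A host-side check for the state described in this issue and in the reproduction tip above (an auth db reset that drops Escrow Buddy, with /var/db/FileVaultPRK.dat then never appearing). This is an added example, not Fleet's or Escrow Buddy's own code; it assumes Escrow Buddy's AuthDBSetup.sh registers a mechanism named "Escrow Buddy:Invoke,privileged" under the system.login.console right, and the plist samples are constructed.

```shell
#!/bin/sh
# Added example (not Fleet's or Escrow Buddy's own code): detect whether a macOS
# update reset the authorization database and dropped Escrow Buddy, the failure
# mode this issue reports. Assumption: AuthDBSetup.sh registers the mechanism
# "Escrow Buddy:Invoke,privileged" under the system.login.console right.
ESCROW_MECH="Escrow Buddy:Invoke,privileged"
PRK_FILE="/var/db/FileVaultPRK.dat"

# Constructed sample of `security authorizationdb read system.login.console`
# after a reset (a default-style mechanism list, Escrow Buddy absent).
SAMPLE_RESET_AUTHDB='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>mechanisms</key>
  <array>
    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>builtin:authenticate,privileged</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
  </array>
</dict></plist>'

# Constructed sample after AuthDBSetup.sh re-enabled the plugin.
SAMPLE_OK_AUTHDB=$(printf '%s\n' "$SAMPLE_RESET_AUTHDB" |
  sed "s|<string>loginwindow:done</string>|<string>${ESCROW_MECH}</string><string>loginwindow:done</string>|")

# Exit 0 when the mechanism named in $1 appears in the plist read from stdin.
authdb_has_mechanism() {
  grep -qF "<string>$1</string>"
}

# Classify a host from its system.login.console plist ($1) and PRK path ($2).
# Prints ok | mechanism-missing | prk-missing; exit status is 0 only for ok.
escrow_buddy_status() {
  if ! printf '%s\n' "$1" | authdb_has_mechanism "$ESCROW_MECH"; then
    echo "mechanism-missing"  # auth db was reset: rerun AuthDBSetup.sh as root
    return 1
  fi
  if [ ! -f "$2" ]; then
    echo "prk-missing"        # plugin active, no PRK until the next login
    return 2
  fi
  echo "ok"
}

# Live check on a Mac; reports not-macos where the security CLI is absent.
live_check() {
  command -v security >/dev/null 2>&1 || { echo "not-macos"; return 3; }
  escrow_buddy_status "$(security authorizationdb read system.login.console 2>/dev/null)" "$PRK_FILE"
}
```

Source the script on a managed Mac and call `live_check` (as root, so the PRK path is readable) after an OS update, or after `sudo security authorizationdb reset`, to see whether re-enabling Escrow Buddy is needed before the next login.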

@fleet-release
Contributor

With each Mac update,
Buddy fades, then shines anew,
Keys secure, trust innate.

@georgekarrv georgekarrv removed the :demo label Oct 25, 2024