
How to Create an Institutional Recovery Key for use in Profile Manager on Mavericks Server

I'm currently running a couple of laptops on a Mavericks server. In Profile Manager there is the option to Require machines to use FileVault; when this is checked there are 3 options:

  • Use an institutional recovery key
  • Create a personal recovery key
  • Use an institutional recovery key and create a personal recovery key

If an institutional key option is selected then you have to choose a 'Certificate that contains the public key from institutional recovery keychain'.


How do you create a certificate with an institutional key inside?

OS X Server Mavericks-OTHER, OS X Mavericks (10.9.1)

Posted on Jan 11, 2014 7:23 PM


Jan 12, 2014 8:56 AM in response to andrewhart1986

Does the OS X: How to create and deploy a recovery key for FileVault 2 tech note (HT5077) help? (If you've already seen that and it's not helping, is there something about that tech note that is missing or confusing here, so that somebody here might be able to address the specific concerns, and possibly also get Apple to update the tech note?)

Sep 11, 2014 12:00 PM in response to MrHoffman

Yeah! That didn't answer his question at all. I too am curious. I was able to create a keychain and then somehow had the X.509 cert it needed imported into the certificate section in OS X Server. Then I just went into Profile Manager and it was there waiting; now, after a reinstall of the Server environment, I cannot recreate my process. Any help on getting OS X Server to recognize a cert to import so that it appears in the Security & Privacy section in Profile Manager?

Oct 15, 2014 8:05 PM in response to andrewhart1986

Following document HT5077 by Apple, we can create the Keychain to strip the certificate out of and utilize that in Profile Manager. From the Server machine using the Admin account:


  • Open System Preferences and select the Users & Groups preference pane.
  • If locked, click the lock icon to authenticate.
  • Click the Services (gear) button and then select “Set Master Password…” from the pop-up menu.
  • Create a master password using the sheet that appears. Password will be XXXXX and the hint is FileVault account password.

The following files will be created:

  • /Library/Keychains/FileVaultMaster.cer
  • /Library/Keychains/FileVaultMaster.keychain

The document HT5077 is finished now; there are further instructions in the document, but they are for manual deployment. From here we have enough to move ahead with our Institutional Key Deployment.

  • Launch Terminal and run this command; authenticate with the Admin password and then the keychain password, as you are unlocking the keychain we just created:
  • sudo security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
  • Once the keychain is unlocked, in Finder navigate to /Library/Keychains/ and click FileVaultMaster.keychain. It will launch Keychain Access and add the keychain.
  • Once inside Keychain Access, under the Keychains pane select FileVaultMaster.
  • You should see two items in the right pane; select the certificate "FileVault Recovery Key". Double-click to launch its info screen, click the caret next to Trust, and in the "When using this certificate" drop-down choose Always Trust. Close that screen.
  • Back in Keychain Access, with the certificate selected, right-click (Ctrl-click) the cert and select Export. Save to the desktop with no password.
  • Launch Server.app and select Profile Manager, or just use Safari to navigate to: https://server.name/profilemanager
  • Inside Profile Manager select the user, group, or device in the left pane and click Edit in the right pane.
  • Under the heading OS X and iOS select Certificates and click Configure.
  • Fill in the certificate name with: FileVault
  • Click Add Certificate… and navigate to the desktop for the FileVault Recovery Certificate.cer that we saved earlier.
  • Once that is added, select Security & Privacy in the left pane under OS X and iOS.
  • Click the FileVault (OS X only) tab and check Require FileVault.
  • Select the radio button next to Use an institutional recovery key.
  • Under the Certificate drop-down, the only one available should say FileVault; select it.
  • Click OK to go back to the main Profile Manager screen, then under the device group we made adjustments to, select Save in the right pane to commit the changes to the configuration profile.


Once the profile gets pushed to the devices, restart, and the active account will be asked to authenticate to enable FileVault. Do this for Pilot, then for the primary user on the Mac; otherwise they will not be able to unlock the HD to load the OS.


Any clarification needed, just ask. I wrote the document for my company, so I had to redact some stuff to share. I spoke with Apple about it; they are writing a document, I believe, as they are now aware there is no documentation out there. I had to show them a good amount of evidence that I did my homework, two escalations to the engineering department, and voilà. Enjoy.
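The same procedure from Terminal, as an added example that is not part of sgoyette's post or of Apple's HT5077. It creates the master keychain with the `security` tool instead of the Users & Groups pane, exports only the certificate (public key) from it, and, before anything is uploaded to Profile Manager, checks that the file is a single parseable X.509 certificate with the expected subject and an RSA key and that no private key leaked into it; a final helper confirms on an enrolled client that the institutional key is bound to the volume. Assumptions: the keychain lives at the HT5077 path, the certificate in it carries the default name "FileVault Recovery Key" mentioned above, `openssl` is available for the checks, and the script name `fvmk.sh` and the `~/Desktop/FileVault.pem` / `.cer` output paths are my own choices.

```shell
#!/bin/sh
# Added example, not from this thread or from Apple's HT5077: the Terminal
# equivalent of the GUI steps above, plus checks on the exported certificate.
# Assumptions: macOS `security`/`fdesetup` exist on the server and client, the
# keychain lives at the HT5077 path, and the certificate inside it carries the
# default name "FileVault Recovery Key". Only `openssl` is needed for the checks.
set -eu

KEYCHAIN="/Library/Keychains/FileVaultMaster.keychain"
CERT_NAME="FileVault Recovery Key"

# Step 1 (server): create the master keychain from Terminal rather than the
# Users & Groups pane. You are prompted for the institutional recovery password;
# this keychain holds the PRIVATE key and must never be copied to clients.
create_master_keychain() {
    sudo security create-filevaultmaster-keychain "$KEYCHAIN"
}

# Step 2 (server): unlock the keychain and write only the certificate (public
# key) out as PEM, which is what the Profile Manager payload needs.
export_recovery_cert() {
    out="$1"
    sudo security unlock-keychain "$KEYCHAIN"
    sudo security find-certificate -c "$CERT_NAME" -p "$KEYCHAIN" > "$out"
}

# Step 3: convert PEM to DER (.cer), the form Keychain Access exports and
# Profile Manager's "Add Certificate..." accepts.
to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Check before uploading: one parseable X.509 certificate, expected subject,
# RSA public key, and NO private key in the file (an accidental identity
# export would hand the recovery secret to every enrolled Mac).
# Returns 0 if the file is safe to deploy, 1 otherwise.
verify_recovery_cert() {
    cert="$1"
    if grep -q "PRIVATE KEY" "$cert"; then
        echo "refusing $cert: it contains a private key" >&2
        return 1
    fi
    subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || {
        echo "refusing $cert: not a parseable X.509 certificate" >&2
        return 1
    }
    case "$subject" in
        *"$CERT_NAME"*) ;;
        *) echo "refusing $cert: unexpected subject '$subject'" >&2; return 1 ;;
    esac
    if ! openssl x509 -in "$cert" -noout -text | grep -q "Public Key Algorithm: rsaEncryption"; then
        echo "refusing $cert: public key is not RSA" >&2
        return 1
    fi
    return 0
}

# Step 4 (client, after the profile is applied and FileVault is enabled):
# confirm the institutional key is actually bound to the volume.
client_has_institutional_key() {
    [ "$(sudo fdesetup hasinstitutionalrecoverykey)" = "true" ]
}

# Usage on the server:  sh fvmk.sh create   (once, prompts for the password)
#                       sh fvmk.sh export   (writes and checks ~/Desktop/FileVault.cer)
# Usage on a client:    sh fvmk.sh check
case "${1:-}" in
    create) create_master_keychain ;;
    export)
        export_recovery_cert "$HOME/Desktop/FileVault.pem"
        verify_recovery_cert "$HOME/Desktop/FileVault.pem"
        to_der "$HOME/Desktop/FileVault.pem" "$HOME/Desktop/FileVault.cer"
        ;;
    check) client_has_institutional_key && echo "institutional recovery key present" ;;
esac
```

The point of `verify_recovery_cert` is the distinction the original question turns on: Profile Manager wants a certificate that contains only the public key, while FileVaultMaster.keychain also holds the private half that unlocks every enrolled Mac. Keep that keychain off the clients and off shared desktops, and upload only the checked .cer.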

Oct 16, 2014 2:26 AM in response to sgoyette

While I can see that using an Institutional Key saves on administration by providing a single 'key' which can unlock all Macs, I am dubious about the security merits of this approach: if anyone gets hold of that 'key' they can presumably unlock all your machines, and the only solution would be to generate a new, uncompromised one for all those Macs, and you would also presumably have to decrypt and re-encrypt them all.


I therefore use Crypt, a free open-source package based on Google's Cauliflower Vest, which stores individual recovery keys in a database. Access is via a web interface, and it allows two-level authorisation, in that a first-level user can request a key and a second, higher level can authorise or deny the request. No more than a single key for a single machine is ever released at a time. One could view this approach as being the same as using an Apple ID to store the recovery key, except, and importantly, you store it on your own server and not on Apple's or Google's.


Crypt still allows enforcing the use of FileVault 2. I have even combined it with Profile Manager, such that I have defined a custom key in Profile Manager to activate or not the use of Crypt, so by simply making a Mac a member of the appropriate Profile Manager device group I can enforce its use or not.
