Escrow Buddy: An open-source tool from Netflix for remediation of missing FileVault keys in MDM

Netflix has open-sourced Escrow Buddy, which helps Security and IT teams ensure they have valid FileVault recovery keys for all their Macs in MDM.

Netflix Technology Blog

Overview

The article introduces Escrow Buddy, an open-source tool developed by Netflix to automate the generation and escrow of FileVault recovery keys in a Mobile Device Management (MDM) environment. It addresses the challenges of missing recovery keys and provides a streamlined solution for IT teams managing Mac fleets.

What You'll Learn

1. How to deploy Escrow Buddy to manage FileVault key generation automatically
2. Why automating FileVault key management enhances security culture
3. When to use the FDERecoveryKeyEscrow payload in MDM

Prerequisites & Requirements

  • Understanding of Mobile Device Management (MDM) and FileVault
  • Access to a compatible MDM solution

Key Questions Answered

What is Escrow Buddy and how does it work?
Escrow Buddy is an open-source macOS authorization plugin developed by Netflix that generates a new FileVault recovery key during the normal login process, using the password the user has just entered at the login window. Because it runs inside the existing login flow it needs no extra prompt, and the new key is escrowed to MDM through the MDM's standard FileVault key-escrow mechanism.
What are the common reasons for missing FileVault keys in MDM?
Missing FileVault keys occur for several reasons: FileVault was enabled before the Mac enrolled in MDM, the MDM escrow payload was misconfigured, the Mac was migrated from another MDM, or the MDM's database was corrupted. Without an escrowed key, a user who forgets their password cannot be helped back into the Mac; the only remedy is to wipe it, losing any data that was not backed up.
How can organizations benefit from using Escrow Buddy?
Organizations benefit from Escrow Buddy by automating recovery key generation, which closes the gap of unescrowed keys and reduces the burden on IT support. Because the tool runs inside the login process, remediation is invisible to the user, and the risk of a wiped Mac and lost data is minimized.
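How an authorization plugin hooks into login, as an added example that is not Escrow Buddy's own installer: macOS decides which mechanisms run at console login from the `system.login.console` right in the authorization database, and a plugin installed under /Library/Security/SecurityAgentPlugins/ is activated by inserting its mechanism into that list. The mechanism name `ExampleEscrowPlugin:Invoke,privileged` and the position after `builtin:authenticate,privileged` are assumptions for illustration; check the project's own postinstall script for the real values. The sample right is a constructed, abbreviated stand-in for the real plist.

```python
"""Add or remove an authorization-plugin mechanism in the macOS
system.login.console right.

Added example by the editor; not Escrow Buddy's installer. The mechanism
name and its position in the list are assumptions: check the project's
own postinstall script for the real values.
"""
import plistlib
from typing import List

# Constructed, abbreviated stand-in for the plist printed by
#   security authorizationdb read system.login.console
# A real right has more mechanisms; only the shape matters here.
SAMPLE_RIGHT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>builtin:login-begin</string>
    <string>builtin:authenticate,privileged</string>
    <string>builtin:login-success</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
  </array>
</dict>
</plist>
"""

# Hypothetical mechanism in the "<Bundle>:<Mechanism>,privileged" form used by
# plugins installed under /Library/Security/SecurityAgentPlugins/. The
# ",privileged" suffix makes it run as root, which fdesetup needs.
MECHANISM = "ExampleEscrowPlugin:Invoke,privileged"
# Assumed anchor: the plugin must run after the user has authenticated so the
# typed password is available in the authorization context.
ANCHOR = "builtin:authenticate,privileged"


def mechanisms(right_plist: bytes) -> List[str]:
    """Return the ordered mechanism list of a right given as plist bytes."""
    return list(plistlib.loads(right_plist)["mechanisms"])


def insert_mechanism(right_plist: bytes, mechanism: str = MECHANISM,
                     after: str = ANCHOR) -> bytes:
    """Insert `mechanism` directly after `after`; no-op if already present."""
    right = plistlib.loads(right_plist)
    mechs: List[str] = right["mechanisms"]
    if mechanism in mechs:
        # Idempotent: a re-run installer must not duplicate the mechanism,
        # otherwise the plugin would be invoked twice at every login.
        return plistlib.dumps(right)
    if after not in mechs:
        # Refuse to guess: writing a bad right can break console login.
        raise ValueError(f"anchor {after!r} not found; leaving right untouched")
    mechs.insert(mechs.index(after) + 1, mechanism)
    return plistlib.dumps(right)


def remove_mechanism(right_plist: bytes, mechanism: str = MECHANISM) -> bytes:
    """Uninstall step: drop every occurrence of `mechanism`."""
    right = plistlib.loads(right_plist)
    right["mechanisms"] = [m for m in right["mechanisms"] if m != mechanism]
    return plistlib.dumps(right)


if __name__ == "__main__":
    # On a Mac the same bytes would come from, and go back to,
    #   security authorizationdb read system.login.console
    #   security authorizationdb write system.login.console < edited.plist
    edited = insert_mechanism(SAMPLE_RIGHT_XML)
    print("\n".join(mechanisms(edited)))
```

The two guards are the part worth copying: the insert is idempotent so a re-run package does not register the plugin twice, and it refuses to write anything if the anchor mechanism is missing, because a malformed `system.login.console` right can lock everyone out of console login.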

Technologies & Tools

Security: FileVault
Used for encrypting data on Macs to protect sensitive information.
Management: MDM
Used for managing devices and ensuring compliance with security policies.
Authorization plugin: Crypt
A separate open-source macOS authorization plugin that enforces FileVault and escrows recovery keys to its own server; Escrow Buddy uses the same authorization-plugin mechanism but escrows to MDM.

Key Actionable Insights

1. Deploy Escrow Buddy to streamline the recovery key generation process for your Macs.
By automating this process, you reduce the time IT spends on recovery key management and close a gap in your security posture: a Mac whose key is not escrowed cannot be recovered if the user forgets their password.
2. Ensure your MDM is configured to deploy the FDERecoveryKeyEscrow payload.
This configuration is what makes macOS hand any newly generated recovery key to MDM. Escrow Buddy only generates the key; without the payload installed, regenerating keys fixes nothing.
3. Consider the security implications of user prompts in password workflows.
Escrow Buddy avoids adding another out-of-band password prompt. Users who are trained to type their password into unexpected dialogs become desensitized (consent fatigue) and are easier to phish.

Common Pitfalls

1. Failing to configure the MDM to deploy the FDERecoveryKeyEscrow payload leaves recovery keys unescrowed.
A key that was never escrowed cannot be retrieved when a user is locked out of their Mac, so the only recovery is a data wipe, with the productivity loss that entails. Check that the payload is present on every Mac, not only on the MDM console.
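Both the insight about deploying the FDERecoveryKeyEscrow payload and the pitfall above come down to one profile being present and well-formed, so here is an added example (not from the Netflix post or from Escrow Buddy) that builds a minimal escrow profile and checks a `.mobileconfig` exported from an MDM for the usual defects. The key names `Location` and `EncryptCertPayloadUUID` follow Apple's FDERecoveryKeyEscrow payload; that the referenced certificate must be a `com.apple.security.pkcs1` payload, and the `com.example.*` identifiers and placeholder certificate bytes, are assumptions for illustration.

```python
"""Build and check a configuration profile carrying the FDERecoveryKeyEscrow
payload that tells macOS to hand new FileVault recovery keys to MDM.

Added example by the editor; not from the Netflix post or Escrow Buddy.
Key names follow Apple's FDERecoveryKeyEscrow payload (Location,
EncryptCertPayloadUUID); that the referenced certificate must be a
com.apple.security.pkcs1 payload is an assumption to confirm against
Apple's documentation and your MDM.
"""
import plistlib
import uuid
from typing import Dict, List

ESCROW_TYPE = "com.apple.security.FDERecoveryKeyEscrow"
CERT_TYPE = "com.apple.security.pkcs1"          # assumed certificate payload type

# Constructed placeholder bytes, not a real DER certificate. A real profile
# carries the MDM's escrow certificate; its private key stays on the server.
SAMPLE_CERT_DER = b"\x30\x82\x00\x10" + b"\x00" * 16


def new_uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_escrow_profile(location: str, cert_der: bytes, *,
                         include_cert: bool = True,
                         include_ref: bool = True) -> bytes:
    """Return a .mobileconfig (XML plist) with an escrow payload.

    The keyword flags let the check below be exercised on broken variants,
    which is how this misconfiguration usually looks in practice."""
    cert_uuid = new_uuid()
    escrow: Dict[str, object] = {
        "PayloadType": ESCROW_TYPE,
        "PayloadIdentifier": "com.example.fde-escrow",      # hypothetical
        "PayloadUUID": new_uuid(),
        "PayloadVersion": 1,
        "Location": location,   # shown to the user as where the key went
    }
    if include_ref:
        escrow["EncryptCertPayloadUUID"] = cert_uuid
    payloads = [escrow]
    if include_cert:
        payloads.append({
            "PayloadType": CERT_TYPE,
            "PayloadIdentifier": "com.example.fde-escrow.cert",
            "PayloadUUID": cert_uuid,
            "PayloadVersion": 1,
            "PayloadContent": cert_der,   # serialised as <data>
        })
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.fde-escrow.profile",
        "PayloadUUID": new_uuid(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": "FileVault recovery key escrow",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def check_escrow_profile(profile_bytes: bytes) -> List[str]:
    """Return a list of problems; an empty list means the profile looks usable."""
    problems: List[str] = []
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadScope", "User") != "System":
        problems.append("PayloadScope must be System: escrow is a device-level setting")
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    escrows = [p for p in payloads if p.get("PayloadType") == ESCROW_TYPE]
    if not escrows:
        problems.append(f"no {ESCROW_TYPE} payload: new keys will never reach MDM")
        return problems
    if len(escrows) > 1:
        problems.append("more than one escrow payload in the same profile")
    escrow = escrows[0]
    if not escrow.get("Location"):
        problems.append("Location missing or empty")
    ref = escrow.get("EncryptCertPayloadUUID")
    if not ref:
        problems.append("EncryptCertPayloadUUID missing: macOS has nothing to encrypt the recovery key with")
        return problems
    cert = by_uuid.get(ref)
    if cert is None:
        problems.append(f"EncryptCertPayloadUUID {ref} does not match any payload in this profile")
    elif cert.get("PayloadType") != CERT_TYPE:
        problems.append(f"referenced payload is {cert.get('PayloadType')!r}, expected {CERT_TYPE}")
    elif not cert.get("PayloadContent"):
        problems.append("certificate payload has no PayloadContent")
    return problems


if __name__ == "__main__":
    good = build_escrow_profile("Your IT team (MDM)", SAMPLE_CERT_DER)
    print("good profile:", check_escrow_profile(good) or "OK")
    print("no cert ref :", check_escrow_profile(
        build_escrow_profile("Your IT team (MDM)", SAMPLE_CERT_DER, include_ref=False)))
```

Feed `check_escrow_profile` the `.mobileconfig` your MDM actually ships (export it from the MDM rather than trusting the console's checkbox). The dangling-UUID case is the one to watch for when profiles are rebuilt by hand or migrated between MDMs: the escrow payload survives but the certificate it points at does not, and macOS then has no public key to wrap the recovery key with.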

Related Concepts

Mobile Device Management (MDM)
FileVault encryption
Authorization plugins in macOS