Apple has provided great documentation on how to create and deploy institutional key.
Create a master password and private recovery key for your institution
First, create a master password and private recovery key on one of your Mac computers:
- Choose the Apple menu > System Preferences, then click Users & Groups.
- Click the Lock button, then enter a user name and password.
- From the Action menu, choose Set Master Password.
- Enter and verify your master password, then click OK.
- Move the file at /Library/Keychains/FileVaultMaster.cer to the Trash.
- Copy the file at /Library/Keychains/FileVaultMaster.keychain to a secure location, like an external drive or an encrypted disk image on another physical disk. This FileVault master keychain contains the private FileVault recovery key. You can use this private key to unlock the startup disk of any Mac computer that uses your deployed FileVault master keychain.
Update and deploy the FileVault master keychain
- Drag the file at /Library/Keychains/FileVaultMaster.keychain to the Desktop to copy it onto the Desktop.
- On the Desktop, double-click the copied version of FileVaultMaster.keychain.
- Keychain Access opens and there are two “FileVaultMaster.keychain” listed on the left.
- Select the file at /Users/username/Desktop/FileVaultMaster.keychain.
- Click the lock in the upper-left corner to unlock the FileVaultMaster keychain.
- Select the private key.
- Press the Delete key on the keyboard. Click Delete in the dialog.
- Quit Keychain Access.
- Copy the updated file at ~/Desktop/FileVaultMaster.keychain back to /Library/Keychains.
- Type admin name and password in the dialog.
- Click the Replace button in the dialog.
Deploying the MasterKey Keychain to all Mac Clients using Addigy
1. Begin by creating a Custom Software Package for your .Keychain file by going to Policies > Catalog > Custom Software > Create Custom Software.
2. Upload your newly created Keychain file. (The updated file from step. 9 in "Update and Deploy the FileVault Master Keychain")
3. Copy and paste this command into the "Installation Script" field:
ditto "/Library/Addigy/ansible/packages/FVTake2 (2.0.0)/FileVaultMaster.keychain" "/Library/Keychains" /Library/Addigy/filevault-manager -enable -defer -escrow -prompt-restart
This will move the .keychain into the machines /Library/Keychains/ folder,
because of the existence of this file in that directory, when the file vault manager command runs,
it'll know that the Institutional key was set up and encrypt the drive using the institutional key, it'll also create a personal key per machine.
The FileVault encryption will start on the next user log in. The key will not be escrowed to Addigy for security reasons.
How To FileVault Additional Users
This can be achieved in two ways,
1. Head over to System Preferences -> Security and Privacy -> FileVault
1b. Click on enable users, then select the user you would like to unlock.
2. You can also do this via the terminal.
sudo fdesetup add -usertoadd "USER_NAME_HERE"
2a. This will prompt you for an Admin password, the password of a root user (You can typically use the same admin password) and then the password of the user getting added to the file vault.
3. You can view all users File Vaulted by using the command
sudo fdesetup list
4. Assuming we want to do this remotely via terminal we would use this command and pass it a plist that contains the username and password of a filevaulted user and the username and passwords of the user(s) that will be added to the filevault.
fdesetup add -inputplist < /path/to/filename.plist
Plist would be formatted in such fashion:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Username</key> <string>username</string> <key>Password</key> <string>password</string> <key>AdditionalUsers</key> <array> <dict> <key>Username</key> <string>username</string> <key>Password</key> <string>password</string> </dict> <dict> <key>Username</key> <string>username</string> <key>Password</key> <string>password</string> </dict> </array> </dict> </plist>