[Evin Hexnode 27 March 2022 Evin Moderator]

Thanks for reaching out to us @darien-jaylen-22.

Could you please check whether the FileVault is activated using Hexnode and which OS is running on the device?

Thanks!
Evin Lee
Hexnode UEM

[Darien Participant 27 March 2022 Darien Participant]

OS: big sur.

A file vault policy is applied on the device, and the policy shows that it is encrypted using a personal recovery key.

[Evin Hexnode 27 March 2022 Evin Moderator]

Hi @darien-jaylen-22,

The Hexnode agent app won’t be active if the device is on the login screen that appears after restarting the device. Hence, you will be unable to push any actions or policies to your device from the Hexnode portal. As you have enabled FileVault via the Hexnode portal, the recovery key can be obtained from the portal. However, it is possible only if the Escrow Personal Recovery Key option is already checked in the FileVault policy.

To obtain the escrowed personal recovery key, you can go to Manage > Devices > Device Info > Security Info and click on Decrypt FileVault Recovery Key. It will display a menu asking whether the FileVault recovery key is automatically encrypted by Hexnode or was encrypted with a certificate. If it was encrypted automatically, you could click on Decrypt to retrieve the key. On the other hand, if it was encrypted with a certificate, you will need the certificate to get the key.

You can use the obtained recovery key to log in to the device. However, if the Escrow Personal Recovery Key option is not enabled, you can erase the device and reinstall the OS to log in to the device.

I hope this helps. Do reach out if you have any further queries.

Cheers!
Evin Lee
Hexnode UEM

[Darien Participant 27 March 2022 Darien Participant]

Thanks @Evin Lee, it worked.

[Alondra Participant 27 March 2022 Alondra Participant]

I’m going to use the personal recovery key to enable FileVault on the devices, and escrow the key to the portal. There is an option to add a certificate to encrypt the key. But how can i create this certificate?

[Evin Hexnode 27 March 2022 Evin Moderator]

Hi @alondra,

Thanks for reaching out to us.

You can create a certificate using the Terminal on Mac devices. Run the command given below to get the job done.

Script to create certificate

openssl genpkey -algorithm RSA -out /folderpath/rsa_private.pem -pkeyopt rsa_keygen_bits:2048 openssl rsa -in /folderpath/rsa_private.pem -pubout -out /folderpath/rsa_public.pem openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem -out /folderpath/rsa_cert.pem -subj "/CN=unused" openssl x509 -outform der -in /folderpath/rsa_cert.pem -out /folderpath/public.crt

1 2 3 4

openssl genpkey -algorithm RSA -out /folderpath/rsa_private.pem -pkeyopt rsa_keygen_bits:2048   openssl rsa -in /folderpath/rsa_private.pem -pubout -out /folderpath/rsa_public.pem   openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem -out /folderpath/rsa_cert.pem -subj "/CN=unused"   openssl x509 -outform der -in /folderpath/rsa_cert.pem -out /folderpath/public.crt

Replace “/folderpath” with the path you want to save the certificates on the device.

After running the command, it will create three certificates “public.crt”, “rsa_private.pem”, and “rsa_public.pem” on the specified locations.

You can upload the certificate “public.crt” to Policies > macOS > Security > Certificates. Then, the certificate will be available to use in the FileVault policy. In the same policy, go to FileVault > Choose Encryption method, and select the Manually specify encryption key option. You can then choose the uploaded certificate from the Encryption Certificate option. Finally, associate the policy with your devices.

You can decrypt the recovery key by uploading the “rsa private.pem” file in the ‘Decrypt FileVault Recovery Key‘ pop-up window.

Hope this suits your requirements.

Thanks!
Evin Lee
Hexnode UEM