
device stuck in login screen
Solved

Participant
Discussion
2 years ago

Hi,
One of our employee’s Macs got stuck on the login screen after restarting the device. The employee had forgotten the password, so he tried to reset the device by entering the recovery mode. But it asked for the recovery key. So how do I get the device out of this state? Can Hexnode help?

Replies (6)

Hexnode Expert
2 years ago

Thanks for reaching out to us @darien-jaylen-22.

Could you please check whether the FileVault is activated using Hexnode and which OS is running on the device?

Thanks!
Evin Lee
Hexnode UEM

Participant
2 years ago

OS: Big Sur.

A FileVault policy is applied on the device, and the policy shows that it is encrypted using a personal recovery key.

Hexnode Expert
2 years ago

Hi @darien-jaylen-22,

The Hexnode agent app won’t be active if the device is on the login screen that appears after restarting the device. Hence, you will be unable to push any actions or policies to your device from the Hexnode portal. As you have enabled FileVault via the Hexnode portal, the recovery key can be obtained from the portal. However, it is possible only if the Escrow Personal Recovery Key option is already checked in the FileVault policy.

To obtain the escrowed personal recovery key, you can go to Manage > Devices > Device Info > Security Info and click on Decrypt FileVault Recovery Key. It will display a menu asking whether the FileVault recovery key is automatically encrypted by Hexnode or was encrypted with a certificate. If it was encrypted automatically, you could click on Decrypt to retrieve the key. On the other hand, if it was encrypted with a certificate, you will need the certificate to get the key.

You can use the obtained recovery key to log in to the device. However, if the Escrow Personal Recovery Key option is not enabled, you can erase the device and reinstall the OS to log in to the device.

I hope this helps. Do reach out if you have any further queries.

Cheers!
Evin Lee
Hexnode UEM

Participant
2 years ago

Thanks @Evin Lee, it worked.

Participant
2 years ago

I’m going to use the personal recovery key to enable FileVault on the devices, and escrow the key to the portal. There is an option to add a certificate to encrypt the key. But how can I create this certificate?

Hexnode Expert
2 years ago

Hi @alondra,

Thanks for reaching out to us.

You can create a certificate using the Terminal on Mac devices. Run the command given below to get the job done.

Replace “/folderpath” with the path you want to save the certificates on the device.

After running the command, it will create three certificates “public.crt”, “rsa_private.pem”, and “rsa_public.pem” on the specified locations.

You can upload the certificate “public.crt” to Policies > macOS > Security > Certificates. Then, the certificate will be available to use in the FileVault policy. In the same policy, go to FileVault > Choose Encryption method, and select the Manually specify encryption key option. You can then choose the uploaded certificate from the Encryption Certificate option. Finally, associate the policy with your devices.

You can decrypt the recovery key by uploading the “rsa_private.pem” file in the ‘Decrypt FileVault Recovery Key’ pop-up window.

Hope this suits your requirements.

Thanks!
Evin Lee
Hexnode UEM
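
The command itself does not appear in the reply above. As an added example (not Hexnode's own command), this is one way to produce the three files it names with openssl and to confirm that public.crt matches rsa_private.pem before uploading it. The subject name, key size, validity period and output path are assumptions.

```shell
#!/bin/sh
# Added example, not Hexnode's command. The subject name, key size and
# validity period are assumptions chosen for illustration.

# make_escrow_cert DIR [DAYS]
# Writes rsa_private.pem, rsa_public.pem and public.crt into DIR.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_escrow_cert() (
    outdir=$1
    days=${2:-1095}
    umask 077
    mkdir -p "$outdir" || exit 1
    # Unencrypted 2048-bit RSA key plus a self-signed certificate over it.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=filevault-escrow-example" \
        -keyout "$outdir/rsa_private.pem" \
        -out "$outdir/public.crt" 2>/dev/null || exit 1
    # Public half of the key, exported separately.
    openssl rsa -in "$outdir/rsa_private.pem" -pubout \
        -out "$outdir/rsa_public.pem" 2>/dev/null || exit 1
    # Only the private key needs to stay secret.
    chmod 600 "$outdir/rsa_private.pem"
    chmod 644 "$outdir/public.crt" "$outdir/rsa_public.pem"
)

# check_escrow_cert DIR
# Succeeds only if public.crt carries the public key of rsa_private.pem
# and the certificate is still valid 30 days from now.
check_escrow_cert() (
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/public.crt" -noout -pubkey 2>/dev/null) || exit 1
    key_pub=$(openssl rsa -in "$dir/rsa_private.pem" -pubout 2>/dev/null) || exit 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || exit 1
    openssl x509 -in "$dir/public.crt" -noout -checkend 2592000 >/dev/null 2>&1
)

# Usage (constructed path):
#   make_escrow_cert "$HOME/filevault-escrow" && check_escrow_cert "$HOME/filevault-escrow"
```

Because the escrowed recovery key can only be decrypted with rsa_private.pem, store that file away from the managed Macs and run the check again whenever the certificate or key is moved or replaced.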