We are using FileVault PRK escrow feature in our MDM server. And hit issue when the certificate used for PRK encryption get expired and renewed.
From the test result, seems PRK encryption always uses the OLD certificate, which was initially used to enable the FileVault and escrow the PRK, even if the FileVault policy is updated with NEW certificate and already pushed to device.
The only thing we can do to get the key escrowed successfully, is to toggle (turn off then turn on) FileVault on device. Seems MacOS will use the NEW certificate to encrypt the PRK after toggling FV.
We will need Apple's feedback/suggestion if anything we can do to make device pick the new cert for encryption without user interaction(toggle FileVault on device).
I have an Apple feedback ticket created for this: FB9582469
Repro steps:
- MDM server will inject a certificate in FDERecoveryKeyEscrow payload
- MDM will push the FileVault profile to device, the profile is installed successfully
- Enable FileVault on device, select option to “store key” in my MDM server
- The PRK will be generated and escrowed to MDM server
- CEM can decrypt the encrypted PRK with the private key of the certificate mentioned in step-1
—————Here issue comes———
-
The certificate mentioned in step-1 get expired, and we renew it on MDM server
-
Push a new FileVault policy injected with the renewed certificate in FDERecoveryKeyEscrow payload
-
From our test result, seems device is still using the old certificate to encrypt the PRK, and CEM fails to decrypt it
-
If we toggle(turn off then turn on) FileVault on device, the new key can be decrypted successfully by MDM server.
Thanks, Wei