Automating the removal of Dells “DDPE” Encryption from macOS & Applying FileVault Encryption across the Enterprise with JAMF

Automating the removal of Dells “DDPE” Encryption from macOS & Applying FileVault Encryption across the Enterprise with JAMF

I came into an environment with Jamf Managed Legacy macOS X Devices utilizing Dells Data Protection Encryption. Great, they’re all encrypted, Not Great, they don’t report the Keys to Jamf but a DDPE server & with Jamf being our central management system for all Macintosh systems, these devices need to report to Jamf. Fortunately the versions of DDPE I had to deal with actually just utilized Apples Native FileVault encryption but with a DDPE Container so it was still technically “FileVaulted”, this results in the mac not needing to decrypt & re-encrypt making for a flawless execution. This is not the case in some older versions of DDPE though. I lucked out.

The following steps are how I successfully removed DDPE from all of my managed macs & allowed the Filevault Keys to report to Jamf instead. Note that the Legacy Macs I performed this on were running either version 10.10 macOS Yosemite, 10.11 macOS el Capitan or 10.12 macOS Sierra, They were all managed by Jamf & encrypted utilizing the same Managed Administrator Account. I cannot guarantee that this will work for previous / newer versions of macOS as I have not tested. Utilizing the steps in the process will allow you to locate the required paths & information to test on older & newer devices.

Using Jamf I broke this down into 6 separate steps, Extension Attributes to pull the information I needed into Jamf, Creating a Smart Group, Creating a Static Group, a Configuration Profile to redirect the FileVault Key & a Policy containing 3 scripts utilizing Jamfs API to put DDPE Removed macs into their own Static Group, remove DDPE & reissue the Filevault Key.

Extension Attributes

These extension attributes are necessary because different versions of DDPE & macOS store the information needed in different locations. In order to make sure everything is taken care of on the variety of versions in your environment, you will need to identify all the different versions on the different operating systems, obtain the information populated by these EAs & use them for scripting the removal process.

In your Jamf Pro Dashboard, Navigate to the following path
Computers -> Management Settings -> Computer Management -> Extension Attributes -> + New

The settings for all of the Extension Attributes are as follows.

(Images Provided for Reference in Steps 1 – 4)

Check Enabled (script input type only)
Data Type: String
Inventory Display: Extension Attributes (*Note Set to your preferred inventory display)
Input Type: Script

1. Create Extension Attribute to obtain DDPEs Version
Click Here for Shell Script to obtain DDPE Version Number

#!/bin/bash

dellPrefPane()
{
    if [ -d "/Library/PreferencePanes/Dell Encryption Enterprise.prefPane" ]; then
        prefpane="/Library/PreferencePanes/Dell Encryption Enterprise.prefPane"
    elif [ -d "/Library/PreferencePanes/Dell Data Protection.prefPane" ]; then
        prefpane="/Library/PreferencePanes/Dell Data Protection.prefPane"
    else
        return 1
    fi
}

if dellPrefPane; then
    result=$("$prefpane"/Contents/Helpers/client -v)
else
    result="Not Installed"
fi

echo "$result"

 

2. Create Extension Attribute to obtain DDPEs Encryption Status
Click Here for Shell Script to obtain DDPEs Encryption Status

#!/bin/bash

dellPrefPane()
{
    if [ -d "/Library/PreferencePanes/Dell Encryption Enterprise.prefPane" ]; then
        prefpane="/Library/PreferencePanes/Dell Encryption Enterprise.prefPane"
    elif [ -d "/Library/PreferencePanes/Dell Data Protection.prefPane" ]; then
        prefpane="/Library/PreferencePanes/Dell Data Protection.prefPane"
    else
        return 1
    fi
}

if dellPrefPane; then
    result=$("$prefpane"/Contents/Helpers/client -d | awk '/status/{print substr($NF,1,length($NF)-1)}')
else
    result="Not Installed"
fi

echo "$result"

 

3. Create Extension Attribute to obtain DDPEs Preference Pane
Click Here for Shell Script to obtain DDPEs Preference Pane

#!/bin/bash

DDPEPREF=$(sudo mdfind -name Dell | grep ".prefPane")

echo "$DDPEPREF"

4. Create Extension Attribute to obtain DDPEs Uninstall Script Location
Click Here for Shell Script to obtain DDPEs Uninstall Script Location

#!/bin/bash

UNINSTALLEMS=$(sudo find / -name uninstallEMS.sh)

echo "$UNINSTALLEMS"

Now that you have the extension attributes established, the following images depict what your dashboard will reflect on a 10.11 & 10.12 Mac that has updated its inventory to Jamf.

10.11.6

10.12.6

Note the differences in the uninstall scripts path highlighted in the images above. This is important because all of these various locations will need to be utilized in order to remove DDPE from all devices in one fell swoop.

10.11.6 Path: /Library/Dell/EMS/Uninstall EMS.app/Contents/Resources/uninstallEMS.sh
10.12.6 Path: /Library/Dell/EMS/Uninstall Dell Encryption External Media.app/Contents/Resources/uninstallEMS.sh

 

Smart Group

In order to scope our policy, you now need to create a Smart Computer Group, this smart groups criteria will be predicated upon the DDPE Encryption Status extension attribute. That EA results in two parameters. Encrypted or Not Installed, in this smart group we are targeting the Encrypted Devices.

In your Jamf Pro Dashboard, Navigate to the following path
Computers -> Smart Computer Groups -> + New

5. Create Smart Computer Group

I chose the display name of “DDPE – Encrypted”.

Criteria 1: Set to extension attribute “DDPE Encryption Status”, I set the operator to “is” & Value to “Encrypted”

Criteria 2: Set to “Last Check-in”, I set the operator to “less than x days ago” & Value to “30”

AND/OR Field: In the far left adjacent to the 2nd Criteria, set the AND/OR function to “and”

This results in a smart computer group containing Macs that are encrypted with DDPE that are still active in the environment. My Example Smart Computer Group is depicted below.

 

Static Group

The static computer group serves 3 purposes. First purpose is it allows Jamfs API to add a computer to the group. Second purpose is providing a group to scope the configuration profile to (&/or to exclude from another Configuration profiles scope containing a redundant payload). The third purpose is to keep track of the macs in your environment that had DDPE Decrypted.

In your Jamf Pro Dashboard, Navigate to the following path
Computers -> Static Computer Groups -> + New

6. Create Static Computer Group

I chose the display name of “DDPE_UnEncrypted”

Once you save the Static Computer Group, Take note of the Url, I highlighted the Groups ID# in red in the image above & pasted the url below & emboldened the Group ID#. For this example, my Group ID# is 227, this is important for the API Script.

https://server.jamfpro.org:8443/staticComputerGroups.html?id=227&o=u

 

Configuration Profile

A configuration profile is required to direct the FileVault recovery key from the end users mac to Jamf.

*Note that this configuration profile contains a Security & Privacy Payload. The nature of redundant configuration profiles payloads existing on one machine results in the machine utilizing the (singular) most restrictive payload, ensure you do not have any other Configuration Profiles containing a Security & Privacy Payload or conflict errors will occur resulting in either this process not working or this process working & settings being disallowed or allowed that weren’t previously available to the end user.

In your Jamf Pro Dashboard, Navigate to the following path
Computers -> Configuration Profiles -> + New

7. Create Configuration Profile

General Tab
Set your naming convention & Make sure to set the Distribution Method to “Install Automatically” & Level to “Computer Level”.

Security & Privacy Payload Tab

The General, Firewall & Privacy tabs are up to you to decide, I’m only focusing on the Filevault tab.

Select the FileVault Tab, Check “Enable Escrow Personal Recovery Key”, The “Escrow Location Description” is shown in the System Preferences -> Profiles -> Your DDPE FV Encryption Profiles Description. Select “Automatically encrypt and decrypt recover key” under Personal Recovery Key Encryption Method.

FileVault Recovery Key Redirection Tab
Select “Automatically redirect recovery keys to the Jamf Pro Server” under Recovery Key Redirection.

Scope Tab
Scope to the “DDPE_UnEncrypted” Static Computer Group.

 

Scripts

The following 3 scripts are designed to run sequentially. The execution of the scripts is predicated upon the alphanumeric naming convention of 0-1 A-Z . It’s important that you name them accordingly in your environment so they execute in the proper order.

Script 1: DDPE 0.1 API Add to UnEncrypted Static Group
Script 2: DDPE 0.2 Remove DDPE Contents
Script 3: DDPE 0.3 Reissue Filevault Key

In your Jamf Pro Dashboard, Navigate to the following path
Computers -> Mangement Settings -> Computer Management -> Scripts -> + New

8. Add Scripts to Jamf Pro

Click Here for Script 1: DDPE 0.1 API Add to UnEncrypted Static Group
 

The API call will place the mac into the DDPE_UnEncrypted Static Group that was created. This will then trigger the configuration profile to deploy to the computer. A recon is run at the end for good measure.

Paramaters $4, $5 & 6 are passed from the Policy in Jamf.
I advise that you Utilize Jamfs Encrypted Script Parameters scripts found here.

apiuser=$4
apipass=$5
jssURL=$6

*Note You will need to create an API User on your Jamf Pro Server, it does need some permissions but not all. I gave mine full access permission & in the Privileges Tab -> Jamf Pro Server Objects, Checked all boxes in Create, Read & Update. This is Environment specific as far as what else you want to do, but that permission set will allow this script to work.

You can access Jamfs Api Locally by adding /api/ to the end of your jamf pro servers url.

https://server.jamfpro.org:8443/api/

You can also learn more about via the following links.
Jamfs Developer Page
Jamfs Classic Api Page
Jamfs uApi Page.

Script 2: DDPE 0.2 Removal

Click Here for Script 2: DDPE 0.2 Removal
 

Sometimes simpler is better, I’m a big fan of granularity but instead of writing an extensive shell script with a bunch of if then statements determining version number & file path locations, I opted for a very simple straight forward all in one try/end try applescript targeting every possible file path location associated with DDPE in my environment.

Also, Note that at the very end of this script I remove OSXFuse from the system.
More information on OSXFuse Here.

Script 3: DDPE 0.3 Reissue Filevault Key

Script 3: DDPE 0.3 Reissue Filevault Key
 

Variables userName & userPass must contain the username & password credentials of the original administrator account on the end users device that enabled DDPE & in turn, enabled filevault. This is why it’s important that DDPE was installed on machines by a universal managed administrator account.

Paramaters $4 & $5 are passed from the Policy in Jamf.
I advise that you Utilize Jamfs Encrypted Script Parameters scripts found here.

userName=$4
userPass=$5

This is not my script, it is a portion of Jamfs Reissue Key Script found here.

Policy

Now to tie everything together & Create a policy to deploy across the enterprise. These changes all occur silently & rather quickly, the longest part is running the Jamf Recon command. It is important to set the execution frequency to once per computer, however you to trigger it is up to you. Below you will find my policy in detail.

In your Jamf Pro Dashboard, Navigate to the following path
Computers -> Policies -> + New

9. Create Policy

General Tab

Scripts Tab

Scope Tab

Final Preview

There you have it, you can now Automate the removal of DDPE, Have Filevault enabled & direct the keys to Jamf for complete managment.

5 thoughts on “Automating the removal of Dells “DDPE” Encryption from macOS & Applying FileVault Encryption across the Enterprise with JAMF

Leave a Reply

Your email address will not be published. Required fields are marked *