Apple’s macOS has the ability to encrypt the hard drive of the system. If a user forgets this passphrase or is unable to unlock the system with the regular macOS password, a Personal Recovery Keys (PRKs) can be used to boot a system.
Symantec Endpoint Encryption for FileVault includes the ability to easily manage the Personal Recovery Keys for these macOS systems encrypted with FileVault, which are sent to the Symantec Endpoint Encryption Management Server (SEE MS).
See the following articles for additional information related to this topic:
To login to the SEE portal, go to the web URL and authenticate the Helpdesk credentials (domain\username format):
In order to find the Personal Recovery Key (PRK) for the user, enter the username in the search field:
In this case, the user is “PGPtestuser”. If multiple entries exist, click the first entry so it’s highlighted and then click “Get Recovery Key”:
This will then display the Personal Recovery Key that can be provided to the user who may be unable to login to the system:
If you search for a user and the user is found, but a recovery key is not available, the following message will be displayed:
SEE FileVault will send the the recovery key to the SEE Management Server, but if the user did not enter their macOS passphrase when they were prompted, the SEE Management Server will not have the recovery key. To check if the user has a recovery key, login to the SEE Management Server and find the user in the computer status report:
In this scenario, the name of the machine in question is “pgptestusers-MacBook-Pro.local”. You can enter part of the hostname surrounded by the percentage symbols to do the search (%pgptestusers-mac%). Once the machine is found, double-click the entry and click on the “Fixed Drives” tab:
As you can see in this example, the “PRK Last Modified” field is blank. This means there is no recovery key that was sent to the server.
When the user is presented with the following screen, they must enter their macOS password:
As is mentioned in the screenshot above, it is very important for the user to enter the macOS password. If this is not entered, no Personal Recovery Key will be sent to the SEE Management Server, which will prevent further recovery from happening. In the example above, the user did not enter this password. The SEE FileVault client is a persistent window that the user cannot delay. They either need to hide the window, or forcefully quit the window from happening.
If the user did not receive the prompt to enter the passphrase, the SEE FileVault client may have not been able to communicate with the SEE Management Server.
If you look on the client machine, and open the SEE FileVault UI, check the “Server Status”:
If the client has never checked in, click the “Check In” button to ensure the client could check in. The following page will appear once this successful:
Once this screen appears, you should then see the recovery key show up on the server:
If you are unable to get the client to check in, it will be useful to review the logs. Symantec Endpoint Encryption will use the “log show” method to capture logs. For more information on how to capture the SEE FileVault “log show” logs, see article 161042 in the section “About the Symantec Endpoint Encryption for FileVault logs”