Install and configure Escrow Buddy on macOS

Escrow Buddy is Netflix's open-source macOS authorization plugin that runs at login, generates a new FileVault personal recovery key when asked to, and lets the key be escrowed to your MDM. When managing macOS devices with Applivery, using Escrow Buddy simplifies compliance with disk encryption policies and ensures that a usable recovery key is stored and accessible when needed.

In this guide, we’ll walk you through the steps to deploy Escrow Buddy via Applivery, configure its behavior using a custom configuration profile, and verify that keys are successfully escrowed to your MDM instance.

Requirements #

Before deploying Escrow Buddy on macOS devices through Applivery, make sure you have the following:

  • Escrow Buddy package (.pkg).

  • Post-installation script.

  • FileVault is enabled in the device policy.

  • FileVault Recovery Key Rotation Script.

  • 1 Applivery license for App Distribution.

Prepare Escrow Buddy #

To deploy Escrow Buddy using Applivery, you will need to upload the compressed app package (.zip) to your App Distribution section and configure it with a post-installation script.

First, download the Escrow Buddy .pkg installer from the GitHub repo.

Once downloaded, compress the .pkg file by right-clicking on it and selecting Compress, which will generate the .zip file required by Applivery.

Next, log in to the Applivery dashboard and navigate to the App Distribution section. From there, follow the steps outlined in our documentation:

  1. Create your first app.
  2. Upload your first build.

Upload the FileVault Recovery Key Rotation Script to Applivery #

To keep the escrowed FileVault recovery key valid over time, we recommend a rotation script that runs on a schedule, for example once every 7 days. The script sets the GenerateNewKey preference that Escrow Buddy reads at login; at the next login of a FileVault-enabled user, Escrow Buddy generates a new personal recovery key, which replaces whatever key was previously escrowed (including one that is missing from the inventory or no longer valid), and the new key is escrowed into the device inventory within Applivery. Note that the script itself does not inspect the current key: it unconditionally requests a rotation, which is what makes it safe to run on a loop.

Once in the Applivery dashboard, head to the Device Management section and select Assets (1). Select the Scripts (2) section from the left-hand menu and click on the + Create Script button (3).


Paste the bash script below, name it Rotation FileVault Key Script, and click Create (4).

#!/bin/bash

# Ask Escrow Buddy to generate a new FileVault personal recovery key.
# Escrow Buddy reads this preference at loginwindow, so the rotation
# happens at the next login of a FileVault-enabled user, not immediately.
defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true

exit 0

Configure your Escrow Buddy policy #

Now, head to the Device Management section and select Policies (5). Choose the policy where you want to deploy the app. From the left-hand menu, select the Apps (6) section and click the + Add App (7) button.

In the modal view, navigate to the Applivery (8) tab to continue with the setup process.

Set the platform to macOS (9), choose Your Workspace (10) as the app origin, and search for the Escrow Buddy app you previously created in the app dropdown (11). For the build selection, choose Last (12) to ensure the latest version is always deployed.


Continue to the next step and select Force Install (13) as the install mode. In the Configuration section, select Post-install (14) and paste your script.


Script #

Escrow Buddy installs as an authorization plugin bundle rather than as an application in /Applications, so the post-install script creates a placeholder app bundle at the path Applivery expects, which lets the app inventory detect the install.

#!/bin/bash

# Post-install script: create a placeholder "Escrow Buddy.app" bundle so that
# Applivery can detect the installation. Escrow Buddy itself runs as a
# loginwindow authorization plugin and has no application bundle of its own.

APP_NAME="Escrow Buddy"
APP_BUNDLE_ID="com.netflix.Escrow-Buddy"
APP_VERSION="1.0.0"   # set this to the version of the .pkg you uploaded
APP_PATH="/Applications/${APP_NAME}.app"
APP_EXECUTABLE="${APP_NAME}"   # must match CFBundleExecutable below

# Create the bundle structure (sudo is a no-op when the script already runs as root)
sudo mkdir -p "${APP_PATH}/Contents/MacOS" "${APP_PATH}/Contents/Resources"

# Verify that the structure was created successfully
if [[ ! -d "${APP_PATH}/Contents/MacOS" ]]; then
    echo "Error: Could not create the application structure"
    exit 1
fi

# Create the Info.plist; the XML and plist versions are "1.0", and
# CFBundleExecutable must name the file created in Contents/MacOS
sudo tee "${APP_PATH}/Contents/Info.plist" > /dev/null <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>CFBundleIdentifier</key>
	<string>${APP_BUNDLE_ID}</string>
	<key>CFBundleName</key>
	<string>${APP_NAME}</string>
	<key>CFBundleVersion</key>
	<string>${APP_VERSION}</string>
	<key>CFBundleShortVersionString</key>
	<string>${APP_VERSION}</string>
	<key>CFBundleExecutable</key>
	<string>${APP_EXECUTABLE}</string>
</dict>
</plist>
EOF

# Create a no-op executable with the name declared in CFBundleExecutable
sudo tee "${APP_PATH}/Contents/MacOS/${APP_EXECUTABLE}" > /dev/null <<'EOF'
#!/bin/sh
# Placeholder created by the Applivery post-install script.
exit 0
EOF
sudo chmod 755 "${APP_PATH}/Contents/MacOS/${APP_EXECUTABLE}"

# Verify that the bundle exists
ls -ld "${APP_PATH}"

Finally, click Save Changes to apply and store your policy configuration.

Configure FileVault #

Next, we need to configure the policy to enable FileVault on the devices. To do this, follow the steps outlined in our documentation under the Recovery Key Management – Auto section.

Once FileVault is properly enabled, add the Rotation FileVault Key Script from the earlier steps to the policy so that the recovery key is rotated and re-escrowed on a schedule. Because each run replaces the current key, a key that is missing from the inventory or no longer valid is remediated at the next login after the script runs, and Applivery retains a usable escrowed key for each device.

To add the script, navigate to Scripts (15) in the left-hand menu and click the + Add Script button (16).


Then search for and select the Rotation FileVault Key Script (17) that was previously uploaded. For the Execution method, we recommend choosing Loop (18) and setting the repetition interval according to your organizational needs (e.g., every 7 days). Keep in mind that the script only flags a rotation: the new key is generated at the next login of a FileVault-enabled user, so the interval you set is the minimum time between rotations, not the exact time at which the key changes.

Finally, click Add (19) to include the script in the policy and Save changes.
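To verify the rotation loop from the device side, the following script is an added example (not part of this article or of the Escrow Buddy project). It checks the three things the rotation depends on: FileVault is on, Escrow Buddy's mechanism is registered in the system.login.console authorization right, and the GenerateNewKey flag written by the rotation script has been consumed. Escrow Buddy resets GenerateNewKey to false after it generates a key, so a flag that is still true after a user has logged in means the plugin never ran. The plugin bundle path and the mechanism name "Escrow Buddy:Invoke,privileged" are assumptions about the Escrow Buddy installer, not facts stated on this page, and the authorizationdb sample is constructed and abbreviated (the real mechanism list is longer; the position shown is not asserted).

```shell
#!/bin/bash
# Added verification example; not part of the Applivery article or the Escrow Buddy project.
# Assumptions (not stated on the page): the plugin bundle path PLUGIN and the
# authorization mechanism name MECHANISM registered by the Escrow Buddy installer.
PREFS="/Library/Preferences/com.netflix.Escrow-Buddy.plist"
PLUGIN="/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
MECHANISM="Escrow Buddy:Invoke,privileged"

# Constructed, abbreviated sample of `security authorizationdb read system.login.console`.
SAMPLE_AUTHDB='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>mechanisms</key><array>
<string>builtin:policy-banner</string>
<string>loginwindow:login</string>
<string>builtin:login-begin</string>
<string>builtin:authenticate,privileged</string>
<string>Escrow Buddy:Invoke,privileged</string>
<string>loginwindow:done</string>
</array></dict></plist>'

# filevault_is_on "<fdesetup status output>": succeeds only when FileVault is On.
filevault_is_on() {
    case "$1" in
        *"FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# rotation_pending "<defaults read output>": `defaults read` prints 1 for a true
# boolean and 0 for false; a missing key prints nothing on stdout.
rotation_pending() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# mechanism_registered "<authorizationdb plist>": the mechanism must be one of the
# <string> entries of the system.login.console mechanisms array.
mechanism_registered() {
    case "$1" in
        *"<string>${MECHANISM}</string>"*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess "<fdesetup output>" "<defaults output>" "<authorizationdb plist>"
# Prints OK, PENDING or FAIL with a reason. Exit status: 0 OK, 1 FAIL, 2 PENDING.
assess() {
    local fv="$1" flag="$2" authdb="$3"
    if ! filevault_is_on "$fv"; then
        echo "FAIL: FileVault is not enabled; nothing to escrow"; return 1
    fi
    if ! mechanism_registered "$authdb"; then
        echo "FAIL: ${MECHANISM} missing from system.login.console"; return 1
    fi
    if rotation_pending "$flag"; then
        # Still true after a login means Escrow Buddy did not run at loginwindow.
        echo "PENDING: rotation will run at the next login of a FileVault-enabled user"; return 2
    fi
    echo "OK"
}

# Live check on the device; only meaningful on macOS, run as root.
check_device() {
    [ "$(uname)" = "Darwin" ] || { echo "SKIP: not macOS"; return 2; }
    [ -d "$PLUGIN" ] || { echo "FAIL: ${PLUGIN} is not installed"; return 1; }
    assess "$(fdesetup status)" \
           "$(defaults read "$PREFS" GenerateNewKey 2>/dev/null || true)" \
           "$(security authorizationdb read system.login.console 2>/dev/null || true)"
}

# Run the live check only when invoked explicitly, e.g. `sudo ./check.sh --check`.
if [ "${1:-}" = "--check" ]; then
    check_device
fi
```

Run it once right after the rotation script has executed (expect PENDING) and again after a FileVault-enabled user has logged in (expect OK). A PENDING that survives a login points at the plugin install or the authorization right, not at the MDM.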

Updated on May 13, 2025