To maintain the security of the FileVault Personal Recovery Key (PRK), Workspace ONE UEM supports a native MDM mechanism that automatically rotates the key after it has been accessed by a user in the Self-Service Portal or by an administrator in Device Details in the UEM Console. This enforces the security practice that the PRK is viewed only when needed to unlock a disk and is re-secured in a timely manner once it has been viewed.

To use the automatic recovery key rotation feature, you must have:

  • The latest UEM console, or an existing UEM console upgraded to the latest version.
  • macOS devices running macOS 10.14 or later.
  • Devices that are encrypted and have an existing recovery key escrowed to the UEM console.

Automatic Recovery Key Rotation When Viewed

When the Personal Recovery Key (PRK) is accessed through the Device Details page or the Self Service Portal, the native MDM command to rotate the PRK is queued for the device 15 minutes later, and the device processes the command on its next check-in. Additionally, an event log is captured with the details, such as when the key was last viewed and by which user. The event logs also report the status of the PRK rotation command throughout its lifecycle.

Recovery key rotation can be performed by both the admins (through the UEM console) and the users (through the SSP). Step 1 details the procedure for admins and step 2 details the procedure for users.

Prerequisites

The device must be encrypted with a Personal Recovery Key escrowed to the UEM console.

Procedure

  1. To access the Device Details page, navigate to Devices > List View and select a macOS device.
    a. Select View Recovery Key under the Security section of the Summary tab. The View Recovery Key page appears, displaying the Current Personal Recovery Key with the timestamp at which it was rotated and, additionally, the previous recovery key for backup.

      If the recovery key was never rotated, the Previous Personal Recovery Key field remains empty.

    b. Approximately 15 minutes after completing step a, the MDM command to rotate the recovery key is queued for the device. For more information on auditing the key access and rotation lifecycle, see the View Recovery Key Event Logs section.
  2. To access the device through the SSP, enter the https://<AirWatchEnvironment>/MyDevice URL in the browser.
    a. Select View Recovery Key under the Security section of the Summary tab. The View Recovery Key page appears, displaying the Current Personal Recovery Key with the timestamp at which it was rotated and, additionally, the previous recovery key for backup.
    b. Approximately 15 minutes after completing step a, the MDM command to rotate the recovery key is queued for the device.

View Recovery Key Event Logs

Any event related to the PRK, such as the rotate command being initiated or a new recovery key sample being received, can be viewed in the UEM console. The events are tracked as Event Logs in the Troubleshooting tab on the Device Details page.

  1. Navigate to Devices > List View and select a macOS device to access the Device Details page.
  2. To view Event Logs and Commands information, select Troubleshooting from the More Actions drop-down menu.
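The event logs described above are what let an administrator confirm that a viewed PRK was actually re-secured, since a device that never checks in never processes the queued rotate command and the viewed key stays valid. The following Python script is an added example, not part of the Workspace ONE UEM documentation or product: it audits constructed event log lines for PRK views that were not followed by a new escrowed key. The column layout, the event names (PRKViewed, RotateRecoveryKeyQueued, RotateRecoveryKeyAcknowledged, RecoveryKeySampleReceived), the device identifiers and the 24-hour grace period are all assumptions made for the example; adapt `parse_line()` to the real export from Device Details > Troubleshooting.

```python
from datetime import datetime, timedelta

# Constructed sample log lines for this example; the column layout
# (timestamp | device | event | actor) is an assumption, not the console's
# real export format, and the device IDs are placeholders.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z | MAC-001 | PRKViewed | admin@example.com
2024-03-01T09:15:00Z | MAC-001 | RotateRecoveryKeyQueued | system
2024-03-01T09:42:00Z | MAC-001 | RotateRecoveryKeyAcknowledged | device
2024-03-01T09:45:00Z | MAC-001 | RecoveryKeySampleReceived | device
2024-03-01T10:00:00Z | MAC-002 | PRKViewed | user@example.com
2024-03-01T10:15:00Z | MAC-002 | RotateRecoveryKeyQueued | system
2024-03-01T11:00:00Z | MAC-003 | PRKViewed | admin@example.com
"""

# Assumed labels for the lifecycle stages the documentation describes:
# key viewed, rotate command queued, and new key escrowed (rotation complete).
VIEW_EVENT = "PRKViewed"
QUEUED_EVENT = "RotateRecoveryKeyQueued"
ROTATED_EVENT = "RecoveryKeySampleReceived"


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, device, event, actor = (part.strip() for part in line.split("|"))
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "device": device,
        "event": event,
        "actor": actor,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _later_event(events, view, name):
    """Earliest event of type `name` for the same device after the view, or None."""
    candidates = [e for e in events
                  if e["device"] == view["device"]
                  and e["event"] == name
                  and e["ts"] > view["ts"]]
    return min(candidates, key=lambda e: e["ts"]) if candidates else None


def unrotated_views(events, now, grace=timedelta(hours=24)):
    """Report each PRK view older than `grace` with no new key escrowed afterwards.

    Returns (device, viewed_at, actor, reason) tuples, where reason says whether
    the rotate command was never queued or was queued but never completed.
    """
    findings = []
    for view in (e for e in events if e["event"] == VIEW_EVENT):
        if now - view["ts"] < grace:
            continue  # device may still be inside its normal check-in window
        if _later_event(events, view, ROTATED_EVENT) is not None:
            continue  # rotation completed; the viewed key is no longer valid
        if _later_event(events, view, QUEUED_EVENT) is None:
            reason = "no rotate command queued"
        else:
            reason = "rotate command queued but no new key escrowed"
        findings.append((view["device"], view["ts"], view["actor"], reason))
    return findings


def queue_delay_minutes(events):
    """Minutes between a device's PRK view and the rotate command being queued
    (None if no command followed). The sample has one view per device."""
    delays = {}
    for view in (e for e in events if e["event"] == VIEW_EVENT):
        queued = _later_event(events, view, QUEUED_EVENT)
        delays[view["device"]] = (
            None if queued is None else (queued["ts"] - view["ts"]).total_seconds() / 60
        )
    return delays


def audit(log_text, now_iso, grace_hours=24):
    """Convenience wrapper: parse the log and run the unrotated-view check."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    return unrotated_views(parse_log(log_text), now, timedelta(hours=grace_hours))


if __name__ == "__main__":
    # Constructed "current time" for the audit run.
    for device, viewed_at, actor, reason in audit(SAMPLE_LOG, "2024-03-03T00:00:00Z"):
        print(f"{device}: PRK viewed {viewed_at:%Y-%m-%d %H:%M} by {actor}; {reason}")
```

In the sample, MAC-001 completes the full lifecycle and is not reported, MAC-002 had the command queued 15 minutes after the view but never escrowed a new key (typically a device that has not checked in), and MAC-003 never had a rotate command queued at all. The two reasons call for different follow-up: the first is a device-reachability problem, the second points at the rotation mechanism itself.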