Intune : macOS FileVault Report

Introduction

Recently, I found myself in a classic IT admin pickle: a C-level executive needed access to their encrypted macOS device, but, surprise, the FileVault recovery key wasn’t stored in Intune like it was supposed to be. Fun, right? Unfortunately, this wasn’t a one-time thing; it made me realize we had a bigger issue. How could we efficiently track which devices are encrypted and make sure their recovery keys are actually stored where they should be?

So, to avoid future stress (and those frantic “where’s the key?!” moments), I built a PowerShell script to do all the heavy lifting. It checks the encryption status of all managed macOS devices and verifies whether their FileVault keys are safely tucked away in Intune. The goal? Save time, eliminate guesswork, and make sure everything’s secure and ready when needed.

In this post, I’ll walk you through the script, explain how it works, and show how it can help you stay on top of your macOS device encryption and key management without the headaches!

Microsoft Graph API Permissions Required

Before running the script, you need to make sure the right permissions are granted in Azure AD. The script interacts with device data and encryption keys, so you’ll need the following permissions:

  • DeviceManagementManagedDevices.PrivilegedOperations.All: This permission allows the script to perform privileged operations on managed devices.
  • DeviceManagementManagedDevices.Read.All: This permission allows the script to read information about all managed devices in the organization.

These permissions need to be granted to the app registration you’re using or the user executing the script.

Breaking Down the Script

Now, let’s break the script down into its main parts to understand how it works.

1. Connecting to Microsoft Graph

First, the script establishes a connection to Microsoft Graph using the necessary scopes. This ensures that the script can retrieve device data and interact with the API securely.

# Connect to Microsoft Graph with the necessary permissions.
# -Scopes expects one scope per array element; a single comma-separated string is sent as one (invalid) scope.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All", "DeviceManagementManagedDevices.Read.All"

In this case, Connect-MgGraph is used to authenticate to Microsoft Graph with the required permissions.

2. Fetching macOS Devices from Intune

The Get-GraphData function is responsible for querying the Graph API to fetch all macOS devices managed in Intune. It handles pagination to ensure that all devices are retrieved, even if the results are spread across multiple pages.

function Get-GraphData {
    param (
        [Parameter(Mandatory=$true)]
        [string] $url
    )
    $results = @()
    do {
        $response = Invoke-MgGraphRequest -Uri $url -Method GET
        $results += $response.value
        # Follow @odata.nextLink until the last page has been read; it is absent on the final page
        $url = $response.'@odata.nextLink'
    } while ($url)
    return $results
}
  • Explanation: This function handles pagination (@odata.nextLink) and ensures that all devices are retrieved, even if there are multiple pages of data.

3. Checking FileVault Key Status

Once the macOS devices are retrieved, the script loops through each device and checks its encryption status. For devices that are encrypted, it attempts to fetch the FileVault key using another API call. If the key is not available, it assigns an appropriate status.

$vaultinformation = $macosdevices | ForEach-Object {
    $device = $_
    if ($device.isEncrypted -eq $true) {
        $urlfilevaultkey = "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$($device.id)')/getFileVaultKey"
        try {
            # The response body contains the recovery key itself; only the fact that the
            # call succeeded is recorded, the key is never stored by the script.
            $null = Invoke-MgGraphRequest -Uri $urlfilevaultkey -Method GET
            $device.FileVaultKey = "Key is present in Intune"
        }
        catch {
            # 404 means Intune has no escrowed key for this device
            if ($_.Exception.Response.StatusCode -eq 404) {
                $device.FileVaultKey = "Key not present in Intune"
            } else {
                $device.FileVaultKey = "Personal Device Key not present in Intune"
            }
        }
    } else {
        $device.FileVaultKey = "Disk Not Encrypted"
    }
    # Output the device object with its FileVaultKey status
    $device
}
  • Explanation: This section checks if the device is encrypted, and if it is, the script attempts to retrieve the FileVault key. If the key is not found, it handles the error and flags the device accordingly. Note that getFileVaultKey returns the recovery key itself in the response body; the script only records that the call succeeded and never writes the key to the report or the CSV.
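Steps 2 and 3 together, as an added example rather than the post's own script: it retrieves the macOS device list (the post does not show the call that fills $macosdevices) and classifies each device's key status. It assumes an existing Connect-MgGraph session with the two scopes listed above; the $filter/$select query options, the function names Get-MacOSDevices and Get-FileVaultKeyStatus, and the choice to label personal devices from managedDeviceOwnerType rather than from the error type are this example's own.

```powershell
# Added example (not the post's own script). Assumes Connect-MgGraph has already run
# with DeviceManagementManagedDevices.PrivilegedOperations.All and .Read.All.

function Get-MacOSDevices {
    # Ask Graph only for macOS devices and only for the properties the report uses,
    # following @odata.nextLink until every page has been read.
    $url = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices' +
           "?`$filter=operatingSystem eq 'macOS'" +
           "&`$select=id,deviceName,isEncrypted,deviceEnrollmentType,managedDeviceOwnerType,osVersion,userDisplayName,userPrincipalName"
    $results = @()
    do {
        $response = Invoke-MgGraphRequest -Uri $url -Method GET   # default output: one hashtable per item
        $results += $response.value
        $url = $response.'@odata.nextLink'
    } while ($url)
    return $results
}

function Get-FileVaultKeyStatus {
    param ([Parameter(Mandatory = $true)] [hashtable] $Device)   # hashtable as returned by Invoke-MgGraphRequest

    if (-not $Device.isEncrypted) { return 'Disk Not Encrypted' }

    $url = "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$($Device.id)')/getFileVaultKey"
    try {
        # The response body carries the recovery key itself. Only the fact that the
        # call succeeded is recorded; the key is never written to the report or CSV.
        $null = Invoke-MgGraphRequest -Uri $url -Method GET
        return 'Key is present in Intune'
    }
    catch {
        $status = [int]$_.Exception.Response.StatusCode   # 0 when no HTTP response is attached
        if ($status -eq 404) {
            # No escrowed key: label by ownership (same category names as the report)
            if ($Device.managedDeviceOwnerType -eq 'personal') { return 'Personal Device Key not present in Intune' }
            return 'Key not present in Intune'
        }
        # Anything else (throttling, permission problems) is reported as a lookup failure,
        # not silently filed under a device category.
        return "Lookup failed (HTTP $status): $($_.Exception.Message)"
    }
}

$macosdevices     = Get-MacOSDevices
$vaultinformation = foreach ($device in $macosdevices) {
    $device.FileVaultKey = Get-FileVaultKeyStatus -Device $device
    # Convert the hashtable to an object so Export-Csv and Format-Table see real columns
    [pscustomobject]$device
}

# Per-status summary, then the per-device rows for further analysis
$vaultinformation | Group-Object FileVaultKey | Select-Object Count, Name | Format-Table -AutoSize
$vaultinformation | Export-Csv -Path 'DeviceFileVaultKeyInformation.csv' -NoTypeInformation
```

The summary line is the quick check worth running first: a non-zero count of "Lookup failed" rows means the report is incomplete and should not be read as "no key escrowed" until the API errors are resolved.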

4. Generating the Markdown Report

This part of the script generates a markdown file that organizes devices into different categories: devices with a FileVault key, devices missing a key, non-encrypted devices, and personal devices.

function Generate-DeviceFileVaultKeyMarkdown {
    param (
        [Parameter(Mandatory=$true)]
        [array]$devices,
        [Parameter(Mandatory=$true)]
        [string]$outputPath
    )
    try {
        $tenant = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/organization" -Method GET
        $tenantinfo = "Tenant: $($tenant.value[0].displayName)"
        $dateString = Get-Date -Format "dddd, MMMM dd, yyyy HH:mm:ss"
        $markdownContent = ""
        $markdownContent += "# Device FileVault Key Information`n`n"
        $markdownContent += "$tenantinfo `n"
        $markdownContent += "Documentation Date: $dateString`n`n"

        # Devices with Key
        $devicesWithKey = $devices | Where-Object { $_.FileVaultKey -eq "Key is present in Intune" }
        $markdownContent += "## Devices with Key`n`n"
        $markdownContent += "Devices Count $($devicesWithKey.count)/$($devices.count)`n`n"
        $markdownContent += "| deviceName | isEncrypted | FileVaultKey | deviceEnrollmentType | id | managedDeviceName | managedDeviceOwnerType | osVersion | userDisplayName | userPrincipalName |`n"
        $markdownContent += "|------------|-------------|--------------|----------------------|----|-------------------|------------------------|-----------|-----------------|-------------------|`n"

        foreach ($device in $devicesWithKey) {
            $markdownContent += "| $($device.deviceName) | $($device.isEncrypted) | $($device.FileVaultKey) | $($device.deviceEnrollmentType) | $($device.id) | $($device.managedDeviceName) | $($device.managedDeviceOwnerType) | $($device.osVersion) | $($device.userDisplayName) | $($device.userPrincipalName) |`n"
        }

        # Repeat similar logic for devices with no key and non-encrypted devices

        $markdownContent | Out-File -FilePath $outputPath -Encoding utf8
        Write-Host "Markdown file generated successfully at $outputPath"
    }
    catch {
        Write-Error "An error occurred: $_"
    }
}
  • Explanation: The function generates a markdown report, organizing devices into categories based on their encryption and FileVault key status. It includes information like device names, whether they are encrypted, and whether the FileVault key is present.
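The post's function repeats the table-building code once per category. As an added example (not the post's own function), the version below drives all four categories from one table so the per-category logic is written once; it also escapes pipe characters inside cell values so a stray "|" in a device name cannot break the markdown layout. The sample devices are constructed here, and the category labels match the status strings used earlier in the post.

```powershell
# Added example, not the post's own code. Runs offline on the constructed sample below.

$columns = 'deviceName','isEncrypted','FileVaultKey','managedDeviceOwnerType','osVersion','userPrincipalName'

# Report section name -> FileVaultKey status string it collects (labels as used in the post)
$categories = [ordered]@{
    'Devices with Key'      = 'Key is present in Intune'
    'Devices with No Key'   = 'Key not present in Intune'
    'Non-Encrypted Devices' = 'Disk Not Encrypted'
    'Personal Devices'      = 'Personal Device Key not present in Intune'
}

function ConvertTo-MarkdownTable {
    param ([array]$Rows, [string[]]$Columns)
    $lines  = @('| ' + ($Columns -join ' | ') + ' |')
    $lines += '|' + (($Columns | ForEach-Object { '---' }) -join '|') + '|'
    foreach ($row in $Rows) {
        # Escape pipes inside cell values so a stray '|' cannot split a cell
        $cells  = foreach ($c in $Columns) { ([string]$row.$c) -replace '\|', '\|' }
        $lines += '| ' + ($cells -join ' | ') + ' |'
    }
    return ($lines -join "`n")
}

function New-FileVaultReport {
    param ([array]$Devices, [string]$Tenant)
    $md  = "# Device FileVault Key Information`n`n"
    $md += "Tenant: $Tenant`n"
    $md += "Documentation Date: $(Get-Date -Format 'dddd, MMMM dd, yyyy HH:mm:ss')`n`n"
    foreach ($entry in $categories.GetEnumerator()) {
        $rows = @($Devices | Where-Object { $_.FileVaultKey -eq $entry.Value })
        $md  += "## $($entry.Key)`n`n"
        $md  += "Devices Count $($rows.Count)/$($Devices.Count)`n`n"
        if ($rows.Count -gt 0) { $md += (ConvertTo-MarkdownTable -Rows $rows -Columns $columns) + "`n`n" }
    }
    return $md
}

# Constructed sample input standing in for $vaultinformation
$sample = @(
    [pscustomobject]@{ deviceName='CF-0001'; isEncrypted=$true;  FileVaultKey='Key is present in Intune';                  managedDeviceOwnerType='company';  osVersion='14.5 (23F79)';    userPrincipalName='user1@example.com' }
    [pscustomobject]@{ deviceName='CF-0002'; isEncrypted=$true;  FileVaultKey='Key not present in Intune';                 managedDeviceOwnerType='company';  osVersion='13.5.1 (22G90)';  userPrincipalName='user2@example.com' }
    [pscustomobject]@{ deviceName='CF-0003'; isEncrypted=$false; FileVaultKey='Disk Not Encrypted';                        managedDeviceOwnerType='company';  osVersion='14.4.1 (23E224)'; userPrincipalName='user3@example.com' }
    [pscustomobject]@{ deviceName='CF-0004'; isEncrypted=$true;  FileVaultKey='Personal Device Key not present in Intune'; managedDeviceOwnerType='personal'; osVersion='14.5 (23F79)';    userPrincipalName='user4@example.com' }
)

New-FileVaultReport -Devices $sample -Tenant 'EXAMPLE-TENANT' |
    Set-Content -Path 'DeviceFileVaultKeyInformation.md' -Encoding utf8
```

Because $categories is an ordered dictionary, adding a new status (for example a "Lookup failed" bucket) is a one-line change and the section order in the report is predictable.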

5. CSV Export for Further Analysis

Finally, the script exports the gathered device data into a CSV file for further analysis or sharing.

# Graph returns each device as a hashtable; convert to objects so the CSV gets one
# column per property instead of the hashtable's Keys/Values/Count members
$vaultinformation | ForEach-Object { [pscustomobject]$_ } | Export-Csv -Path "DeviceFileVaultKeyInformation.csv" -NoTypeInformation
  • Explanation: The CSV export provides a detailed data set that can be used for deeper analysis or integrated into other tools for further processing.

Putting It All Together

Here’s a summary of how the script flows:

  1. Connect to Microsoft Graph using the necessary permissions.
  2. Retrieve macOS devices from Intune using the Get-GraphData function.
  3. Check the encryption and FileVault key status for each device.
  4. Generate a report in markdown format with details about devices and their encryption status.
  5. Export the data to a CSV file for further analysis.

By using this script, IT admins can ensure that macOS devices in their organization are properly encrypted and that recovery keys are stored securely in Intune, avoiding potential data recovery issues. You can find the full script on my GitHub.

Example Markdown Report

Below you can find an example markdown report.

# Device FileVault Key Information

Tenant: CLOUDFLOW 
Documentation Date: Monday, October 21, 2024 15:56:23

## Devices with Key

Devices Count 2/6

| deviceName | isEncrypted | FileVaultKey | deviceEnrollmentType | id | managedDeviceName | managedDeviceOwnerType | osVersion | userDisplayName | userPrincipalName |
|------------|-------------|--------------|----------------------|----|-------------------|------------------------|-----------|-----------------|-------------------|
| CF-0789 | True | Key is present in Intune | appleBulkWithUser | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_MacOS_5/15/2023_10:59 AM | company | 14.5 (23F79) | Harry Potter | Harry.potter@cloudflow.be |
| CF-0789 | True | Key is present in Intune | appleBulkWithUser | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_MacOS_1/31/2023_5:15 PM | company | 14.5 (23F79) | Harry Potter | Harry.potter@cloudflow.be |

## Devices with No Key

Devices Count 2/6

| deviceName | isEncrypted | FileVaultKey | deviceEnrollmentType | id | managedDeviceName | managedDeviceOwnerType | osVersion | userDisplayName | userPrincipalName |
|------------|-------------|--------------|----------------------|----|-------------------|------------------------|-----------|-----------------|-------------------|
| CF-0789 | True | Key not present in Intune | userEnrollment | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Harry.potter_MacOS_8/31/2023_8:47 AM | company | 13.5.1 (22G90) | Harry Potter | Harry.potter@cloudflow.be |
| CF-0789 | True | Key not present in Intune | userEnrollment | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Harry.potter_MacOS_8/31/2022_4:18 PM | company | 14.4.1 (23E224) | Harry Potter | Harry.potter@cloudflow.be |

## Personal Devices

Devices Count 2/6

| deviceName | isEncrypted | FileVaultKey | deviceEnrollmentType | id | managedDeviceName | managedDeviceOwnerType | osVersion | userDisplayName | userPrincipalName |
|------------|-------------|--------------|----------------------|----|-------------------|------------------------|-----------|-----------------|-------------------|
| CF-0789 | True | Personal Device Key not present in Intune | userEnrollment | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Harry.potter_MacOS_7/31/2023_11:34 AM | personal | 14.5 (23F79) | Harry Potter | Harry.potter@cloudflow.be |
| CF-0789 | True | Personal Device Key not present in Intune | userEnrollment | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Harry.potter_MacOS_11/16/2023_10:02 PM | personal | 14.5 (23F79) | Harry Potter | Harry.potter@cloudflow.be |

Conclusion

Managing macOS encryption keys doesn’t have to be a stressful task! This PowerShell script takes the hassle out of the process by automatically checking which devices are encrypted and ensuring their FileVault keys are securely stored in Intune. With a quick report, you can save time, avoid panic when an exec needs their key, and stay on top of your device security. Plus, the clear markdown and CSV reports make reviewing everything a breeze.

Feedback is always welcome, so if you have ideas for improvement or run into any issues, feel free to reach out! Let’s keep things secure and simple.
