Retrieving a laptop FileVault Recovery Key with Okta Workflows

Introduction

Something every company runs into is user account lockouts. Whether it be a recent change, a return from vacation, or as simple as mistyping a password by accident, we’ve all dealt with how frustrating it can be to be locked out and prevented from doing work. After a particularly rough week for our users, I decided to do something about it and build a self-service mechanism to help them get back into their laptops without even needing to wait for IT. Obviously this comes with security concerns, so I decided to leverage Okta Verify, an application all our users already have installed and are familiar with, to verify their identity prior to giving them access. A combination of Slack, Okta Workflows, and Kandji (our MDM of choice; you can substitute your own) went into making it possible for our users to almost never have to wait for IT to help regain access to their locked laptops or reset their passwords.


I want to acknowledge two people who helped immensely with this:

Jacob Waters, who is an outstanding IT resource and all-around swell guy. He and I had some great back and forth about the logic of this and many other workflows we’ve discussed. He can be found @JacobW in the MacAdmins Slack and on LinkedIn here: Jacob Waters

Gabriel Sroka, who pointed me to the possibility of hooking into Okta Verify when my first thought was “Well, crap. We can’t give out sensitive information without verifying their identity. I wonder if this is possible?”. His work on the Rockstar Chrome extension showed me what was possible to do with the Okta Factors API. He can be found @Gabriel Sroka on MacAdmins Slack and on LinkedIn here: Gabriel Sroka. I highly recommend taking a look at Rockstar if you’re an Okta Admin.



Okta Workflows Setup Pt. 1

The first thing you’ll want to do is import the Okta Workflows folder I’ve provided here.
After importing the flows, open Flow 2, labeled “2. Send Slack Confirmation to User”. In the lower right corner of the API Endpoint trigger card is a button that looks like this: <\>
Click that button and copy the Invoke URL; we’ll need that URL in our next steps.

API Endpoint Configuration

Slack Setup

Now that we’ve got a few pieces from Okta Workflows let’s move onto Slack. Open up the Slack Apps page at https://api.slack.com/apps and click “Create New App”. You’ll receive a pop-up asking you to name your App and select the workspace you want to develop it for. Don’t worry, you can re-name your App later if you aren’t happy with the one you’ve chosen.

Slack App naming modal

Once you’ve done that you’ll be on the Basic Information screen. From there, navigate to the “Interactivity & Shortcuts” page from the left menu bar.

The Interactivity & Shortcuts page is where we’ll need that Invoke URL from the API Endpoint configuration we did earlier. Click the toggle in the upper right corner to enable Interactivity, paste the Invoke URL into the “Request URL” field, then click Save Changes in the lower right corner.

Next we’ll navigate to the “OAuth & Permissions” page from the left menu bar.

On this page we’ll configure what permissions our Slack App has. Scroll down to the Scopes section and click the Add an OAuth Scope button under “Bot Token Scopes”. You’ll want to add the “im:write”, “im:history”, and “im:read” scopes, as our app will need to message people privately since we don’t want recovery keys available in public channels. We then need to scroll back up to the top of the page and click the Install to Workspace button under “OAuth Tokens for Your Workspace”. Once you’ve authorized the install you’ll see a Bot User OAuth Token; copy that and save it, as we’ll need it soon!

Okta Workflows Setup Pt. 2

Time to build our API Connector! Navigate back to Okta Workflows, move to the Connections tab, and click the New Connection button in the top left. Select the API Connector type and name it however you prefer. I typically name mine with the App it is connecting to and the purpose, so in this example I might name it “Slack - Laptop FVRK Retrieval”. For the Auth type, select Custom. In the Header Name put “Authorization” (without the quotes) and for the Header Value put “Bearer <your bearer token here>” (without the quotes or brackets).

Since we’ve now added our connector, we can go through each of the flows and ensure that the custom API card is using our “Slack - Laptop FVRK Retrieval” connector. You’ll find these cards in Flow 1, 2, and 6.
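The custom API cards in Flows 1, 2 and 6 all make the same kind of call: a Slack Web API method with `Authorization: Bearer <bot token>` on it, first `conversations.open` to get the user’s DM channel and then `chat.postMessage` into that channel. The Python below is an added example of that sequence, not code from the provided flows; it exists so you can see what the connector is doing and how a Slack error such as `missing_scope` (one of the Bot Token Scopes above not granted) surfaces. The `transport` argument and the fake Slack endpoint are assumptions added so the call can be exercised without a real token; the token, user ID and channel ID are constructed placeholders.

```python
import json
import urllib.request

SLACK_API = "https://slack.com/api"

# Constructed placeholder; a real Bot User OAuth Token is a secret and belongs in the
# connector's header value, not in source.
FAKE_BOT_TOKEN = "xoxb-000000000000-000000000000-constructedplaceholder"


def slack_post(token: str, method: str, payload: dict, transport=None) -> dict:
    """POST JSON to a Slack Web API method, authenticating with the bot token as a Bearer header.

    When `transport` is None the request goes to slack.com; otherwise `transport`
    (an assumed callable for offline use) receives (method, headers, payload).
    """
    headers = {
        "Authorization": f"Bearer {token}",  # same header the API Connector is configured with
        "Content-Type": "application/json; charset=utf-8",
    }
    if transport is None:
        req = urllib.request.Request(f"{SLACK_API}/{method}",
                                     data=json.dumps(payload).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            result = json.loads(resp.read())
    else:
        result = transport(method, headers, payload)
    # Slack returns HTTP 200 with {"ok": false, "error": ...} on failure, so check the body
    if not result.get("ok"):
        raise RuntimeError(f"{method} failed: {result.get('error', 'unknown_error')}")
    return result


def send_private_message(token: str, user_id: str, text: str, transport=None) -> dict:
    """Open (or reopen) the DM with a user and post `text` there, never to a channel."""
    opened = slack_post(token, "conversations.open", {"users": user_id}, transport)  # needs im:write
    channel = opened["channel"]["id"]
    if not channel.startswith("D"):  # Slack direct-message channel IDs begin with D
        raise RuntimeError("refusing to post outside a direct message")
    posted = slack_post(token, "chat.postMessage", {"channel": channel, "text": text}, transport)
    return {"channel": channel, "ts": posted["ts"]}


def fake_slack_transport(method: str, headers: dict, payload: dict) -> dict:
    """Constructed stand-in for slack.com: checks the auth header and returns canned replies."""
    if headers.get("Authorization") != f"Bearer {FAKE_BOT_TOKEN}":
        return {"ok": False, "error": "invalid_auth"}
    if method == "conversations.open":
        return {"ok": True, "channel": {"id": "D0000000001"}}
    if method == "chat.postMessage":
        return {"ok": True, "channel": payload["channel"], "ts": "1700000000.000100"}
    return {"ok": False, "error": "unknown_method"}


if __name__ == "__main__":
    result = send_private_message(FAKE_BOT_TOKEN, "U0000000001",
                                  "Your recovery key request was confirmed.",
                                  transport=fake_slack_transport)
    print(result)
```

Because the message text will eventually carry a recovery key, the DM-only guard and the `ok` check matter: a `missing_scope` or `invalid_auth` reply raises instead of silently returning, and nothing is posted to a channel ID that is not a direct message.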

With that, the setup is done! Our flows should now be complete. You’ll need to adjust Flow #1 to your preferred or available trigger method, ensuring that you can retrieve Okta user data to link the user. Below is a flowchart of the workflow logic.

Closing Thoughts

This can be improved. A lot. This was an evening project for me after inspiration struck while I was out walking the dogs and an employee got locked out of their laptop. Are there security concerns for this tool? Absolutely, and those are things I’ll be looking at to iterate on in the future. Overall I think this largely benefits employees and opens up a narrow but acceptable attack vector. I strive to not let perfect be the enemy of good, and this is one tool that follows that mantra.

Feel free to reach out to me at @Dmitri Altum on MacAdmins Slack, through my site here, or on LinkedIn at Dmitri Altum. I’m more than happy to answer questions or take criticism/feedback on the flow!
