From f253475b329ac097f4b29ce91304f4586a6526b3 Mon Sep 17 00:00:00 2001
From: Roberto Dip <me@roperzh.com>
Date: Fri, 31 Mar 2023 12:45:25 -0300
Subject: [PATCH] fix osquery query used to determine MDM disk encryption
 status (#10901)

---
 server/service/osquery_utils/queries.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/server/service/osquery_utils/queries.go b/server/service/osquery_utils/queries.go
index a8163f37bc..1d715a3738 100644
--- a/server/service/osquery_utils/queries.go
+++ b/server/service/osquery_utils/queries.go
@@ -572,8 +572,7 @@ var mdmQueries = map[string]DetailQuery{
 		// > location at any time.
 		//
 		// [1]: https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow
-		Query: fmt.Sprintf(`SELECT to_base64(group_concat(line, x'0a')) as filevault_key,
-						(%s) as encrypted FROM file_lines WHERE path='/var/db/FileVaultPRK.dat'`, usesMacOSDiskEncryptionQuery),
+		Query:            fmt.Sprintf(`SELECT to_base64(group_concat(line, x'0a')) as filevault_key, COALESCE((%s), 0) as encrypted FROM file_lines WHERE path='/var/db/FileVaultPRK.dat'`, usesMacOSDiskEncryptionQuery),
 		Platforms:        []string{"darwin"},
 		DirectIngestFunc: directIngestDiskEncryptionKeyDarwin,
 		Discovery:        discoveryTable("file_lines"),