Skip to main content
Question

Best approach to reset a PW *and* enable it for FV?

  • May 5, 2016
  • 2 replies
  • 21 views
T
Forum|alt.badge.img+15

Hit a snag last week that we didn't realize at first.

So all machines in "Department A" have a local admin account for helpdesk use, we'll call it "Admin" This policy is enabled for FV access on the laptops, again, for helpdesk troubleshooting use as needed.

Due to staff turnover, we changed the password via a Casper policy. All appeared to go well, until this week when machines started being rebooted. It appears that FileVault is still unlock able by the OLD password, but not by the new one.

When setting up a policy, under the "Local Accounts" section, you can choose "Reset account password", but there is no option there to enable for FV... that checkbox only exists if you tell it to "Create account". But if I select that, and attempt to "over-write" an existing account, I get an error.

Anyone have recommendations for the best approach here? This was only one department, but I anticipate this being a semi-regular request from other departments over time.

    2 replies

    T
    Forum|alt.badge.img+15
    • thoule
    • Contributor
    • May 5, 2016

    I use fdesetup to change it. First I create a second account, then enable it for FileVault. Then remove the account with the bad password. Then I add that Admin account back in. Finally, I delete my temp account. You can script this all backend if you know the existing filevault password.

    1) add a user and add to filevault

    /usr/local/bin/jamf createAccount -username fdetemp -realname EncryptionTemp -password abcdefg1

    create xml file to add temp user to FV.

    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>Admin</string>
<key>Password</key>
<string>OldFVPasswordGoesHere</string>
<key>AdditionalUsers</key>
<array>
    <dict>
        <key>Username</key>
        <string>fdetemp</string>
        <key>Password</key>
        <string>abcdefg1</string>
    </dict>
</array>
</dict>
</plist>

    Apply that XML file

    fdesetup add -inputplist < /tmp/xmlfile.xml

    2) Delete bad user from filevault

    fdesetup -remove -user Admin

    3) Generate an XML file then Add admin back with good password

    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>fdetemp</string>
<key>Password</key>
<string>abcdefg1</string>
<key>AdditionalUsers</key>
<array>
    <dict>
        <key>Username</key>
        <string>Admin</string>
        <key>Password</key>
        <string>NewPassGoesHere</string>
    </dict>
</array>
</dict>
</plist>

    Apply that xml file

    fdesetup add -inputplist < /tmp/xmlfile.xml

    Delete the temp user

    /usr/local/bin/jamf deleteAccount -username fdetemp -deleteHomeDirectory
    T
    Forum|alt.badge.img+15
    • Taylor_Armstron
    • Author
    • Valued Contributor
    • May 5, 2016

    Thanks.... that aught to do the trick.

    Ugh. Hey JAMF - how about a checkbox? ;)

    I'll take a look. Fortunately the username is the same across departments, just the PW that changes, so setting a template up wouldn't be too onerous.

    Terms & ConditionsCookie settingsAccessibility statement