@milesleacy if these Macs have a common Admin account that is a FV User and you know the password, it can be scripted.
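#!/bin/sh
# The plist holds the admin password, so create it readable by the owner only.
umask 077
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Password</key>
<string>AdminPassword</string>
</dict>
</plist>' > /Users/Shared/filevault.plist
# fdesetup reads the credential plist from stdin.
fdesetup disable -inputplist < /Users/Shared/filevault.plist
# Remove the credential file as soon as fdesetup has consumed it.
rm /Users/Shared/filevault.plist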
If you do not have access to a FV enabled User's password or the Recovery Key, it would be difficult to script w/o user interaction.
Great! Thanks @bkramps. That script is exactly what I was hoping to avoid building from scratch.
Delivering this feature request would make it easier...
Add ability to report on FV2 Recovery Keys (and/or access them via API)
Although, it's really just a halfway point to delivering my feature request above.
@milesleacy Hey Miles,
Want to also point out @rtrouton's work with fdesetup. https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/
It talks about disabling and enabling fdesetup in detail.
Thanks @JasonkMiller! I'm well familiar with @rtrouton's fine FileVault write-ups and enthusiastically recommend them to anyone who needs to know how Apple's encryption system works.
Funnily enough, I had a request during my CCA class from one of my classmates for a script which disabled encryption via Self Service. I wrote this post and associated expect script in response:
https://derflounder.wordpress.com/2014/03/22/disabling-filevault-2-with-fdesetup-on-mountain-lion-and-mavericks/
@rtrouton Nifty, but the goal is to have the JSS provide the recovery key, since it's already stored there. User interaction is a show stopper.
Modifying @bkramps's solution to feed the XML with an API call would be nice, but that comes back to the other, as-yet undelivered, feature request.
It seems that with currently-available tools, disabling FileVault without user interaction is not an option.
Well, at least not in a supportable workflow...
Curious if there has been any progress made on this front...
I made some minor changes to the plist.
This works for me.
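#!/bin/bash
# The plist holds the admin password, so create it readable by the owner only.
umask 077
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>AdminUser</string>
<key>Password</key>
<string>AdminPassword</string>
</dict>
</plist>' > /tmp/filevault.plist
# fdesetup reads the credential plist from stdin.
fdesetup disable -inputplist < /tmp/filevault.plist
# Remove the credential file as soon as fdesetup has consumed it.
rm /tmp/filevault.plist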
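
Both scripts in this thread write the admin password to a fixed path in a shared directory before fdesetup reads it. As an added example (not code from any poster in the thread), the functions below build the same Username/Password plist in memory, XML-escape the values so a password containing &, < or > still yields a valid plist, and hand it to fdesetup over a pipe instead of a file; FDESETUP_CMD is a hypothetical override used only for dry runs.

```shell
#!/bin/sh
# Added example, not from the thread: feed fdesetup its credential plist
# through a pipe so the password is never stored under /Users/Shared or /tmp.

# xml_escape VALUE: escape the characters that would break a plist <string>.
# printf is a shell builtin, so VALUE does not show up in the process list.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# build_fv_plist USERNAME PASSWORD: print the credential plist on stdout,
# using the Username/Password keys from the second script in the thread.
build_fv_plist() {
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' \
        '<dict>' \
        '<key>Username</key>' \
        "<string>$(xml_escape "$1")</string>" \
        '<key>Password</key>' \
        "<string>$(xml_escape "$2")</string>" \
        '</dict>' \
        '</plist>'
}

# disable_filevault USERNAME PASSWORD: pipe the plist to fdesetup's stdin.
# FDESETUP_CMD (hypothetical, for dry runs) replaces the real binary if set.
disable_filevault() {
    build_fv_plist "$1" "$2" | ${FDESETUP_CMD:-fdesetup} disable -inputplist
}

# Usage, with the two values supplied by whatever mechanism the site uses:
#   disable_filevault "$admin_user" "$admin_pass"
```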