+1Hi folks,
I have combed thru the white paper on Mtn Lion using FV 2.
I see how the target user is chosen at the time of deployment, either mgmt acct/current/next user. Keys are generated stored based on any of those 3 settings. What I dont see described is how continued administration is done. For example if I wanted to add/delete a user or AD group on the fly, how can that be done? Can that be done?
Best answer by rich.trouton
Once the Mac is encrypted, you can add / delete a user using the following fdesetup commands. You will not be able to add groups.
In all cases where you're adding a user with fdesetup, you will need to have the username and password of both the account you want to add as well as the username and password of an FileVault 2-enabled account already on the Mac in question.
To add: sudo fdesetup add -usertoadd username_here
This is an interactive process with prompts. You would need to provide both the username and password of a previously enabled account as well as the password of the account you want to add.
If you want to use a non-interactive script, you can set up a plist file with the information you want to use and have fdesetup import the plist.
sudo fdesetup add -inputplist < /path/to/filename.plist
The plist would need to follow the format available at the following link: http://pastie.org/4673195
When adding additional users using a plist file, the top level Username key is ignored, and the Password key value should either be an existing FileVault user’s password or the recovery key. Additional users can be added as needed by adding additional user information under the AdditionalUsers plist key.
Note: All account passwords need to be supplied in cleartext.
You can remove users from the list of FileVault enabled accounts by using either their username or the account’s UUID. When removing accounts, you do not need to provide account passwords.
To remove the account using the username, run the following command:
sudo fdesetup remove -user username_here
To remove the account using the account’s UUID, run the following command:
sudo fdesetup remove -uuid UUID_here
You can get both the usernames and UUID by running the following command:
sudo fdesetup list
The User Accounts listing in the machine's inventory on the JSS should also show which user accounts are enabled. If enabled, the FileVault Enabled line should show as true.
Once the Mac is encrypted, you can add / delete a user using the following fdesetup commands. You will not be able to add groups.
In all cases where you're adding a user with fdesetup, you will need to have the username and password of both the account you want to add as well as the username and password of an FileVault 2-enabled account already on the Mac in question.
To add: sudo fdesetup add -usertoadd username_here
This is an interactive process with prompts. You would need to provide both the username and password of a previously enabled account as well as the password of the account you want to add.
If you want to use a non-interactive script, you can set up a plist file with the information you want to use and have fdesetup import the plist.
sudo fdesetup add -inputplist < /path/to/filename.plist
The plist would need to follow the format available at the following link: http://pastie.org/4673195
When adding additional users using a plist file, the top level Username key is ignored, and the Password key value should either be an existing FileVault user’s password or the recovery key. Additional users can be added as needed by adding additional user information under the AdditionalUsers plist key.
Note: All account passwords need to be supplied in cleartext.
You can remove users from the list of FileVault enabled accounts by using either their username or the account’s UUID. When removing accounts, you do not need to provide account passwords.
To remove the account using the username, run the following command:
sudo fdesetup remove -user username_here
To remove the account using the account’s UUID, run the following command:
sudo fdesetup remove -uuid UUID_here
You can get both the usernames and UUID by running the following command:
sudo fdesetup list
The User Accounts listing in the machine's inventory on the JSS should also show which user accounts are enabled. If enabled, the FileVault Enabled line should show as true.
+24Can't you use the -defer flag when adding users so you don't have to have a password in a script?
You can use -defer when you're first activating FileVault 2 encryption, but you can't use it afterwards.
An important thing to keep in mind about the -defer option is that it enables one single user account at the time of turning on FileVault 2 encryption. The -defer option does not enable multiple user accounts and cannot be used to enable accounts once FileVault 2 encryption has been turned on.
+24Hmm. Okay. I smell a feature request. It would be great to have an "add this user to FileVault" Self Service item if fdesetup would support -defer after the initial encryption.
Casper's FileVault 2 management in Mountain Lion is built on fdesetup, so Apple's bug report site is the best place to file fdesetup-related feature requests:
+11Is there an prior/additional step beyond creating institutional key, uploading to JSS, and triggering a policy to the clients that is needed here? All I get on following steps in the whitepaper is "Error encrypting disk: Could not encrypt the disk because a required dependency was not found."
+24FV2 requires a Recovery HD partition. Check to make sure the clients where you're getting that error have one. Do 'diskutil list' in Terminal. The Recovery HD shows up there, usually as disk0s3.
clifhirtle,
Are you encrypting Macs running 10.8.x? Casper's FileVault management solution does not work on Lion.
+11Thanks guys. Totally overlooked late PM reimage to 10.7.4 and kept operating on prior 10.8 mode. That was it. Thanks for reminding to 'check the tank.'
+3"""
If you want to use a non-interactive script, you can set up a plist file with the information you want to use and have fdesetup import the plist.
sudo fdesetup add -inputplist < /path/to/filename.plist
"""
Using the plist method above, is it possible to use the institutional recovery key instead of the currently enabled user's key? If not, do you have any idea if there would be a feasible way to use the JSS API or jamf binary to extract the current user's recovery key?
chappj01,
You'll need to decrypt the Mac before you'll be able to change recovery key. As for extracting the existing recovery key, unfortunately I don't believe there's a way to do that. Either the user will need to give it to you, or you'll need to decrypt / re-encrypt to make it generate a new recovery key.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
