Hello,

Lately in our environment, our local management account on Mac has lost the ability to log in because it is no longer FileVault unlockable. When we set up our Macs, we enable FileVault via Jamf's config profile and policy using DEPNotify. Once DEPNotify is complete, we manually run this script to enroll the local management account to FileVault:

#!/bin/bash

# Jamf policy parameters 4 and 5: management account name and password.
admin_account="${4}"
admin_password="${5}"
# Standard path of the jamfHelper binary (the original left this variable undefined).
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# Secure-token state of the management account ("ENABLED" or "DISABLED"),
# taken from the 7th whitespace-separated field of sysadminctl's status line.
status=$(sysadminctl -secureTokenStatus "${admin_account}" 2>&1 | awk '{print $7}')

if [[ "${status}" == "DISABLED" ]]; then
    # Current console user; this user must already hold a secure token to grant one.
    userName=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    triesCount=0
    while true; do
        ## Prompt for Password
        userPass=$(osascript << EOL
tell application "System Events" to text returned of (display dialog "Please enter your Mac login password to complete configuration of FileVault 2. Contact your IT Support Team if you have any questions. Thank you." default answer "" buttons {"OK"} default button 1 with hidden answer)
EOL
)
        # Verify the entered password against the directory before using it.
        dscl . authonly "${userName}" "${userPass}" &> /dev/null
        resultCode=$?
        if [ "$resultCode" -eq 0 ]; then
            echo "Password Check: PASSED"
            # Grant the management account a secure token using the console user's credentials.
            sysadminctl -secureTokenOn "${admin_account}" -password "${admin_password}" -adminUser "${userName}" -adminPassword "${userPass}"
            # Both passwords are written in plaintext to this plist; it is removed right after fdesetup reads it.
            cat << EOF > /tmp/inputplist.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>${userName}</string>
    <key>Password</key>
    <string>${userPass}</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>${admin_account}</string>
            <key>Password</key>
            <string>${admin_password}</string>
        </dict>
    </array>
</dict>
</plist>
EOF
            # Add the management account as a FileVault-enabled user.
            fdesetup add -inputplist < /tmp/inputplist.plist
            rm /tmp/inputplist.plist
            break
        else
            # Prompt for User Password again, up to three retries.
            echo "Password Check: WRONG PASSWORD"
            triesCount=$((triesCount+1))
            if [[ ${triesCount} -gt 3 ]]; then
                "${jamfHelper}" -windowType utility -title "Filevault" -heading "FileVault requires your attention" -description "There was a problem validating your password. Please contact IT." -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns" -button1 "OK" -defaultButton 1
                break
            fi
        fi
    done
fi

We are able to see the management account under "sudo fdesetup list". It is after a few days or weeks that the account is no longer on that list. 

It is for sure that we do not unenroll this user from FileVault and users do not have the knowledge to do so, at least in these large quantities. This even happened on my Mac where I can guarantee I did not do such a thing. 

We do use EasyLaps for this management account. Not sure if that has anything to do with this issue but it is a detail.
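A drift like the one described above is easiest to pin down if the Mac reports, on every inventory run, whether the management account is still both FileVault-enabled and secure-token-enabled. The following audit script is an added example, not the poster's script or anything from Jamf or EasyLAPS. It assumes the account name arrives as Jamf parameter 4 like the script above (falling back to a constructed name "admin"), parses the `fdesetup list` and `sysadminctl -secureTokenStatus` outputs in functions that take the raw text, so they can be checked offline against constructed sample lines, and prints an extension-attribute style `<result>` plus a syslog line when run as root on a Mac.

```shell
#!/bin/bash
# Added example: audits whether a management account is still FileVault-enabled
# and holds a secure token, so the loss is noticed before the account is needed.
# The account name "admin" is an assumed default, not taken from the post.

admin_account="${4:-admin}"

# Constructed sample outputs (not captured from a real Mac) used for offline checks.
SAMPLE_LIST_OK="jdoe,0A1B2C3D-AAAA-BBBB-CCCC-DDDDEEEEFFFF
admin,9F6E1C0A-1111-2222-3333-444455556666"
SAMPLE_LIST_DRIFT="jdoe,0A1B2C3D-AAAA-BBBB-CCCC-DDDDEEEEFFFF"
SAMPLE_TOKEN_ON="2024-05-01 09:00:00.000 sysadminctl[812:4410] Secure token is ENABLED for user admin"
SAMPLE_TOKEN_OFF="2024-05-01 09:00:00.000 sysadminctl[812:4410] Secure token is DISABLED for user admin"

# fv_enabled ACCOUNT LIST_OUTPUT
# `fdesetup list` prints one "user,UUID" line per FileVault-enabled user.
# Returns 0 when ACCOUNT appears (case-insensitive), 1 otherwise.
fv_enabled() {
    local account="$1" list="$2"
    printf '%s\n' "$list" | awk -F, -v u="$account" 'tolower($1)==tolower(u){f=1} END{exit !f}'
}

# token_state STATUS_OUTPUT
# Extracts ENABLED or DISABLED from sysadminctl's "Secure token is ..." line
# by matching the phrase rather than relying on a fixed field position.
token_state() {
    local output="$1"
    printf '%s\n' "$output" | sed -nE 's/.*Secure token is (ENABLED|DISABLED).*/\1/p' | head -n 1
}

# audit_status ACCOUNT LIST_OUTPUT STATUS_OUTPUT
# One status line: "OK ..." when both hold, "DRIFT ..." with the failing state otherwise.
audit_status() {
    local account="$1" fv_list="$2" token_out="$3"
    local fv="no" token
    if fv_enabled "$account" "$fv_list"; then fv="yes"; fi
    token=$(token_state "$token_out")
    token=${token:-UNKNOWN}
    if [ "$fv" = "yes" ] && [ "$token" = "ENABLED" ]; then
        echo "OK filevault=yes securetoken=ENABLED"
    else
        echo "DRIFT filevault=$fv securetoken=$token"
    fi
}

# Live run: only on a Mac and only as root (fdesetup list needs it); skipped
# elsewhere so the parsing functions above can be exercised anywhere.
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    fv_list=$(fdesetup list 2>/dev/null)
    token_out=$(sysadminctl -secureTokenStatus "$admin_account" 2>&1)
    result=$(audit_status "$admin_account" "$fv_list" "$token_out")
    echo "<result>$result</result>"
    logger -t fv-audit "$admin_account: $result"
fi
```

Pointed at the Jamf inventory as an extension attribute, the `DRIFT` value gives a date range for when each Mac lost the account, which can then be lined up against the EasyLAPS rotation schedule or other events on the same device.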
