Solved

Please, help me with FileVault :(

  • April 16, 2019
  • 9 replies
  • 62 views


Hello,

I need your help because FileVault will drive me crazy.

We have about 1300 Macs (10.11.x to 10.14.x)

We have only AD accounts (without admin permissions), and the only local admin account is the one that is used for Jamf management.

FileVault is not enabled, and the only Secure Token account existing on macOS 10.13.4+ is the Jamf management account.

I need to be able to enable FileVault, as silently as possible for the end user.

I read dozens of documents, including:

FileVault-on-macOS-10.14-or-Later

FileVault-on-macOS-10.11-10.12

But I cannot do anything ...
Errors, FileVault not enabled, ...

Please, can you point me to the best way to proceed?

Thank you for your help

Best answer by kerouak

drop me an email and I'll send you details
r.mcandrew@arts.ac.uk

9 replies

  • Valued Contributor
  • April 16, 2019

Check out some of the updates regarding secureToken and Filevault in this article: https://travellingtechguy.eu/mojave-10-14-2-and-secure-tokens-it-works/


  • Author
  • Valued Contributor
  • April 17, 2019

Hello,
Thank you for your reply,

Indeed, I already read this article (very interesting).
Today I have workstations on which the only Secure Token account existing on macOS 10.13.4+ is the Jamf management account.

The rest are AD accounts, so they do not have a Secure Token.
As I understand it, enabling FileVault with the management account does not work or is not recommended.

Therefore, how can I do it without having to physically visit all the computers to create another local account?

It seems very complicated to me ...

Thanks


  • Valued Contributor
  • April 17, 2019

Does the management account have a secure token?
Run: sysadminctl -secureTokenStatus username_goes_here

If it does indeed have a secure token, I can help you with a script that will enable FileVault without administrator intervention.


  • Author
  • Valued Contributor
  • April 17, 2019

Hello @kerouak

Thank you for taking the time to respond.
Yes, I confirm that my Jamf management account has a Secure Token (I created an extension attribute to list the Secure Token accounts on 10.13.4+ computers).

I am interested in your solution if it does not take you too much time to share your script.

Thank you,


  • Valued Contributor
  • Answer
  • April 17, 2019

drop me an email and I'll send you details
r.mcandrew@arts.ac.uk


  • Author
  • Valued Contributor
  • April 17, 2019

Thanks for your help and thanks @kerouak, your script works very well.

Now I just have to get my management to approve temporarily having the admin account password in clear text in order to set up this workflow.
But if there are no other solutions, I think we will have no choice.

Thanks


  • Valued Contributor
  • April 17, 2019

@glpi-ios can you post the script? You do not have to put the password in clear text - you can use encrypted strings - https://github.com/jamf/Encrypted-Script-Parameters


  • Valued Contributor
  • April 17, 2019

@bwiessner it's not in the script, it's in the JSS


  • Author
  • Valued Contributor
  • April 17, 2019

@bwiessner The script belongs to @kerouak; I prefer that he makes the script public if he considers it necessary.

In fact, the script generates a .plist file in /private/tmp for a few seconds which contains the admin login and password in clear text.
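The workflow the thread describes (check the management account's Secure Token with sysadminctl, then hand the credentials to fdesetup through a short-lived plist in /private/tmp) as an added example; this is not kerouak's script. It assumes Jamf passes the management account name and password as script parameters $4 and $5, and the function names and temp file pattern are my own.

```shell
#!/bin/bash
# Added example, not the script from the thread. Assumes Jamf passes the
# management account name and password as script parameters $4 and $5
# (ideally $5 comes from an encrypted parameter decrypted earlier; not shown).
# True when `sysadminctl -secureTokenStatus` output reports an ENABLED token.
has_secure_token_output() {
    printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}
# Escape a value for use inside a plist <string> element.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# The input plist that `fdesetup enable -inputplist` reads from stdin.
build_input_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

enable_filevault() {
    user="$1"; pass="$2"
    # Only a Secure Token holder can enable FileVault, so check first.
    status=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    if ! has_secure_token_output "$status"; then
        echo "$user has no secure token; cannot enable FileVault" >&2
        return 1
    fi
    # Credentials file: created 0600 as root, overwritten and removed on exit.
    umask 077
    plist=$(mktemp /private/tmp/fv.XXXXXX) || return 1
    trap 'rm -P -f "$plist"' EXIT   # -P overwrites before unlinking (BSD rm)
    build_input_plist "$user" "$pass" > "$plist"
    fdesetup enable -inputplist < "$plist"
}

# Run only when invoked with parameters (e.g. from a Jamf policy), not when sourced.
if [ -n "$4" ] && [ -n "$5" ]; then
    enable_filevault "$4" "$5"
fi
```

Feeding $5 from Encrypted Script Parameters (linked above) keeps the password out of the policy in clear text; the plist still exists briefly on disk, which is exactly the exposure the last post describes, so the umask and overwrite-on-exit are what limit it.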