Skip to main content

There are plenty of scripts to address this issue when the management account is not enabled for FV2.



Many of our Macs were FV2-encrypted before we got Jamf. And my predecessor made sure to enable his local admin account for FV2 on those Macs, so he could log into them locally.



Now all our Macs are enrolled in Jamf, and we have admin access to FileVault, but the FV2 recovery key isn't escrowed.



It should be possible to fix this without user interaction. If I were sitting in front of one of these Macs, I'd use:



fdesetup changerecovery -personal

sudo jamf recon


In fact, for the machines that are on my LAN, I've just connected over SSH and run those commands. (The first command prompts for a password, so the script will have to listen for the prompt and respond. And I should probably encrypt the password to prevent any users from intercepting it.)



Is there a script that already does this? Again, I'm looking for a script that does NOT require user interaction. Users hate to see things pop up on their desktops.

@stevenjklein Jamf provides a script on github, you can tweak it and make it non-interactive if you have a management account & it is filevault enabled.



https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh



Take lines 151 to 179 & change the userName & userPass variables in the script to point to jamf parameters in a policy hosting the script that reflects your management accounts credentials (instead of prompting the user for the password) that is FV2 enabled, pass them securely & the script will then run silently in the background on end users devices. https://github.com/jamf/Encrypted-Script-Parameters 



if [[ $OS -ge 9 ]] &&  [[ $OS -lt 13 ]]; then

## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output

result=$(expect -c "

log_user 0

spawn fdesetup changerecovery -personal

expect "Enter a password for '/', or the recovery key:"

send {${userPass}}   

send 

log_user 1

expect eof

" >> /dev/null)

elif [[ $OS -ge 13 ]]; then

result=$(expect -c "

log_user 0

spawn fdesetup changerecovery -personal

expect "Enter the user name:"

send {${userName}}   

send 

expect "Enter a password for '/', or the recovery key:"

send {${userPass}}   

send 

log_user 1

expect eof

")

else

echo "OS version not 10.9+ or OS version unrecognized"

echo "$(/usr/bin/sw_vers -productVersion)"

exit 5

fi


also, don't forget to update the preboot volume at the end if machines are apfs



sudo diskutil apfs updatePreboot /

Thanks to OP for that fix... that was good enough to handle the few cases I had. Didn't need to deploy the fix on a massive scale.

Reply


Terms & ConditionsCookie settings