
Hi Jamf Community,

 

I have been trying to set up a search for all devices that don't have a personal recovery key set. Unfortunately there is no such option. Then I thought I could just check if the FileVault encryption is "Valid". This would be great, but some of the devices in my Jamf network don't have a recovery key set but are encrypted. I was trying to figure out how to search for all of these devices so I could issue a new key for them. Is there any way to do this?

Thanks ahead,

Raffael

Don't know if it works anymore, but you have to set up an extension attribute:

Check the status of the encryption:


```bash
#!/bin/bash

CORESTORAGESTATUS="/private/tmp/corestorage.txt"
ENCRYPTSTATUS="/private/tmp/encrypt_status.txt"
ENCRYPTDIRECTION="/private/tmp/encrypt_direction.txt"

osvers_major=$(sw_vers -productVersion | awk -F. '{print $1}')
osvers_minor=$(sw_vers -productVersion | awk -F. '{print $2}')

# Checks to see if the OS on the Mac is 10.x.x. If it is not, the
# following message is displayed without quotes:
#
# "Unknown Version Of Mac OS X"

if [[ ${osvers_major} -ne 10 ]]; then
  echo "<result>Unknown Version Of Mac OS X</result>"
fi

# Checks to see if the OS on the Mac is 10.7 or higher.
# If it is not, the following message is displayed without quotes:
#
# "FileVault 2 Encryption Not Available For This Version Of Mac OS X"

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -lt 7 ]]; then
  echo "<result>FileVault 2 Encryption Not Available For This Version Of Mac OS X</result>"
fi

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 7 ]] && [[ ${osvers_minor} -lt 13 ]]; then

  diskutil cs info / >> $CORESTORAGESTATUS 2>&1

  # If the Mac is running 10.7 through 10.12, but the boot volume
  # is not a CoreStorage volume, the following message is
  # displayed without quotes:
  #
  # "FileVault 2 Encryption Not Enabled"

  if grep -iE '/ is not a CoreStorage disk' $CORESTORAGESTATUS 1>/dev/null; then
    echo "<result>FileVault 2 Encryption Not Enabled</result>"
    rm -f "$CORESTORAGESTATUS"
    exit 0
  fi

  # If the Mac is running 10.7 through 10.12 and the boot volume
  # is a CoreStorage volume, the script then checks to see if
  # the machine is encrypted, encrypting, or decrypting.
  #
  # If encrypted, the following message is
  # displayed without quotes:
  # "FileVault 2 Encryption Complete"
  #
  # If encrypting, the following message is
  # displayed without quotes:
  # "FileVault 2 Encryption Proceeding."
  # How much has been encrypted of the total
  # amount of space is also displayed. If the
  # amount of encryption is for some reason not
  # known, the following message is
  # displayed without quotes:
  # "FileVault 2 Encryption Status Unknown. Please check."
  #
  # If decrypting, the following message is
  # displayed without quotes:
  # "FileVault 2 Decryption Proceeding"
  # How much has been decrypted of the total
  # amount of space is also displayed
  #
  # If fully decrypted, the following message is
  # displayed without quotes:
  # "FileVault 2 Decryption Complete"

  # Get the Logical Volume UUID (aka "UUID" in diskutil cs info)
  # for the boot drive's CoreStorage volume.

  LV_UUID=`diskutil cs info / | awk '/UUID/ {print $2;exit}'`

  # Get the Logical Volume Family UUID (aka "Parent LVF UUID" in diskutil cs info)
  # for the boot drive's CoreStorage volume.

  LV_FAMILY_UUID=`diskutil cs info / | awk '/Parent LVF UUID/ {print $4;exit}'`

  CONTEXT=`diskutil cs list $LV_FAMILY_UUID | awk '/Encryption Context/ {print $3;exit}'`

  if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -eq 7 || ${osvers_minor} -eq 8 ]]; then
    CONVERTED=`diskutil cs list $LV_UUID | awk '/Size \(Converted\)/ {print $5,$6;exit}'`
  fi

  if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 9 ]]; then
    CONVERTED=`diskutil cs list $LV_UUID | awk '/Conversion Progress/ {print $3;exit}'`
  fi

  ENCRYPTIONEXTENTS=`diskutil cs list $LV_FAMILY_UUID | awk '/Has Encrypted Extents/ {print $4;exit}'`
  ENCRYPTION=`diskutil cs list $LV_FAMILY_UUID | awk '/Encryption Type/ {print $3;exit}'`
  SIZE=`diskutil cs list $LV_UUID | awk '/Size \(Total\)/ {print $5,$6;exit}'`

  # This section does 10.7-specific checking of the Mac's
  # FileVault 2 status

  if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -eq 7 ]]; then
    if [ "$CONTEXT" = "Present" ]; then
      if [ "$ENCRYPTION" = "AES-XTS" ]; then
        diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Status/ {print $3;exit}' >> $ENCRYPTSTATUS
        if grep -iE 'Complete' $ENCRYPTSTATUS 1>/dev/null; then
          echo "<result>FileVault 2 Encryption Complete</result>"
        else
          if grep -iE 'Converting' $ENCRYPTSTATUS 1>/dev/null; then
            diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Direction/ {print $3;exit}' >> $ENCRYPTDIRECTION
            if grep -iE 'Forward' $ENCRYPTDIRECTION 1>/dev/null; then
              echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
            else
              echo "<result>FileVault 2 Encryption Status Unknown. Please check.</result>"
            fi
          fi
        fi
      else
        if [ "$ENCRYPTION" = "None" ]; then
          diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Direction/ {print $3;exit}' >> $ENCRYPTDIRECTION
          if grep -iE 'Backward' $ENCRYPTDIRECTION 1>/dev/null; then
            echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
          elif grep -iE '-none-' $ENCRYPTDIRECTION 1>/dev/null; then
            echo "<result>FileVault 2 Decryption Completed</result>"
          fi
        fi
      fi
    fi
  fi
fi

# This section does checking of the Mac's FileVault 2 status
# on 10.8.x through 10.10.x

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 8 ]] && [[ ${osvers_minor} -lt 11 ]]; then
  if [[ "$ENCRYPTIONEXTENTS" = "No" ]]; then
    echo "<result>FileVault 2 Encryption Not Enabled</result>"
  elif [[ "$ENCRYPTIONEXTENTS" = "Yes" ]]; then
    diskutil cs list $LV_FAMILY_UUID | awk '/Fully Secure/ {print $3;exit}' >> $ENCRYPTSTATUS
    if grep -iE 'Yes' $ENCRYPTSTATUS 1>/dev/null; then
      echo "<result>FileVault 2 Encryption Complete</result>"
    else
      if grep -iE 'No' $ENCRYPTSTATUS 1>/dev/null; then
        diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Direction/ {print $3;exit}' >> $ENCRYPTDIRECTION
        if grep -iE 'forward' $ENCRYPTDIRECTION 1>/dev/null; then
          echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
        else
          if grep -iE 'backward' $ENCRYPTDIRECTION 1>/dev/null; then
            echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
          elif grep -iE '-none-' $ENCRYPTDIRECTION 1>/dev/null; then
            echo "<result>FileVault 2 Decryption Completed</result>"
          fi
        fi
      fi
    fi
  fi
fi

# This section does checking of the Mac's FileVault 2 status
# on 10.11.x through 10.12.x

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 11 ]] && [[ ${osvers_minor} -lt 13 ]]; then
  if [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "" ]]; then
    echo "<result>FileVault 2 Encryption Not Enabled</result>"
  elif [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "Complete" ]]; then
    echo "<result>FileVault 2 Decryption Completed</result>"
  elif [[ "$ENCRYPTION" = "AES-XTS" ]]; then
    diskutil cs list $LV_FAMILY_UUID | awk '/High Level Queries/ {print $4,$5;exit}' >> $ENCRYPTSTATUS
    if grep -iE 'Fully Secure' $ENCRYPTSTATUS 1>/dev/null; then
      echo "<result>FileVault 2 Encryption Complete</result>"
    else
      if grep -iE 'Not Fully' $ENCRYPTSTATUS 1>/dev/null; then
        if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') != "" ]]; then
          diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Status/ {print $4;exit}' >> $ENCRYPTDIRECTION
          if grep -iE 'forward' $ENCRYPTDIRECTION 1>/dev/null; then
            echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
          elif grep -iE 'backward' $ENCRYPTDIRECTION 1>/dev/null; then
            echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
          fi
        elif [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') == "" ]]; then
          if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $3;exit}') == "Complete" ]]; then
            echo "<result>FileVault 2 Decryption Completed</result>"
          fi
        fi
      fi
    fi
  fi
fi

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 13 ]]; then

  # If the OS on the Mac is 10.13 or higher, check to see if the
  # boot drive is formatted with APFS or HFS+

  boot_filesystem_check=$(/usr/sbin/diskutil info / | awk '/Type \(Bundle\)/ {print $3}')

  # If the drive is formatted with APFS, the fdesetup tool will
  # be available and is able to display the encryption status.

  if [[ "$boot_filesystem_check" = "apfs" ]]; then

    # If encrypted, the following message is
    # displayed without quotes:
    # "FileVault is On."
    #
    # If encrypting, the following message is
    # displayed without quotes:
    # "Encryption in progress:"
    # How much has been encrypted of the total
    # amount of space is also displayed.
    #
    # If decrypting, the following message is
    # displayed without quotes:
    # "Decryption in progress:"
    # How much has been decrypted of the total
    # amount of space is also displayed
    #
    # If not encrypted, the following message is
    # displayed without quotes:
    # "FileVault is Off."

    ENCRYPTSTATUS=$(fdesetup status | xargs)

    if [[ -z $(echo "$ENCRYPTSTATUS" | awk '/Encryption | Decryption/') ]]; then
      ENCRYPTSTATUS=$(fdesetup status | head -1)
      echo "<result>$ENCRYPTSTATUS</result>"
    else
      ENCRYPTSTATUS=$(fdesetup status | tail -1)
      echo "<result>$ENCRYPTSTATUS</result>"
    fi
  fi

  if [[ "$boot_filesystem_check" = "hfs" ]]; then

    diskutil cs info / >> $CORESTORAGESTATUS 2>&1

    if grep -iE '/ is not a CoreStorage disk' $CORESTORAGESTATUS 1>/dev/null; then
      echo "<result>FileVault 2 Encryption Not Enabled</result>"
      rm -f "$CORESTORAGESTATUS"
      exit 0
    fi

    # If the Mac is running 10.7 or higher and the boot volume
    # is a CoreStorage volume, the script then checks to see if
    # the machine is encrypted, encrypting, or decrypting.
    #
    # If encrypted, the following message is
    # displayed without quotes:
    # "FileVault 2 Encryption Complete"
    #
    # If encrypting, the following message is
    # displayed without quotes:
    # "FileVault 2 Encryption Proceeding."
    # How much has been encrypted of the total
    # amount of space is also displayed. If the
    # amount of encryption is for some reason not
    # known, the following message is
    # displayed without quotes:
    # "FileVault 2 Encryption Status Unknown. Please check."
    #
    # If decrypting, the following message is
    # displayed without quotes:
    # "FileVault 2 Decryption Proceeding"
    # How much has been decrypted of the total
    # amount of space is also displayed
    #
    # If fully decrypted, the following message is
    # displayed without quotes:
    # "FileVault 2 Decryption Complete"

    # Get the Logical Volume UUID (aka "UUID" in diskutil cs info)
    # for the boot drive's CoreStorage volume.

    LV_UUID=`diskutil cs info / | awk '/UUID/ {print $2;exit}'`

    # Get the Logical Volume Family UUID (aka "Parent LVF UUID" in diskutil cs info)
    # for the boot drive's CoreStorage volume.

    LV_FAMILY_UUID=`diskutil cs info / | awk '/Parent LVF UUID/ {print $4;exit}'`

    CONTEXT=`diskutil cs list $LV_FAMILY_UUID | awk '/Encryption Context/ {print $3;exit}'`
    CONVERTED=`diskutil cs list $LV_UUID | awk '/Conversion Progress/ {print $3;exit}'`
    ENCRYPTIONEXTENTS=`diskutil cs list $LV_FAMILY_UUID | awk '/Has Encrypted Extents/ {print $4;exit}'`
    ENCRYPTION=`diskutil cs list $LV_FAMILY_UUID | awk '/Encryption Type/ {print $3;exit}'`
    SIZE=`diskutil cs list $LV_UUID | awk '/Size \(Total\)/ {print $5,$6;exit}'`

    # This section does checking of the Mac's FileVault 2 status if the boot drive is formatted with HFS+

    if [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "" ]]; then
      echo "<result>FileVault 2 Encryption Not Enabled</result>"
    elif [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "Complete" ]]; then
      echo "<result>FileVault 2 Decryption Completed</result>"
    elif [[ "$ENCRYPTION" = "AES-XTS" ]]; then
      diskutil cs list $LV_FAMILY_UUID | awk '/High Level Queries/ {print $4,$5;exit}' >> $ENCRYPTSTATUS
      if grep -iE 'Fully Secure' $ENCRYPTSTATUS 1>/dev/null; then
        echo "<result>FileVault 2 Encryption Complete</result>"
      else
        if grep -iE 'Not Fully' $ENCRYPTSTATUS 1>/dev/null; then
          if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') != "" ]]; then
            diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Status/ {print $4;exit}' >> $ENCRYPTDIRECTION
            if grep -iE 'forward' $ENCRYPTDIRECTION 1>/dev/null; then
              echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
            elif grep -iE 'backward' $ENCRYPTDIRECTION 1>/dev/null; then
              echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
            fi
          elif [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') == "" ]]; then
            if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $3;exit}') == "Complete" ]]; then
              echo "<result>FileVault 2 Decryption Completed</result>"
            fi
          fi
        fi
      fi
    else
      echo "<result>Unknown filesystem.</result>"
    fi
  fi
fi

# Remove the temp files created during the script

if [ -f "$CORESTORAGESTATUS" ]; then
  rm -f "$CORESTORAGESTATUS"
fi

if [ -f "$ENCRYPTSTATUS" ]; then
  rm -f "$ENCRYPTSTATUS"
fi

if [ -f "$ENCRYPTDIRECTION" ]; then
  rm -f "$ENCRYPTDIRECTION"
fi

exit 0
```

Then create a smart group like this:

 

Just modify the settings in the smart group as you want.



Hey mickl089,

thanks for your quick reply. I have seen this post myself, but 1. I can't confirm if it's outdated and 2. this doesn't check if a key is present. As I already said, some of my users have an invalid or unknown FileVault 2 setup but still have a key, or even the other way round: they have no key but the disk is encrypted. I guess it will boil down to manually searching for them.

 

Thanks,

Raffael
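An extension attribute that does report whether a personal recovery key (PRK) exists, added here as an example and not part of either post above: it combines `fdesetup status` with `fdesetup haspersonalrecoverykey` (prints true/false; confirm it is listed by `fdesetup help` on a test Mac before relying on it), and the `classify_fv` function name is mine. A smart group on the value "Encrypted, no PRK" then targets exactly the encrypted-but-keyless Macs described in this thread, so a policy can issue them a new key.

```shell
#!/bin/bash
# Jamf extension attribute (example): classify a Mac by FileVault state
# and presence of a personal recovery key, for use as a smart group criterion.

# classify_fv STATUS PRK
#   STATUS: full output of `fdesetup status`
#   PRK:    output of `fdesetup haspersonalrecoverykey` ("true" or "false")
# Prints one of five fixed labels so the smart group can match on them exactly.
classify_fv() {
  case "$1" in
    *"in progress"*)
      # "Encryption in progress" / "Decryption in progress" lines follow
      # the "FileVault is On." line, so test for them first.
      echo "Conversion in progress" ;;
    "FileVault is On."*)
      if [ "$2" = "true" ]; then
        echo "Encrypted, PRK present"
      else
        echo "Encrypted, no PRK"   # the machines the thread wants to find
      fi ;;
    "FileVault is Off."*)
      echo "Not encrypted" ;;
    *)
      echo "Unknown" ;;
  esac
}

if command -v fdesetup >/dev/null 2>&1; then
  # Real run on a Mac. Jamf executes extension attributes as root, which
  # haspersonalrecoverykey requires; stderr is dropped so a failure maps to "Unknown"/"no PRK".
  fv_status=$(fdesetup status)
  prk=$(fdesetup haspersonalrecoverykey 2>/dev/null)
  echo "<result>$(classify_fv "$fv_status" "$prk")</result>"
else
  # Not a Mac: exercise the classifier on constructed fdesetup output instead.
  sample=$(printf 'FileVault is On.\nEncryption in progress: Percent completed = 42')
  classify_fv "FileVault is On." "false"   # Encrypted, no PRK
  classify_fv "$sample" "true"             # Conversion in progress
fi
```

A true result only means a PRK exists on the Mac, not that the key escrowed in Jamf matches it, so pair this attribute with the key-validation criterion the thread already mentions.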


@Raffael , I've attached an image of the smart group I use to find keys in my Org which are not valid. I can verify it works.  If you set it up like this, mind the parentheses.  I exclude Mac minis in our environment because they're desktops.  So, if you have iMacs or other desktops, you may want to exclude those.  Up to you.  Hope it helps.