add user to filevault not working with 10.13

tcandela
Valued Contributor II

Has anyone else encountered the issue with a policy that creates a new user and enables it in filevault, NOT enabling the account in filevault?

It creates the account but errors when enabling it for FileVault!! (so I enabled it manually).

The same policy worked with no issues in 10.12.


LovelessinSEA
Contributor II

Yeah,

I'm no longer able to enable FileVault for users or update the FileVault password for our local-admin account. Kind of a big issue for us because the local-admin password successfully changes for the user but not for FV2, which means our FV2 password and local account password are no longer syncing after our 90 password rotations.

tcandela
Valued Contributor II

Looks like if you upgrade from 10.12 to 10.13 your FileVault 2 accounts are not affected.

blinvisible
Contributor

Correct, existing accounts during an upgrade should be fine. The combination of affecting factors seems to be:

a) macOS 10.13+
b) APFS
c) new command line-created user account
d) attempting to add that account as a FV2-enabled user
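A pre-flight check for those four factors, added here as an example and not taken from the thread or from Jamf. It assumes the output formats of sw_vers, diskutil info, sysadminctl -secureTokenStatus and fdesetup list noted in its comments, and only runs the live commands where those tools exist, so the parsing helpers can be exercised anywhere:

```shell
#!/bin/bash
# Pre-flight check for the four factors above. Assumed output formats:
#   sw_vers -productVersion            -> "10.13.4"
#   diskutil info /                    -> "File System Personality:  APFS"
#   sysadminctl -secureTokenStatus u   -> "... Secure token is ENABLED for user u" (on stderr)
#   fdesetup list                      -> "user,UUID" per line (needs root)
# Usage on a Mac: sudo ./fv_preflight.sh <username>

# 0 when the version string is 10.13 or later.
is_high_sierra_or_later() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 13 ]; }
}

# 0 when the boot volume info text reports APFS.
fs_is_apfs() {
    printf '%s\n' "$1" | grep -q 'File System Personality: *APFS'
}

# 0 when the sysadminctl status text says the user holds a secure token.
token_line_enabled() {
    case "$1" in *"Secure token is ENABLED"*) return 0 ;; *) return 1 ;; esac
}

# 0 when the user already appears in the fdesetup list text.
fv_list_has_user() {
    printf '%s\n' "$1" | cut -d, -f1 | grep -qxF -- "$2"
}

# Prints a verdict for user $5 given version $1, diskutil text $2,
# sysadminctl text $3 and fdesetup list text $4. Returns 1 when blocked.
preflight() {
    if fv_list_has_user "$4" "$5"; then
        echo "already-enabled"; return 0
    fi
    if is_high_sierra_or_later "$1" && fs_is_apfs "$2" && ! token_line_enabled "$3"; then
        echo "blocked-no-secure-token"   # fdesetup add will fail; grant a token first
        return 1
    fi
    echo "ok"
}

# Live run only where the macOS tools exist; the helpers above are pure.
if [ -n "${1:-}" ] && command -v fdesetup >/dev/null 2>&1; then
    preflight "$(sw_vers -productVersion)" "$(diskutil info /)" \
        "$(sysadminctl -secureTokenStatus "$1" 2>&1)" "$(fdesetup list)" "$1"
fi
```

The sample values in the comments are constructed; on a real 10.13 APFS Mac the "blocked-no-secure-token" verdict is the case this thread describes.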

tcandela
Valued Contributor II

I wonder if JAMF is going to deal with this 'secure token' with policies that create new users and want them filevault enabled.

donmontalvo
Esteemed Contributor III

@tcandela my fear is Jamf is "no longer developing Jamf Pro 9.x", so we may be abandoned with this very important functionality not functional.

--
https://donmontalvo.com

tcandela
Valued Contributor II

With a new OS release there is always something that gets targeted for changes.

tcandela
Valued Contributor II

Using JSS 9.101.0.
I have a configuration profile that enables FileVault 2 on the next log off, and it redirects the individual recovery key to the JSS. This worked fine with 10.12. The profile automatically redirects the recovery key to the JSS.

This is the first 10.13 system that I have enrolled straight out of the box. The config profile worked, but not all of it: the individual recovery key says 'Unknown' instead of 'Valid'.

Macintosh HD (Boot Partition)
Last Inventory Update: Yesterday at 3:59 PM
FileVault 2 Partition Encryption State: Encrypted
Individual Recovery Key Validation: Unknown
Institutional Recovery Key: Not Present

The Management tab has the payload for FileVault 2 as 'Not Configured', so I don't see a recovery key.

Is anybody else not seeing the recovery key getting redirected to the JSS?

macOS 10.13 High Sierra and Filevault Recovery Key Escrow in JSS 9.101.0

blinvisible
Contributor

Recovery Key redirection works differently under 10.13. You will need two configuration profiles, one for 10.13+ and one for previous versions of macOS. See this discussion:

https://www.jamf.com/jamf-nation/discussions/25558/macos-10-13-high-sierra-and-filevault-recovery-ke...

tcandela
Valued Contributor II

@blinvisible trying it now for 10.13.

The config profile is now on the test laptop, but nothing happens regarding FV2. Is the user supposed to turn on FV2 on their own from System Preferences?

Does the personal recovery key stay the same if multiple users are FV2 enabled on the same laptop?

In my previous config profile I have both the 'Security & Privacy' and 'FileVault Recovery Key Redirection' payloads configured.

blinvisible
Contributor

There is only one Individual Recovery Key at a time, regardless of how many FileVault-enabled users there are.

I believe you'll only get a Recovery Key in escrow when:
a) encryption is initiated by the Jamf server using a Disk Encryption Configuration scoped to the device(s)
b) an appropriately configured Configuration Profile with key redirection is also scoped to the device(s) when encryption is initiated.

...and you will not get a Recovery Key redirected to the server from user-initiated encryption, or applying a key redirection Configuration Profile to an already in-progress or fully encrypted device.

tcandela
Valued Contributor II

@blinvisible yes, I've been looking at the Jamf discussion.

I have a FV2 config profile that works on 10.12 and earlier (this only goes on 10.12, 10.11, 10.10 systems)?

But now it looks like I'll need a brand new FV2 config profile for fresh new 10.13 systems (this will only go on 10.13 systems?).

I created the new FV2 config profile for 10.13 (just like that other discussion talks about in its very first comments by @a.stonham), but when the config profile gets installed on the laptop, nothing regarding FV2 happens. The laptop doesn't start encrypting. What/when starts the encryption process after the config profile gets installed?

blinvisible
Contributor

The "FileVault Recovery Key Redirection" and "Enable Escrow Personal Key Recovery" Configuration Profiles do not begin the encryption process. Their only purpose is to have the generated Recovery Key put into escrow when encryption is initiated.

The actual process of encryption is initiated by the combination of a Disk Encryption Configuration and a Policy, not by Configuration Profile. See the sections "Managing Disk Encryption Configurations" and "Deploying Disk Encryption Configurations" in the JSS 9.101.0 Administrator's Guide.

http://docs.jamf.com/9.101.0/casper-suite/administrator-guide/Settings_and_Security_Management.html

tcandela
Valued Contributor II

@blinvisible my 10.12 FV2 config profile kicks off the encryption when the user logs off. I don't have a policy associated with it. I have the 'If not already enabled, FV2 will be enabled on next logout' option checked in the config profile.

I'll check out that guide

Micah_Smith
New Contributor II

Out of curiosity, has the process of adding users to FV2 via policy been figured out for 10.13.x?
Adding them manually is a bit of a chore...

blinvisible
Contributor

@Micah.Smith Not via native Jamf policy, that I'm aware of. I have a custom script that runs via policy that performs the task under most circumstances.

dgreening
Valued Contributor II

@Micah.Smith

Depends on what you mean by "Users". If it is a user(s) which you know the password for, it is pretty easy to do with a script. The same for a user which you do not know the password for, however, you need to prompt them for their password.

For local admin users, at provisioning, knowing the password for the first (501) user created at the Setup Assistant. Keep in mind that the tech user is also created via sysadminctl using the 501 user's credentials, but in a different script. This script enables FV for our management user and our separate tech user. The script also removes the secureToken from the 501 user (so it doesn't show up at FV preboot post 1st reboot), which is then deleted by a post-provisioning policy. It is important to remember that any user with a secureToken can enable FV, and we are using the "tech" user to do that in the script below. Any user with a secureToken (which is why we create them with sysadminctl) is automatically FV enabled upon enablement.

We have been using the 10.13.4+ functionality of prompting mobile accounts at the login window to enable them for FV. All machines must be encrypted before deployment, so we rely on Field to ensure that the AD based mobile user is FV enabled.

#!/bin/bash

# Decrypt String Function for account passwords
function DecryptString() {
    # Usage: ~$ DecryptString "Encrypted String" "Salt" "Passphrase"
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}

# $4 and $5 are the Jamf policy script parameters carrying the encrypted
# passwords; "salthere" and "passphrasehere" are placeholders for the values
# used when the strings were encrypted.
manuserpwd=$( DecryptString "$5" salthere passphrasehere )
techpwd=$( DecryptString "$4" salthere passphrasehere )

# Translate XML reserved characters to XML friendly representations,
# so the password cannot break the plist fed to fdesetup below.
TECH_PASS_XML=$(echo "$techpwd" | sed -e 's~&~&amp;~g' -e 's~<~&lt;~g' -e 's~>~&gt;~g' -e 's~"~&quot;~g' -e "s~'~&apos;~g" )

# grant secure token to management user, using the 501 user (which already
# holds a token) as the authorising admin; 501user/501userpwd are placeholders
sysadminctl -adminUser 501user -adminPassword 501userpwd -secureTokenOn manuser -password "$manuserpwd"

# remove secureToken from 501user, now that manuser holds one
sysadminctl -adminUser manuser -adminPassword "$manuserpwd" -secureTokenOff 501user -password 501userpwd

# Enable FileVault as the tech user; any other user that already holds a
# secure token (manuser) is enabled along with it. The captured output
# includes the new personal recovery key; this script does not use it further.
echo "Enabling Filevault for tech and manuser..."
FDESETUP_OUTPUT="$(fdesetup enable -inputplist << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>tech</string>
<key>Password</key>
<string>$TECH_PASS_XML</string>
</dict>
</plist>
EOF
)"

# Update FV preboot so the preboot login window reflects the current token holders
diskutil apfs updatePreboot / >/dev/null

# List FV Users
fdesetup list

stutz
Contributor

@dgreening

Just curious, what does this part of your script essentially do with/to your password?

Translate XML reserved characters to XML friendly representations.

cddwyer
Contributor

@stutz In XML certain special characters have to be quoted or they will be interpreted by the browser as an (or part of an) XML tag. Think of it like using \ in bash to escape/quote a special character or space.