Adding FileVault2 Pre or Post Image

msample
Contributor II

When is it best to activate FileVault2? And has anyone run into the issue of your primary admin account repeatedly surfacing first as a single login window before the system displays the username and password field? We do have a script in place that "disables automatic login," so that's not the problem. It's only after we reboot the machine that the username and password field appears, but if we reboot again the "list of users" icon re-appears with just the password field. Bizarre!

Thanks in advance for any thoughts and/or tips to resolve this.



bentoms
Release Candidate Programs Tester

rtrouton
Release Candidate Programs Tester

@msample,

Are you seeing something like this?

external image link

Followed by something like this?

external image link

If you are, this is the expected behavior when you've enabled FileVault 2 and also disabled the FileVault 2 automatic login process. The first screen you're seeing is the FileVault 2 pre-boot login screen, where you would log in with your account to unlock the encryption on your boot drive. Once the disk's encryption is unlocked, the OS takes over and boots the Mac.

As it sounds like you've disabled the automatic login process that would normally take you from the FileVault 2 pre-boot login screen directly into the account that you selected to log in with, the OS will stop you at the OS login window and require you to log in again. Apple has a KBase article on disabling the automatic login available from here:

http://support.apple.com/en-us/HT202842

If you're not familiar with FileVault 2 and how it works, there's a training video available that can help you learn more about it:

http://www.peachpit.com/store/filevault-2-for-mac-os-x-decoded-learn-by-video-9780134095844

I also have a number of posts on FileVault 2 available from here:

https://derflounder.wordpress.com/category/filevault-2/

alexjdale
Valued Contributor III

I wrote a custom script that manages FileVault activation, ultimately calling a trigger policy to enable deferred mode activation once the script confirms it's ready. The script runs a couple of basic user checks, such as making sure that the user is logged in and is not one of our excluded accounts (I don't want deferred mode to kick in if a tech is logged in as local administrator). I run this policy once per day for all unencrypted systems.

tkimpton
Valued Contributor II

Can you share your script, Alex?

Thanks

msample
Contributor II

Thanks, Alex. I'd love to test your script in my environment. Can I request a shot of the script?

Thanks in advance.

alexjdale
Valued Contributor III

Here's my script. It's 1.5 years old and I've come a long way with bash since then, so it could be a lot cleaner and shorter (but it works). It's designed to provide local logs and echo results to the JSS policy logs as well. You will need to make sure you have a trigger policy set up that applies your FV configuration.

I also have a "reminder" policy that runs once per day for all systems that are in "deferred" mode, popping up a CocoaDialog reminder that encryption is required, please log out and enter your password, etc.

#!/bin/bash
#
# FV2 Enable
# Runs basic checks; if FV2 is not active or deferred and the current user is not admin, enables FV2

logPath="/var/log/Deployments/FileVault2.log"

# Append one line to the local log (quoted so spaces in the message survive)
log() {
    if [ "$1" ]; then
        echo "$1" >> "$logPath"
    fi
}

DATESTAMP=$(date)
if [ ! -d "/var/log/Deployments" ]; then
    mkdir "/var/log/Deployments"
fi

log "Running FV2 Enable - $DATESTAMP"
log "Computer name: $(hostname)"

# The owner of /dev/console is the user holding the GUI session
currentUser=$(ls -l /dev/console | awk '{print $3}')
isUserLoggedIn=$(who | grep console | grep "$currentUser")

# Quit out if administrator is logged in
if [ "$currentUser" = "administrator" ]; then
    log "administrator logged on, exiting"
    echo "administrator logged on, exiting"
    exit 0
fi

FVStatus=$(fdesetup status)

# If FV is already on, exit
isOn=$(echo "$FVStatus" | grep "FileVault is On")
if [ "$isOn" ]; then
    log "FileVault is On. Exiting."
    echo "FileVault is On. Exiting."
    exit 0
fi

# If FV is in a deferred state already, exit
isDef=$(echo "$FVStatus" | grep Deferred)
if [ "$isDef" ]; then
    log "$isDef"
    # The deferred user is single-quoted at the end of the status line,
    # e.g. "... active for user 'jdoe'."; pull it out by pattern rather than by field number
    defUsername=$(echo "$isDef" | sed -E "s/.*'([^']+)'.*/\1/")
    log "$defUsername is already set as the deferred FV user. Exiting."
    echo "$defUsername is already set as the deferred FV user. Exiting."
    exit 0
fi

# If FV is encrypting, exit
isEnc=$(echo "$FVStatus" | grep "Encryption in progress")
if [ "$isEnc" ]; then
    log "$FVStatus"
    echo "$FVStatus"
    exit 0
fi

# If FV is decrypting, exit
isDec=$(echo "$FVStatus" | grep "Decryption in progress")
if [ "$isDec" ]; then
    log "$FVStatus"
    echo "$FVStatus"
    exit 0
fi

# Make sure user is logged on
if [ ! "$isUserLoggedIn" ]; then
    log "Current console user is not logged on"
    echo "Current console user is not logged on"
    exit 0
fi

log "$currentUser currently logged in"

# All checks passed, enable FV2 for the currently logged in user
log "Executing FV2 enable policy"
jamf policy -trigger enableFV2
sleep 5
FVStatus=$(fdesetup status)
log "$FVStatus"
echo "$FVStatus"
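An added example, not code from the thread or from Alex's script: it isolates the two decisions the thread turns on, classifying `fdesetup status` text (fed on stdin) into the states the script above checks for, and working out how many login prompts a user should expect at boot given the DisableFDEAutoLogin setting rtrouton's Apple article covers. The sample status strings and the excluded-account list are constructed assumptions; the function takes the autologin setting as an argument instead of reading it, so it runs off a Mac.

```shell
#!/bin/bash
# Added example (not from the thread): classify fdesetup status output and decide
# whether the enable policy should fire and how many login prompts to expect.

# fv2_state: prints one of on | encrypting | decrypting | deferred:<user> | off | unknown
fv2_state() {
    local status user
    status=$(cat)
    case "$status" in
        *"Encryption in progress"*) echo "encrypting" ;;
        *"Decryption in progress"*) echo "decrypting" ;;
        *"Deferred enablement"*)
            # the deferred user is single-quoted in the status line; match it by
            # pattern instead of counting awk fields
            user=$(printf '%s\n' "$status" | sed -n "s/.*user '\([^']*\)'.*/\1/p" | head -n 1)
            echo "deferred:${user:-unknown}" ;;
        *"FileVault is On"*) echo "on" ;;
        *"FileVault is Off"*) echo "off" ;;
        *) echo "unknown" ;;
    esac
}

# should_enable STATE CONSOLE_USER: succeeds only when FV2 is plainly off and the
# console user is not an excluded technician account (exclusion list is an assumption)
should_enable() {
    local state="$1" user="$2"
    case "$user" in administrator|root|"") return 1 ;; esac
    [ "$state" = "off" ]
}

# login_prompts STATE AUTOLOGIN_DISABLED: credential prompts seen at boot.
# With the volume encrypted and DisableFDEAutoLogin set (1), the pre-boot unlock
# is followed by a second prompt at the loginwindow, the "double login" above.
login_prompts() {
    local state="$1" disabled="$2"
    case "$state" in
        on|encrypting|decrypting) if [ "$disabled" = "1" ]; then echo 2; else echo 1; fi ;;
        *) echo 1 ;;
    esac
}

# constructed sample outputs modelled on the fdesetup status format
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."
SAMPLE_ENCRYPTING="FileVault is On.
Encryption in progress: Percent completed = 42"

echo "deferred sample -> $(printf '%s\n' "$SAMPLE_DEFERRED" | fv2_state)"
echo "encrypting sample -> $(printf '%s\n' "$SAMPLE_ENCRYPTING" | fv2_state)"
```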

msample
Contributor II

@alexdale

This script works like a charm under 10.10.3. Nice! After re-imaging a machine and authenticating with username and password, the first prompt alerts the user to "enable FileVault 2 encryption." When I check the policy within the JSS, I get the following as verification check points, from the log screenshot below:

external image link