AppleScript/Script Editor to create new user and add to filevault

easyedc
Valued Contributor II

We're in a scenario where we want to simplify how we can get new remote users up and running with laptops. Currently, our hardware support team sets up a webex, joins VPN, some other painful stuff, etc. What I'm working on is creating an application (so that non-standard admins can launch this) that will both create their user account and add them to file vault, then immediately log out and delete our temporary user.

In my thinking I came up with a combination of a few things, but starting with an AppleScript that can do a lot of this because a) I can set it as read only (and keep my service account name/password hidden) and b) users can launch this without admin rights:

to getusername()
    display dialog "Enter your User ID:" default answer ""
    -- return the string itself, not a one-item list, so it concatenates cleanly below
    return text returned of result
end getusername

to getuserpwd()
    display dialog "Enter your password:" default answer "" with hidden answer
    return text returned of result
end getuserpwd

set userid to getusername()
set userpass to getuserpwd()

-- quoted form keeps spaces or quotes in the values from breaking the shell command;
-- note the password is still on the command line (visible to ps) while createmobileaccount runs
do shell script "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -v -e -n " & quoted form of userid & " -p " & quoted form of userpass user name "SERVICEACCOUNT" password "PASSWORD" with administrator privileges

do shell script "fdesetup add -usertoadd " & quoted form of userid & " -p -keychain" with administrator privileges

-- `delay (write text ...)` is not valid AppleScript, and the do shell script above has
-- already returned, so nothing here reaches fdesetup's password prompt
-- delay (write text "'" & userpass & "'")

I've seen people tackle the FileVault challenge a few different ways. Given our security limitations, I have no way to create the .plist that everyone else seems to use that caches the user info and imports it. Thoughts? Am I going about this the wrong way? Anyone else have/had/solved this challenge?

Thanks.

1 ACCEPTED SOLUTION

thoule
Valued Contributor II

I'm in the middle of something else at the moment so can't review this info, but I did something similar a year or so ago. I've got a script (https://github.com/tmhoule/ProfileMigration) which will prompt for local admin credentials and will add a user to FileVault. You should be able to pull the code you need from there.

3 REPLIES
easyedc
Valued Contributor II

@thoule Looking through your work and I THINK it'll solve my issue of not having the user's password to pass into the .plist file. Looking through your work, though, it doesn't seem like you clean up the temp .plist that gets created? Or am I wrong? (I know it's in /tmp/, but doesn't it still need to be removed since the user's password is in clear text?)
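Both the original post (no way to drop a cleartext .plist on disk) and the cleanup question above have the same answer: fdesetup's `-inputplist` option reads the plist from standard input, so the file never has to exist. The following is an added example and is not the poster's script nor anything from thoule's ProfileMigration repository; it assumes it runs as root on macOS, and `SERVICE_USER`/`SERVICE_PASS` are placeholders for the existing FileVault-enabled admin account. It builds the plist in memory, escapes the password so XML metacharacters cannot corrupt it, streams it to fdesetup, and, for the case where a file truly is unavoidable, shows the mktemp/umask/trap pattern that keeps it private and removes it even on abort.

```shell
#!/bin/sh
# Added example, not the poster's or thoule's code. Builds the fdesetup input
# plist in memory and pipes it over stdin ("fdesetup add -inputplist" reads the
# plist from standard input), so no cleartext-password file is written to /tmp
# and no secret appears on a command line that `ps` could show.
# Assumed: run as root on macOS; SERVICE_USER/SERVICE_PASS are placeholder
# environment variables naming an existing FileVault-enabled admin account.

# Escape the XML special characters so a password containing & < > " or '
# cannot break, or inject elements into, the plist.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# build_fv_plist ADMIN_USER ADMIN_PASS NEW_USER NEW_PASS
# Emits the plist fdesetup expects: the authorising user plus AdditionalUsers.
build_fv_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$(xml_escape "$3")</string>
            <key>Password</key>
            <string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# add_user_to_filevault ADMIN_USER ADMIN_PASS NEW_USER NEW_PASS
# Streams the plist straight into fdesetup; nothing touches the filesystem.
add_user_to_filevault() {
  build_fv_plist "$1" "$2" "$3" "$4" | fdesetup add -inputplist
}

# is_filevault_user USER -> exit 0 if USER already has a FileVault unlock slot
# ("fdesetup list" prints one "username,UUID" line per enabled user).
is_filevault_user() {
  fdesetup list | cut -d, -f1 | grep -qx "$1"
}

# Fallback for a tool that insists on a file: create it readable only by the
# owner and guarantee removal even if the script is interrupted.
with_temp_plist() {
  umask 077
  tmp=$(mktemp "${TMPDIR:-/tmp}/fv.XXXXXX") || return 1
  trap 'rm -f "$tmp"' EXIT INT TERM
  build_fv_plist "$1" "$2" "$3" "$4" > "$tmp"
  fdesetup add -inputplist < "$tmp"
}

# Only acts when invoked as `sh fv_add.sh --run NEW_USER`; sourcing the file
# or running it without --run just defines the functions above.
if [ "${1:-}" = "--run" ]; then
  new_user=$2
  printf 'FileVault password for %s: ' "$new_user"
  stty -echo; read -r new_pass; stty echo; echo
  if is_filevault_user "$new_user"; then
    echo "$new_user is already FileVault-enabled"
  else
    add_user_to_filevault "$SERVICE_USER" "$SERVICE_PASS" "$new_user" "$new_pass"
  fi
fi
```

The plist layout (top-level `Username`/`Password` for the authorising account, `AdditionalUsers` as an array of user/password dicts) is the one fdesetup's man page documents for `-inputplist`; the escaping matters because a password containing `<` or `&` would otherwise make fdesetup reject the plist or, worse, silently change its structure.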

easyedc
Valued Contributor II

... and it looks like something similar was done here - but not as a Script Editor-created application.