Automate fixing High Sierra FileVault password sync

AVmcclint
Honored Contributor

As many of us have experienced over the past year, Active Directory users who change their passwords often do not get their FileVault password to sync up since upgrading to macOS High Sierra. This bug has existed since the betas from what I understand but Apple never fixed it. The interwebs has many many many suggestions on how to fix it but the only one that has ever worked consistently for me was to use fdesetup to remove the user and then re-add them to FileVault. The problem is that this requires me to login as admin and have the user sit next to me so they can type their password at the requested time. What I would like to do is create a self service policy that handles this. The problem is I don't know how to prompt the user for their password via the GUI. I'm sure i could use currentuser=`stat -f "%Su" /dev/console` to get the username in the script, but I can't figure out how to get the password and apply it. Has anyone done anything like this?

9 REPLIES 9

ThijsX
Valued Contributor
Valued Contributor

Hi, maybe below can help ya out?

https://www.jamf.com/jamf-nation/discussions/27741/sharing-is-caring-self-service-script-for-tech-reset-filevault-2-user-password

#!/bin/sh

# Loop until valid input is entered or Cancel is pressed.
while :; do
    userName=$(osascript -e 'Tell application "System Events" to display dialog "Hi, 

Ensure that you have set a new password for the user via Active Directory.

Please now insert the username of the user" default answer "" with title "Requesting Username" with text buttons {"Submit"} with icon caution' -e 'text returned of result' 2>/dev/null)

    if (( $? ));
        then exit 1; fi  # Abort, if technician pressed Cancel.

        userName=$(echo "$userName" | sed 's/^ *//' | sed 's/ *$//')  # Trim leading and trailing whitespace.

    if [[ -z "$userName" ]]; then

        # The technician left the username blank
        osascript -e 'Tell application "System Events" to display alert "You must enter the username. Please try again" as warning' >/dev/null

        # Continue loop to prompt again.

        else
            # Valid input: exit loop and continue.
            break
    fi
done

# Remove user from FileVault 2.
fdesetup remove -user "$userName"
echo "User has been removed from FileVault 2"

sleep 05


# Pass the credentials for the management account that is authorized with FileVault 2
adminName='PUT IN HERE YOUR SUPPORT ACCOUNT'
adminPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter the password for SUPPORT ACCOUNT" default answer "" with title "Get admin privilliges" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

# Check if the logged on user is already authorized with FileVault 2
userCheck=`fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}'`
if [ "${userCheck}" == "${userName}" ]; then
echo "This user is already added to the FileVault 2 list."
osascript -e 'tell app "System Events" to display dialog "This user is already added to the FileVault 2 list." with title "Not able to add user" buttons {"Quit"}'
exit 1
fi

# Check to see if the encryption process is complete
encryptCheck=`fdesetup status`
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
echo "The encryption process has not completed, unable to add user at this time."
echo "${encryptCheck}"
osascript -e 'tell app "System Events" to display dialog "The encryption process has not completed, unable to add user at this time." with title "Disk is not encrypted" buttons {"Quit"}'
exit 2
fi

# Get the logged in user's password via prompt
echo "Prompting ${userName} for his/her login password."
userPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter the password for user '${userName}':" default answer "" with title "Enable user '${userName}' for FileVault 2" with text buttons {"Submit"} default button 1 with hidden answer' -e 'text returned of result')"

echo "Adding user to FileVault 2 list."

# Create the plist file:
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>'$adminName'</string>
<key>Password</key>
<string>'$adminPass'</string>
<key>AdditionalUsers</key>
<array>
    <dict>
        <key>Username</key>
        <string>'$userName'</string>
        <key>Password</key>
        <string>'$userPass'</string>
    </dict>
</array>
</dict>
</plist>' > /tmp/fvenable.plist

# Enable FileVault 2 for the logged on user
fdesetup add -inputplist < /tmp/fvenable.plist

# Check if the user is successfully added to the FileVault 2 list
userCheck=`fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}'`
if [ "${userCheck}" != "${userName}" ]; then
echo "Failed to add user to FileVault 2 list."
osascript -e 'tell app "System Events" to display dialog "Failed to add user '${userName}' to FileVault 2 list." with title "Filevault 2 Failed" buttons {"Quit"}'
exit 3
fi

echo "${userName} has been added to the FileVault 2 list."
osascript -e 'tell app "System Events" to display dialog "'${userName}' has been added to the FileVault 2 list. Reboot required" with title "Well done, Bro.." buttons {"Hooray"}'

# Clean up
if [[ -e /tmp/fvenable.plist ]]; then
    srm /tmp/fvenable.plist
fi
exit 0

# Updating APFS preboot volume to enable all FV2 users to login
diskutil apfs updatepreboot /

# Restarting macOS
osascript -e 'tell app "loginwindow" to «event aevtrrst»'

exit 0

Nix4Life
Valued Contributor

hey AV,

is NoMaAD off the table?. This sounds like an exact use case.

AVmcclint
Honored Contributor

@txhaflaire I'll take a look at that script.
@Nix4Life We're using NoMAD but there is no option that I can find that says "sync Filevault password".

AVmcclint
Honored Contributor

@txhaflaire the script you provided seems to work, but it does still ask for the admin password. It isn't as automated as I was hoping for, but I can make this work.

cburk2018
New Contributor II

@txhaflaire This met my needs exactly - thanks for posting :).

rmacalpine
New Contributor II

@txhaflaire This seems to be working for me, thank you for your work and for sharing!

swapple
Contributor III

does this work with mojave and catalina?

ThijsX
Valued Contributor
Valued Contributor

Mojave works, remodding it for zsh on Catalina

koalatee
Contributor II

If you just need to update the filevault password (and know the old), can use this: https://github.com/koalatee/scripts/blob/master/macOS/changeAPFSPassphrase.sh

But yes, many times I find that you we need to remove/re-add the user to filevault because the changePassphrase command doesn't think the working password is correct.