Posted on 10-29-2014 01:40 AM
Hi all.
I wonder if there is any workaround to enable new users for FileVault if the management account is enabled for FileVault?
I looked through a lot of stuff, but you always need to provide the password of the management account (which is a randomly generated one in our case).
All ideas are welcome.
Thanks
Posted on 10-29-2014 04:55 AM
Are these local users or mobile network users?
Posted on 10-29-2014 04:57 AM
These are AD users with a local home folder.
Posted on 10-29-2014 05:23 AM
OK. In that case, you'll need to provide their individual account's password as part of the enabling process. You may be able to script something in Self Service to help your folks with that.
Posted on 10-29-2014 10:39 AM
Write a script auto enabling FV2 upon login. You can use JAMFHelper to post a rather annoying non-dismissable message which tells the user to restart so that FV can complete. It has been very successful for us.
Posted on 10-29-2014 11:50 AM
I have a tool I've written which takes a local account profile and converts it to an AD account. If FileVault is enabled, the AD user should get FileVault access as well. There's a dmg in the repo so you don't have to compile.
https://github.com/tmhoule/ProfileMigration
It does not have any checks for situations such as where a username is different from a home directory. It also assumes the AD user hasn't logged in (i.e. a profile doesn't exist for that user already). But for a version 1.0 it works well for us. Feel free to experiment.
Posted on 10-30-2014 02:58 AM
@jcurrin I found a nice script here in the community: https://jamfnation.jamfsoftware.com/discussion.html?id=12143
But this would require providing the password of the management account.
Any other ideas or suggestions on the script?
I'm sorry, I'm not that good at scripting...
Posted on 10-30-2014 06:38 AM
@maik.sanftenberg While that script does require passing the management account and password, that is passed as a variable from the JSS so it is not stored in the logs. The plist file is deleted once FileVault uses it, or you can place it in /tmp and it will be erased when the system restarts. So if you place a reboot into your script, the machine can reboot immediately and erase that plist file.
If you know the recovery key for the system, rather than passing the management account and password, you could use the recovery key. I've never done it this way, but I'm sure @rtrouton might have an idea of how to do this and how to gather the recovery key to use.
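As an added example that is not part of any post above (and not the script linked in the thread), the following sketches the approach the last two replies describe: a Jamf policy script that passes the FileVault-enabled management credentials and the new user's credentials through an input plist to `fdesetup add -inputplist`, keeps the plist in a 0600 file under /tmp, and removes it as soon as `fdesetup` returns. The parameter mapping ($4 to $7), the policy invocation and the sample credentials are assumptions chosen for the example; the plist keys (`Username`, `Password`, `AdditionalUsers`) are the ones documented for `fdesetup`. It also XML-escapes the values, since a randomly generated password containing `&` or `<` would otherwise produce an invalid plist.

```shell
#!/bin/bash
# Added example, not code from the thread. Assumed Jamf parameter mapping:
#   $4 = FileVault-enabled management account   $5 = its password (from the JSS)
#   $6 = user to enable for FileVault           $7 = that user's password
set -u

# Escape the five XML special characters so a password containing & < > " '
# cannot break the plist that fdesetup parses.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Print the input plist fdesetup expects: the already-enabled account authorises,
# AdditionalUsers lists the account being added.
build_fv_plist() {
    local admin_user admin_pass new_user new_pass
    admin_user=$(xml_escape "$1"); admin_pass=$(xml_escape "$2")
    new_user=$(xml_escape "$3");   new_pass=$(xml_escape "$4")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>${admin_user}</string>
    <key>Password</key>
    <string>${admin_pass}</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>${new_user}</string>
            <key>Password</key>
            <string>${new_pass}</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Returns 0 if the user is already FileVault-enabled ("fdesetup list" prints user,UUID lines).
fv_user_enabled() {
    fdesetup list 2>/dev/null | cut -d, -f1 | grep -qx "$1"
}

# Write the plist to a 0600 temp file, feed it to fdesetup on stdin, then delete it
# whether or not fdesetup succeeded; the secrets never appear on a command line.
enable_fv_user() {
    local admin_user=$1 admin_pass=$2 new_user=$3 new_pass=$4 plist rc
    if fv_user_enabled "$new_user"; then
        echo "$new_user is already enabled for FileVault"
        return 0
    fi
    plist=$(mktemp /tmp/fvadd.XXXXXX) || return 1
    chmod 600 "$plist"
    build_fv_plist "$admin_user" "$admin_pass" "$new_user" "$new_pass" > "$plist"
    fdesetup add -inputplist < "$plist"
    rc=$?
    rm -f "$plist"
    return $rc
}

# Only run for real when Jamf supplies all four parameters on a Mac that has fdesetup.
if [ $# -ge 7 ] && command -v fdesetup >/dev/null 2>&1; then
    enable_fv_user "$4" "$5" "$6" "$7"
fi
```

The user's own password still has to come from somewhere, as the earlier reply notes; a Self Service policy that prompts for it (for example with a small AppleScript or jamfHelper dialog) and passes it in as a parameter is the usual pattern, and a reboot at the end of the policy both lets FileVault finish and clears /tmp.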