Automatically enable new Users for FV2

maiksanftenberg
Contributor II

Hi all.

I wonder if there is any workaround to enable new users for FileVault if the management account is enabled for FileVault?
I looked through a lot of stuff, but you always need to provide the password of the management account (which is a randomly generated one in our case).

All ideas are welcome.

Thanks


rtrouton
Release Candidate Programs Tester

@maik.sanftenberg,

Are these local users or mobile network users?

maiksanftenberg
Contributor II

These are AD users with a local home folder.

rtrouton
Release Candidate Programs Tester

OK. In that case, you'll need to provide their individual account's password as part of the enabling process. You may be able to script something in Self Service to help your folks with that.

jcurrin
New Contributor III

Write a script auto enabling FV2 upon login. You can use JAMFHelper to post a rather annoying non-dismissable message which tells the user to restart so that FV can complete. It has been very successful for us.

thoule
Valued Contributor II

I have a tool I've written which takes a local account profile and converts it to an AD account. If FileVault is enabled, the AD user should get FileVault access as well. There's a dmg in the repo so you don't have to compile. https://github.com/tmhoule/ProfileMigration
It does not have any checks for situations such as where a username is different from a home directory. It also assumes the AD user hasn't logged in (i.e. a profile doesn't exist for that user already). But for a version 1.0 it works well for us. Feel free to experiment.

maiksanftenberg
Contributor II

@jcurrin I found a nice script here in the community: https://jamfnation.jamfsoftware.com/discussion.html?id=12143.
But this would require providing the password of the management account.
Any other ideas or suggestions on the script?

I'm sorry, I'm not that good at scripting...

stevewood
Honored Contributor II

@maik.sanftenberg While that script does require passing the management account and password, that is passed as a variable from the JSS so it is not stored in the logs. The plist file is deleted once FileVault uses it, or you can place it in /tmp and it will be erased when the system restarts. So if you place a reboot into your script, the machine can reboot immediately and erase that plist file.

If you know the recovery key for the system, rather than passing the management account and password, you could use the recovery key. I've never done it this way, but I'm sure @rtrouton might have an idea of how to do this and how to gather the recovery key to use.
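The plist-driven fdesetup flow stevewood describes above, as an added example that is not code from the thread or from the linked script: the management credentials and the new user's credentials arrive as script parameters, are written to a mode-0600 temp file for `fdesetup add -inputplist`, and the file is removed as soon as fdesetup returns rather than waiting for a reboot. The parameter positions ($4-$7) and the `FDESETUP` override are assumptions of this example.

```shell
#!/bin/sh
# Added example: enable an additional FileVault 2 user via fdesetup's input plist.
# Assumed Jamf parameter layout: $4/$5 = enabled (management) user and password,
# $6/$7 = user to add and their password (e.g. prompted in Self Service).
set -u
FDESETUP="${FDESETUP:-/usr/bin/fdesetup}"   # overridable so the helpers can be tested off-Mac

# Escape characters that would break the XML plist if they occur in a password.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Write the "-inputplist" document to a temp file (mktemp creates it 0600) and
# print its path. Args: enabled_user enabled_pass new_user new_pass
build_fv_plist() {
    plist=$(mktemp "${TMPDIR:-/tmp}/fvenable.XXXXXX") || return 1
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$(xml_escape "$1")</string>
    <key>Password</key><string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key><string>$(xml_escape "$3")</string>
            <key>Password</key><string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
    printf '%s\n' "$plist"
}

# Feed the plist to fdesetup on stdin (nothing appears in argv or the jamf log)
# and delete it whether or not fdesetup succeeds.
enable_fv_user() {
    plist=$(build_fv_plist "$@") || return 1
    trap 'rm -f "$plist"' EXIT INT TERM
    "$FDESETUP" add -inputplist < "$plist"
    rc=$?
    rm -f "$plist"
    trap - EXIT INT TERM
    return "$rc"
}
if [ "$#" -ge 7 ]; then
    enable_fv_user "$4" "$5" "$6" "$7"
fi
```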