Best approach to reset a PW *and* enable it for FV?

Taylor_Armstron
Valued Contributor

Hit a snag last week that we didn't realize at first.

So all machines in "Department A" have a local admin account for helpdesk use; we'll call it "Admin". This policy is enabled for FV access on the laptops, again, for helpdesk troubleshooting use as needed.

Due to staff turnover, we changed the password via a Casper policy. All appeared to go well, until this week when machines started being rebooted. It appears that FileVault is still unlockable by the OLD password, but not by the new one.

When setting up a policy, under the "Local Accounts" section, you can choose "Reset account password", but there is no option there to enable for FV... that checkbox only exists if you tell it to "Create account". But if I select that, and attempt to "over-write" an existing account, I get an error.

Anyone have recommendations for the best approach here? This was only one department, but I anticipate this being a semi-regular request from other departments over time.


thoule
Valued Contributor II

I use fdesetup to change it. First I create a second account, then enable it for FileVault. Then remove the account with the bad password. Then I add that Admin account back in. Finally, I delete my temp account. You can script this all backend if you know the existing FileVault password.

1) Add a user and add it to FileVault

/usr/local/bin/jamf createAccount -username fdetemp -realname EncryptionTemp -password abcdefg1

Create an XML file to add the temp user to FV.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>Admin</string>
<key>Password</key>
<string>OldFVPasswordGoesHere</string>
<key>AdditionalUsers</key>
<array>
    <dict>
        <key>Username</key>
        <string>fdetemp</string>
        <key>Password</key>
        <string>abcdefg1</string>
    </dict>
</array>
</dict>
</plist>

Apply that XML file

fdesetup add -inputplist < /tmp/xmlfile.xml

2) Delete the bad user from FileVault

fdesetup remove -user Admin

3) Generate an XML file, then add Admin back with the good password

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>fdetemp</string>
<key>Password</key>
<string>abcdefg1</string>
<key>AdditionalUsers</key>
<array>
    <dict>
        <key>Username</key>
        <string>Admin</string>
        <key>Password</key>
        <string>NewPassGoesHere</string>
    </dict>
</array>
</dict>
</plist>

Apply that XML file

fdesetup add -inputplist < /tmp/xmlfile.xml

Delete the temp user

/usr/local/bin/jamf deleteAccount -username fdetemp -deleteHomeDirectory
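The steps above wrapped in one script, as an added example (not thoule's own code and not Jamf's): FileVault secrets reach fdesetup on stdin as a plist rather than on the command line, XML specials in passwords are escaped, the temp user is removed from FileVault and deleted even if a step fails, and the result is checked with fdesetup list. It assumes a root shell on the Mac and the jamf binary path used in the thread.

```bash
#!/bin/bash
# Added example, not thoule's script: rotate an account's FileVault credential via a
# temporary user. Assumes macOS as root, fdesetup, and the jamf binary path from the thread.
# FileVault secrets reach fdesetup on stdin as a plist, so they are not exposed in argv.
set -eu
TMP_USER=fdetemp

# Escape XML specials so a password containing & or < cannot corrupt the plist.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Plist for "fdesetup add -inputplist": $1/$2 = an already FV-enabled user and its
# password, $3/$4 = the user to enable. Same layout as the plists in the thread.
make_fv_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$(xml_escape "$1")</string>
    <key>Password</key><string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array><dict>
        <key>Username</key><string>$(xml_escape "$3")</string>
        <key>Password</key><string>$(xml_escape "$4")</string>
    </dict></array>
</dict>
</plist>
EOF
}

# rotate_fv_password ADMIN OLD_FV_PW NEW_PW: the local password was already reset by
# policy; FileVault still holds the old secret, so drop and re-enrol the account.
rotate_fv_password() {
    local admin="$1" old_pw="$2" new_pw="$3" tmp_pw
    tmp_pw=$(openssl rand -base64 18)
    # Whatever happens, the temp account leaves FileVault and is deleted, so no extra FV user remains.
    trap 'fdesetup remove -user "$TMP_USER" >/dev/null 2>&1 || true;
          /usr/local/bin/jamf deleteAccount -username "$TMP_USER" -deleteHomeDirectory' EXIT
    /usr/local/bin/jamf createAccount -username "$TMP_USER" -realname EncryptionTemp -password "$tmp_pw"
    make_fv_plist "$admin" "$old_pw" "$TMP_USER" "$tmp_pw" | fdesetup add -inputplist
    fdesetup remove -user "$admin"
    make_fv_plist "$TMP_USER" "$tmp_pw" "$admin" "$new_pw" | fdesetup add -inputplist
    # Verify before returning: the account must be back on the FileVault user list.
    fdesetup list | grep -q "^${admin},"
}

# Guarded so the file can be sourced (e.g. for testing) without touching FileVault.
if [ "${FV_ROTATE_RUN:-0}" = "1" ]; then rotate_fv_password "$@"; fi
```

Run it as `FV_ROTATE_RUN=1 ./rotate_fv.sh Admin 'OldFVPassword' 'NewPassword'`; a non-zero exit means a step failed and the temp user was cleaned up by the trap.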

Taylor_Armstron
Valued Contributor

Thanks.... that ought to do the trick.

Ugh. Hey JAMF - how about a checkbox? ;)

I'll take a look. Fortunately the username is the same across departments, just the PW that changes, so setting a template up wouldn't be too onerous.