Question

Enable additional FileVault 2 users via script



Hi all.

We have an Institutional Key infrastructure for our 10.9 clients. At the moment we are in the middle of a project to enable AD binding and logon.

Some of these machines have a local account that is the same as their AD account.
During the binding process we delete the local account and change permissions on the user folder.

A problem we face is that, after the first login, we want to allow these users to enable themselves as FileVault 2 enabled users (not all are admins).
What is the best way to do this?

Thanks for suggestions.

13 replies

  • Contributor
  • 437 replies
  • June 18, 2014

If the Mac is already encrypted you'll need to do some work before deleting the existing local account. You'd want to create a temporary account, enable that temp account for FV2 using the existing local account, then delete the existing local account, then cache the user's AD account, then use the temp account to enable the AD account, and finally delete the temp account.
FUN!!!!
But it does work; we use that workflow in production to convert local users over to AD when FV2 is already enabled.


  • Contributor
  • 286 replies
  • June 18, 2014

Perhaps instead of deleting the local account, you can change the password. That way you have a fallback plan if any machines fail to grant access to the new AD user.


  • Contributor
  • 437 replies
  • June 18, 2014

We do both: our script backs up the existing home directory and dumps the local account from DSCL before deleting it. If the AD caching fails for any reason, we recreate the account from the DSCL dump and move the home dir back into place. I didn't want to have 2 accounts with the same name on the system at the same time, too much potential for confusion.


  • Author
  • Valued Contributor
  • 99 replies
  • June 19, 2014

@nkalister are you maybe able to share some of your scripts/workflows?
At the moment I'm a little bit stuck...

Thanks


  • Contributor
  • 29 replies
  • August 11, 2014

Hi. Not sure if you have tried this, but I have a policy, either in Self Service or triggered at logout; when the user logs out for the first time they will be asked for their password, then encryption will begin.
All the user will need to do once is enter their user account password.

Requirements: Casper 8.73/9.3, OS X 10.8.5 and 10.9.


  • Contributor
  • 589 replies
  • August 11, 2014

I've been working on this project for the last week. Nobody here uses AD binding and I want to roll it out. Some machines are using a local account with the same ID as their network name and others are not.

Currently I have two processes
1) on Unencrypted machines, I have a bind process that runs. It also installs an app I wrote (https://github.com/tmhoule/MigrateProfile) which moves the /Users/local to /Users/networkid and changes permissions. It also deletes the local account and gives admin rights to the user. Then the user logs in with AD creds, and gets their familiar desktop, etc.

2) on Encrypted machines, the local account is renamed to end with ".x". The machine is bound, home directory migrated as above, and rebooted. The user logs in with 'oldid.x', to get past FileVault. Then logs out, logs in with AD creds, and enables their account for FileVault and deletes the old local account. A very ugly situation.

I'm trying to get Security to approve turning off FileVault while the machine is bound, but that needs a review process. Sadly, I found that I can't re-enable FileVault until it is fully decrypted and rebooted.


KyleEricson
  • Valued Contributor
  • 444 replies
  • February 14, 2018

I have tried this on Mac OS X 10.13.3 and it errors out with this:

```text
Script result: spawn /usr/bin/fdesetup add -usertoadd

Error: Unrecognized option argument.

send: spawn id exp87 not open
 while executing
"send -- Mypassword "

usage: grep [-abcDEFGHhIiJLlmnOoqRSsUVvwxZ] [-A num] [-B num] [-C[num]]
 [-e pattern] [-f file] [--binary-files=value] [--color=when]
 [--context[=num]] [--directories=action] [--label] [--line-buffered]
 [--null] [pattern] [file ...]
Failed :(
```

https://github.com/UoE-macOS/jss/blob/master/coreconfig-filevault-add-mgmt-acct.sh


  • Contributor
  • 437 replies
  • February 14, 2018

You should probably edit that post, @kerickson; it looks like you posted a password there.
For 10.13 the prompts have changed and the expect section needs to send the user name first, then the password.

```bash
if [[ $OS -ge 9 ]] && [[ $OS -lt 13 ]]; then
    ## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output
    ## (the inner quotes are escaped so they survive the bash double-quoted string; the Tcl braces keep
    ## special characters in the password from being interpreted)
    expect -c "
    log_user 0
    spawn fdesetup changerecovery -personal
    expect \"Enter a password for '/', or the recovery key:\"
    send {${userPass}}
    send \n
    log_user 1
    expect eof
    "
elif [[ $OS -ge 13 ]]; then
    ## 10.13+ asks for the user name before the password
    expect -c "
    log_user 0
    spawn fdesetup changerecovery -personal
    expect \"Enter the user name:\"
    send {${userName}}
    send \n
    expect \"Enter a password for '/', or the recovery key:\"
    send {${userPass}}
    send \n
    log_user 1
    expect eof
    "
else
    echo "OS version not 10.9+ or OS version unrecognized"
    echo "$(/usr/bin/sw_vers -productVersion)"
    exit 5
fi
```

  • Contributor
  • 437 replies
  • February 14, 2018

Oops, I tagged the wrong user!
@kericson: you probably should remove the PW from your post.


KyleEricson
  • Valued Contributor
  • 444 replies
  • February 14, 2018

@nkalister thanks I’ll try that.


KyleEricson
  • Valued Contributor
  • 444 replies
  • February 15, 2018

@nkalister I tried what you posted and it said my OS 10.13.3 was not recognized. I modified the script like you said and it failed too.

```bash
#!/bin/sh
# current_user, mgmt_user and mgmt_pass are expected to be set earlier in the script
# (the full version sets them from the Jamf script parameters $3, $4 and $5).

get_password() {
    logger "$0: Asking for password"
    # Prompt the logged-in user for a FileVault-capable password via an AppleScript dialog
    pwd="$(sudo -u "${current_user}" osascript << EOF
repeat while application "Finder" is not running
    delay 1
end repeat
tell application "Finder"
    activate
    with timeout of 36000 seconds
        set the_result to (display dialog "The Mac Supported Desktop requires access to the FileVault encryption on this computer to back up its encryption key.

Enter the password of an account which can unlock FileVault on this computer (this may be your own logon password).

Our use of this password is secure, and used only to safely gather the Filevault key. The password you type is not stored in any way. If you are unsure how to proceed, or want more information, contact the IS Helpline on 0131 6515151 advising that you are receiving this message." ¬
            buttons {"Accept"} default button 1 with title "University of Edinburgh Mac Supported Desktop" default answer "" with hidden answer)
        set the_answer to text returned of the_result
    end timeout
end tell
return the_answer
EOF
)"
    if [ -z "${pwd}" ]
    then
        false
    else
        echo "${pwd}"
    fi
}
user_pwd="$(get_password)"
# Try enabling filevault
/usr/bin/expect -f- << EOT
    spawn /usr/bin/fdesetup add -usertoadd "${mgmt_user}";
    expect "Enter the username for the added user '${mgmt_user}':*"
    send -- $(printf '%q' "${mgmt_pass}")
    send -- "\n"
    expect "Enter a password for '/', or the recovery key:*"
    send -- $(printf '%q' "${user_pwd}")
    send -- "\n"
    expect eof;
EOT
# Did we succeed?
if fdesetup list | grep -q "${mgmt_user}"
then
    echo "Success!"
    # Report our new-found success to the JSS
    /usr/local/bin/jamf recon
    exit 0
else
    echo "Failed :("
    exit 255
fi
```

  • Contributor
  • 437 replies
  • February 15, 2018

@kericson the code I posted requires the script to determine the OS that's running on the Mac. I don't see anything in what you posted that gets the OS version (is that your whole script?). If you're always getting OS unrecognized it's because the if statement at the top of that snippet doesn't have the OS variable populated.
For this script, the OS variable gets populated by

```bash
OS=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $2}')
```

The script I use is a little different from what you're doing: since I have my management account enabled for FV, I know the username and password that need to be used, so I don't have to prompt the user for anything. Hopefully it's still helpful to see all this in context. I replaced any sensitive info in the script with <removed>.

```bash
#!/bin/bash

####################################################################################################
#
# Copyright (c) 2013, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#   * Redistributions of source code must retain the above copyright
#     notice, this list of conditions and the following disclaimer.
#   * Redistributions in binary form must reproduce the above copyright
#     notice, this list of conditions and the following disclaimer in the
#     documentation and/or other materials provided with the distribution.
#   * Neither the name of the JAMF Software, LLC nor the
#     names of its contributors may be used to endorse or promote products
#     derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# Description
#
# The purpose of this script is to allow a new individual recovery key to be issued
# if the current key is invalid and the management account is not enabled for FV2,
# or if the machine was encrypted outside of the JSS.
#
# First put a configuration profile for FV2 recovery key redirection in place.
# Ensure keys are being redirected to your JSS.
#
####################################################################################################
#
# HISTORY
#
# -Created by Sam Fortuna on Sept. 5, 2014
# -Updated by Sam Fortuna on Nov. 18, 2014
#   -Added support for 10.10
# -Updated by Sam Fortuna on June 23, 2015
#   -Properly escapes special characters in user passwords
# -Updated by Nick Kalister on Feb 2, 2018
#   -Added support for 10.13, encrypted string for pw and made script run silently.
#
####################################################################################################
#
## Get the logged in user's name
userName=<removed>

## Get the OS version (minor number of the 10.x release, e.g. 13 for 10.13.3)
OS=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $2}')

## This first sanity check makes sure the management account is already authorized for FileVault 2
userCheck=$(fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}')
if [ "${userCheck}" != "${userName}" ]; then
    echo "<removed> is not a FileVault 2 enabled user."
    exit 3
fi

## Check to see if the encryption process is complete
encryptCheck=$(fdesetup status)
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
    echo "The encryption process has not completed."
    echo "${encryptCheck}"
    exit 4
fi

## Get the authorized account's password via encrypted JSS parameter
SALT=<removed>
K=<removed>
userPass="$(echo "${4}" | /usr/bin/openssl enc -aes256 -d -a -A -S "$SALT" -k "$K")"
# sanity check the decrypted string
if [[ "$userPass" == "" ]]; then
    echo "userpass did not successfully decrypt, exiting"
    exit 1
else
    echo "Issuing new recovery key"
fi

if [[ $OS -ge 9 ]] && [[ $OS -lt 13 ]]; then
    ## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output
    ## (inner quotes are escaped for the bash double-quoted string; Tcl braces keep password characters literal)
    expect -c "
    log_user 0
    spawn fdesetup changerecovery -personal
    expect \"Enter a password for '/', or the recovery key:\"
    send {${userPass}}
    send \n
    log_user 1
    expect eof
    "
elif [[ $OS -ge 13 ]]; then
    ## 10.13+ asks for the user name before the password
    expect -c "
    log_user 0
    spawn fdesetup changerecovery -personal
    expect \"Enter the user name:\"
    send {${userName}}
    send \n
    expect \"Enter a password for '/', or the recovery key:\"
    send {${userPass}}
    send \n
    log_user 1
    expect eof
    "
else
    echo "OS version not 10.9+ or OS version unrecognized"
    echo "$(/usr/bin/sw_vers -productVersion)"
    exit 5
fi

exit 0
```
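As an added example (not code from the thread, the JAMF script or the UoE script), here are the two checks the scripts in this thread depend on, rewritten as functions that take their input as arguments so they can be exercised on constructed strings without a Mac: the OS branch selection that the `OS=` line above feeds, and an exact-match version of the `fdesetup list | grep -q $mgmt_user` success test used in the add-management-account script. The version handling goes beyond the thread by also covering macOS 11+, where the major number is no longer 10. It assumes only that `fdesetup list` prints one `username,UUID` line per enabled user.

```bash
#!/bin/bash
# Added example, not code from the thread: the two checks the scripts above lean on,
# written as functions that take their input as arguments so they can be exercised
# on constructed strings without a Mac or fdesetup.

# Decide which fdesetup prompt sequence applies to a `sw_vers -productVersion` string.
# The thread's `awk -F. '{print $2}'` only works for 10.x: on macOS 11+ the major
# version moves to the first field and "11.6" would be read as 6. Prints "legacy"
# (10.9-10.12), "modern" (10.13 and later, including 11+), or fails for anything else.
fdesetup_prompt_style() {
    local ver="$1" major minor
    major="${ver%%.*}"
    case "$ver" in
        *.*) minor="${ver#*.}"; minor="${minor%%.*}" ;;
        *)   minor=0 ;;
    esac
    case "$major" in
        10)
            if [ "$minor" -ge 13 ] 2>/dev/null; then echo modern
            elif [ "$minor" -ge 9 ] 2>/dev/null; then echo legacy
            else return 1; fi ;;
        1[1-9]|[2-9][0-9]) echo modern ;;
        *) return 1 ;;
    esac
}

# Exact-match test for a FileVault-enabled user. `fdesetup list` prints one
# "username,UUID" line per enabled user; `grep -q $user` on that output also
# matches "adminbackup" when asked about "admin", so compare the first field only.
fv_user_enabled() {
    local user="$1" listing="$2"
    printf '%s\n' "$listing" | awk -F, -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

# Constructed sample of `fdesetup list` output (the UUIDs are made up).
SAMPLE_FDESETUP_LIST='adminbackup,5E6D4C3B-0000-4000-8000-000000000001
jdoe,5E6D4C3B-0000-4000-8000-000000000002'

# Demo on the constructed data; on a real Mac pass "$(fdesetup list)" as the listing.
for v in 10.9.5 10.13.3 12.6.1 10.8.5; do
    echo "$v -> $(fdesetup_prompt_style "$v" || echo unsupported)"
done
for u in admin adminbackup jdoe; do
    if fv_user_enabled "$u" "$SAMPLE_FDESETUP_LIST"; then echo "$u: enabled"; else echo "$u: not enabled"; fi
done
```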

KyleEricson
  • Valued Contributor
  • 444 replies
  • February 15, 2018

I got this to work.
This is for Mac OS 10.13

```bash
#!/bin/bash

###################################################################
#
# If this script is running, filevault is
# enabled but we neither have a valid recovery
# key nor is our management account able to
# unlock the disk - we don't want to be in this
# situation so we try to persuade the user to give
# us credentials that will allow us to add the
# management user to filevault.
#
# Date: "Mon Sep 04 16:26:38 2016 +0100"
# Version: 0.1.4
# Origin: https://github.com/UoE-macOS/jss.git
# Released by JSS User: dsavage
#
##################################################################

# Jamf script parameters: $3 is the logged-in user, $4/$5 the management account
current_user="${3}"
mgmt_user="${4}"
mgmt_pass="${5}"

get_password() {
    logger "$0: Asking for password"
    # Prompt the logged-in user for their password via an AppleScript dialog
    pwd="$(sudo -u "${current_user}" osascript << EOF
repeat while application "Finder" is not running
    delay 1
end repeat
tell application "Finder"
    activate
    with timeout of 36000 seconds
        set the_result to (display dialog "The True IT Dept. requires access to the FileVault encryption on this computer to back up its encryption key.

Enter your own logon password.

Our use of this password is secure, and used only to safely gather the Filevault key. The password you type is not stored in any way. If you are unsure how to proceed, or want more information, contact the IT HelpDesk at 555-555-555 advise them that you are receiving this message." ¬
            buttons {"Accept"} default button 1 with title "IT Dept." default answer "" with hidden answer)
        set the_answer to text returned of the_result
    end timeout
end tell
return the_answer
EOF
)"
    if [ -z "${pwd}" ]
    then
        false
    else
        echo "${pwd}"
    fi
}
user_pwd="$(get_password)"
# Try enabling filevault (10.13 prompt order: user name, that user's password, then the added account's password)
/usr/bin/expect -f- << EOT
    spawn /usr/bin/fdesetup add -usertoadd "${mgmt_user}";
    expect "Enter the username '${current_user}':*"
    send -- $(printf '%q' "${current_user}")
    send -- "\n"
    expect "Enter the password '${user_pwd}':*"
    send -- $(printf '%q' "${user_pwd}")
    send -- "\n"
    expect "Enter a password for '/', or the recovery key:*"
    send -- $(printf '%q' "${mgmt_pass}")
    send -- "\n"
    expect eof;
EOT
# Did we succeed?
if fdesetup list | grep -q "${mgmt_user}"
then
    echo "Success!"
    # Report our new-found success to the JSS
    /usr/local/bin/jamf recon
    exit 0
else
    echo "Failed :("
    exit 255
fi
```
