Question

Enable filevault for local admin users


  • New Contributor
  • 8 replies

Hello guys! I'm new to the community and kinda new to Jamf Pro itself.

Could someone probably assist me with the next feature implementation?

We have 2 local accounts created by a policy for our MacBooks (besides the end-user's). They are: LAPS configured with this script, and a local admin with a company admins shared password.

The FileVault enabling policy is now configured to Apply Disk Encryption Configuration, Default FileVault Policy, Require FV2 at next login. This policy is scoped to a Smart Computer Group with the next criterion: FileVault 2 Partition Encryption State is not Encrypted.

My question is: what's the best way to activate FileVault for LAPS and the second local admin without any end-user notification?

Thanks in advance.

4 replies

AJPinto
  • Legendary Contributor
  • 2725 replies
  • October 5, 2022

Put the admin accounts on the device BEFORE FileVault enables and they should get a FileVault token when FileVault is enabled. If timing is an issue you may want to give more of a grace period than next login.


SGamgee
  • New Contributor
  • 1 reply
  • October 20, 2022

Have you had good luck with that script on all devices? I'm searching for a similar solution.


  • Author
  • New Contributor
  • 8 replies
  • October 27, 2022

@SGamgee https://github.com/NU-ITS/LAPSforMac - this one is working perfectly.

Regarding FV enabling for those users - had to move it to backlog at the moment.


  • Author
  • New Contributor
  • 8 replies
  • January 19, 2023

Adding an update here:

I investigated LAPS solutions and here's my conclusion:

It was last updated 6 years ago: https://github.com/NU-ITS/LAPSforMac

It sends the new password with a curl PUT -d over HTTPS.

https://marketplace.jamf.com/details/easylaps - a paid one.

https://github.com/PezzaD84/macOSLAPS - the best one at first sight because it uses curl over HTTPS plus a crypt key and secret pair stored in Jamf. Unfortunately, the password itself can only be seen via a GUI application for macOS. Moreover, I'm not sure this solution works properly with Secure Token, bootstrap token, and volume ownership.

Our users are currently local admins with some restrictions via Jamf policy (they could remove those restrictions manually as they are full root users, I guess).

nvm, it seems like the best option for me is to have a backup FV-enabled local admin with a constant password.

I was looking for a way to create that user easily but didn't find a proper solution.

The best one I see is to execute the following from Jamf:

fdesetup add -usertoadd username

but the terminal requires the username and password to be typed manually after that. Do you guys know if there's a way to redirect the username and password to stdin (with wait, I guess)?


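Added example, not from the thread or from any of the linked projects: the stdin route the last post asks about. `fdesetup add -inputplist` reads the authorising user and the account to enable from a plist on standard input, so the credentials never appear on the command line (and therefore not in `ps` output). It assumes a Jamf policy script run as root with parameters $4 = an existing FileVault-enabled admin, $5 = its password, $6 = the backup local admin to enable, $7 = that account's password; those positions and names are assumptions.

```shell
#!/bin/bash
# Added example (not the thread's code). Jamf policy script, run as root, with
# $4 = FileVault-enabled admin, $5 = its password, $6 = account to enable,
# $7 = that account's password (assumed parameter positions).
# fdesetup takes the credentials from a plist on stdin, keeping them out of `ps`.

# Escape the characters that would break the plist if a password contains them.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist `fdesetup add -inputplist` expects: the authorising user,
# who must already hold a FileVault token, plus an AdditionalUsers array.
build_fdesetup_plist() {
  local auth_user auth_pass new_user new_pass
  auth_user=$(xml_escape "$1"); auth_pass=$(xml_escape "$2")
  new_user=$(xml_escape "$3");  new_pass=$(xml_escape "$4")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>${auth_user}</string>
  <key>Password</key><string>${auth_pass}</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>${new_user}</string>
      <key>Password</key><string>${new_pass}</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# True when the account already appears in `fdesetup list` (lines are "user,UUID").
fv_user_enabled() {
  fdesetup list 2>/dev/null | cut -d, -f1 | grep -qx "$1"
}

main() {
  local auth_user="$4" auth_pass="$5" new_user="$6" new_pass="$7"
  if fv_user_enabled "$new_user"; then
    echo "$new_user already has a FileVault token; nothing to do"; return 0
  fi
  build_fdesetup_plist "$auth_user" "$auth_pass" "$new_user" "$new_pass" | fdesetup add -inputplist
  fv_user_enabled "$new_user" || { echo "fdesetup did not enable $new_user" >&2; return 1; }
}
# Only run when Jamf supplied the four parameters ($1-$3 are always passed by Jamf).
if [ "$#" -ge 7 ]; then main "$@"; fi
```

The final `fdesetup list` check is what tells you the token was actually granted; a wrong authorising password makes `fdesetup add` fail without touching the target account.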

