Enable filevault for local admin users

n123
New Contributor

Hello guys! I'm new to the community and kinda new to jamf pro itself.

Could probably someone assist me with the next feature implementation.

We have 2 local accounts created by a policy for our macbooks (besides the end-user's). They are: LAPS configured with this script and a local admin with a company admins shared password.

Filevault enabling policy is now configured to Apply Disk Encryption Configuration, Default Filevault Policy, Requires fv2 At next login. This policy affects the scope of a Smart computer group with the next criteria:  FileVault 2 Partition Encryption State is not Encrypted.

My question is: what's the bets way to activate FileVault for laps and the second local admin without any end-user notification?

Thanks in advance.

4 REPLIES 4

AJPinto
Honored Contributor III

Put the admin accounts on the device BEFORE FileVault enables and they should get a FileVault token when FileVault is enabled. If timing is an issue you may want to give more of a grace period than next login.

SGamgee
New Contributor

Have you had good luck with that script on all devices?  I'm searching for a similar solution.

n123
New Contributor

@SGamgeehttps://github.com/NU-ITS/LAPSforMac - this one is working perfectly.

Regarding FV enabling for those users - had to move it to backlog at the moment.

n123
New Contributor

Adding an update here:

Investigated laps solutions and here's my conclusion:

was updated 6 years ago last time: https://github.com/NU-ITS/LAPSforMac

it sends a new password with a curl PUT -d via https

https://marketplace.jamf.com/details/easylaps - paid one

https://github.com/PezzaD84/macOSLAPS - best one on the first sight because of using curl via https + crypt key and secret pair stored at jamf. Unfortunately, password itself could be seen only via a GUI application for macos. Moreover, not sure this solution works properly with Secure Token, bootstrap token, and volume ownership.

Our users are currently local admins with some restrictions via jamf policy (they could remove those restrictions manually as they are full root users, I guess).

nvm, seems like the best option for me is to have a backup fv-enabled local admin with a constant password.

I was looking the way to make that user easily but didn't find a proper solution.

The best one I see is to execute the next from Jamf:

 

fdesetup add -usertoadd username

 

but terminal requires username and password to be typed manually after that. Don't you guys know if there's a way to redirect username and password to stdin (with wait, I guess)?