Posted on 10-04-2022 08:44 AM
Hello guys! I'm new to the community and kinda new to Jamf Pro itself.
Could someone please assist me with the following feature implementation?
We have 2 local accounts created by a policy for our MacBooks (besides the end user's). They are: LAPS, configured with this script, and a local admin with a shared company-admins password.
The FileVault enabling policy is now configured to Apply Disk Encryption Configuration, Default FileVault Policy, Require FV2 at next login. This policy is scoped to a smart computer group with the following criteria: FileVault 2 Partition Encryption State is not Encrypted.
My question is: what's the best way to activate FileVault for LAPS and the second local admin without any end-user notification?
Thanks in advance.
Posted on 10-05-2022 04:38 AM
Put the admin accounts on the device BEFORE FileVault is enabled and they should get a FileVault token when FileVault is enabled. If timing is an issue, you may want to give a longer grace period than next login.
Posted on 10-20-2022 09:05 AM
Have you had good luck with that script on all devices? I'm searching for a similar solution.
Posted on 10-27-2022 03:53 AM
@SGamgee, https://github.com/NU-ITS/LAPSforMac - this one is working perfectly.
Regarding FV enabling for those users: I had to move it to the backlog for now.
Posted on 01-18-2023 08:33 PM
Adding an update here:
I investigated LAPS solutions and here's my conclusion:
- https://github.com/NU-ITS/LAPSforMac - last updated 6 years ago; it sends the new password with a curl PUT -d via HTTPS.
- https://marketplace.jamf.com/details/easylaps - a paid one.
- https://github.com/PezzaD84/macOSLAPS - the best one at first sight because it uses curl via HTTPS plus a crypt key and secret pair stored in Jamf. Unfortunately, the password itself can only be seen via a GUI application for macOS. Moreover, I'm not sure this solution works properly with Secure Token, bootstrap token, and volume ownership.
Our users are currently local admins with some restrictions via Jamf policy (they could remove those restrictions manually as they are full root users, I guess).
Never mind; it seems the best option for me is to have a backup FV-enabled local admin with a constant password.
I was looking for a way to create that user easily but didn't find a proper solution.
The best one I see is to execute the following from Jamf:
fdesetup add -usertoadd username
but the terminal then requires the username and password to be typed manually. Do you guys know if there's a way to redirect the username and password to stdin (with a wait, I guess)?
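One way to answer the stdin question, as an added example that is not code from the thread: fdesetup accepts its credentials as a property list on standard input when run with -inputplist, so no interactive typing is needed and the passwords never appear on the command line. The account names fvadmin/newadmin and the helper names are assumptions; the script must run as root on the Mac.

```shell
#!/bin/sh
# Added example: enable a second local admin for FileVault non-interactively.
# Assumes an existing account that already holds a FileVault (Secure Token) key
# and knowledge of both passwords; names below are hypothetical.

# Passwords may contain XML-significant characters; escape them so the plist parses.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Build the plist fdesetup expects: the enabling (existing) user plus the user to add.
# $1 existing FV user, $2 its password, $3 user to add, $4 that user's password
build_fv_plist() {
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<plist version="1.0">' \
        '<dict>' \
        "  <key>Username</key><string>$(xml_escape "$1")</string>" \
        "  <key>Password</key><string>$(xml_escape "$2")</string>" \
        '  <key>AdditionalUsers</key>' \
        '  <array>' \
        '    <dict>' \
        "      <key>Username</key><string>$(xml_escape "$3")</string>" \
        "      <key>Password</key><string>$(xml_escape "$4")</string>" \
        '    </dict>' \
        '  </array>' \
        '</dict>' \
        '</plist>'
}

# Pipe the plist into fdesetup on stdin; returns fdesetup's exit status.
enable_fv_user() {
    build_fv_plist "$1" "$2" "$3" "$4" \
        | /usr/bin/fdesetup add -usertoadd "$3" -inputplist
}

# Verify afterwards: fdesetup list prints one "username,UUID" line per enabled user.
is_fv_enabled() {
    /usr/bin/fdesetup list | grep -q "^$1,"
}

# Example call (hypothetical accounts): enable_fv_user fvadmin "$FV_PW" newadmin "$NEW_PW"
```

When run as a Jamf policy script the four values would arrive as script parameters, which are briefly visible as process arguments of the script itself, so keep the enabling account's password a rotated secret rather than a permanent one embedded in the policy.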