Posted on 10-15-2018 02:21 AM
We are new to Jamf in our environment and we are in the process of enabling Disk Encryption. Now we have rolled out disk encryption policies for users on Sierra and High Sierra, where secure token does not have a role.
We have a local account on all the Macs which has a secure token and has the same password for all. I am looking for a script with which we can have credentials hardcoded and it should only prompt the logged-in users to enter their account password.
I would really appreciate it if someone could help me here.
Posted on 10-15-2018 02:36 AM
Here you go....
This will prompt the user for their password and enable secure token.
Put the admin details in the relevant parameters in the Policy and add this script.
```bash
#!/bin/bash
# Jamf policy parameters: $3 = logged-in user, $4 = admin user holding a secure token,
# $5 = admin password, $6 = extra user to remove from the FileVault-enabled list
adminUser="$4"
adminPassword="$5"
userName1="$3"
userName2="$6"

# Prompt the logged-in user for their account password (input hidden)
userPassword1=$(/usr/bin/osascript <<EOT
tell application "System Events"
    activate
    display dialog "To Enable Filevault, Please enter your login password:" default answer "" buttons {"Continue"} default button 1 with hidden answer
    if button returned of result is "Continue" then
        set pwd to text returned of result
        return pwd
    end if
end tell
EOT
)

separationLine() {
    echo "----------------------------------------------------------------------------------"
}

enableSecureToken() {
    separationLine
    echo "Enabling SecureToken for the currently logged in user account $userName1"
    sudo sysadminctl -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName1" -password "$userPassword1"
}

createPlist() {
    separationLine
    echo "Creating a PLIST containing the necessary administrator and user credentials"
    # the file holds plaintext passwords, so make it readable by root only
    umask 077
    cat > /private/tmp/userToAdd.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$adminUser</string>
    <key>Password</key>
    <string>$adminPassword</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$userName1</string>
            <key>Password</key>
            <string>$userPassword1</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

addUser() {
    separationLine
    echo "Adding the currently logged in user to the list of FileVault enabled users"
    sudo fdesetup add -i < /private/tmp/userToAdd.plist
}

enableFileVault() {
    separationLine
    echo "Enabling FileVault using a Personal Recovery Key"
    sudo fdesetup enable -inputplist < /private/tmp/userToAdd.plist
}

removeUser() {
    separationLine
    echo "Removing the specified user(s) from the list of FileVault enabled users."
    sudo fdesetup remove -user "$adminUser"
    sudo fdesetup remove -user "$userName2"
}

updatePreboot() {
    separationLine
    echo "Updating preboot"
    diskutil apfs updatePreboot /
}

cleanUp() {
    separationLine
    echo "Cleaning up temp files"
    rm -f /private/tmp/userToAdd.plist
}

createPlist
# grant the user a secure token before the FileVault steps
enableSecureToken
if [ "$(sudo fdesetup status | head -1)" == "FileVault is On." ]; then
    separationLine
    echo "Filevault is on - adding to secure token"
    addUser
else
    separationLine
    echo "Filevault is off - enabling. Removing user"
    enableFileVault
    removeUser
fi
updatePreboot
cleanUp
```
Posted on 10-16-2018 06:03 AM
Thanks @kerouak. It worked well for us.
Posted on 10-17-2018 03:29 AM
Would you please share the code for us, @Kavya?
Posted on 10-18-2018 02:01 PM
@kerouak can you re-post your script with code tags ( triple backticks) around it (or, use the "terminal" icon above the editor, that looks like ">_")? It should make the code much easier to read and copy/paste for others needing the same functionality.
Posted on 10-22-2018 02:48 AM
@chenhao2018,
We are using this script only to enable secure token. To add the user to FileVault and enable FileVault we use the policy created on Jamf.
Here you go....
This will prompt the user for their password and enable secure token.
Put the admin details in the relevant parameters in the Policy and add this script.
```sh
#!/bin/sh
# Jamf policy parameters: $3 = logged-in user, $4 = admin user holding a secure token,
# $5 = admin password, $6 = additional user (not used in this version)
adminUser="$4"
adminPassword="$5"
userName1="$3"
userName2="$6"

# Uses AppleScript to prompt the currently logged in user for their account password.
userPassword1=$(/usr/bin/osascript <<EOT
tell application "System Events"
    activate
    display dialog "To Enable Filevault, Please enter your login password:" default answer "" buttons {"Continue"} default button 1 with hidden answer
    if button returned of result is "Continue" then
        set pwd to text returned of result
        return pwd
    end if
end tell
EOT
)

separationLine() {
    echo "----------------------------------------------------------------------------------"
}

# Enables SecureToken for the currently logged in user account.
enableSecureToken() {
    separationLine
    echo "Enables SecureToken for the currently logged in user account $userName1"
    sudo sysadminctl -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName1" -password "$userPassword1"
}

enableSecureToken
```
Posted on 10-26-2018 04:34 AM
Hello,
This script does not validate if the password is entered right for the logged-in user. It takes the wrong password and also changes the password for the account. Is there a way we can add validation of the password for the logged-in user?
Thanks, Kavyashree
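The variant below is an added example and not code from this thread. It addresses the validation gap raised in the last post by checking the typed password with `dscl . -authonly` before it reaches sysadminctl or fdesetup, and it also XML-escapes the values written into the fdesetup plist, which the thread's createPlist splices in raw. The variable names and Jamf parameter positions follow the posts; the dscl, osascript and sysadminctl calls are assumed to run on macOS.

```bash
#!/bin/bash
# Added example, not from the thread. Jamf parameters (assumed): $3 = user, $4 = admin, $5 = admin password.
userName1="$3"; adminUser="$4"; adminPassword="$5"

# Escape & < > " ' so a password cannot break or alter the plist that fdesetup reads.
xmlEscape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Same plist layout as the thread's createPlist, with escaped values.
buildPlist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>$(xmlEscape "$1")</string>
  <key>Password</key><string>$(xmlEscape "$2")</string>
  <key>AdditionalUsers</key>
  <array><dict>
    <key>Username</key><string>$(xmlEscape "$3")</string>
    <key>Password</key><string>$(xmlEscape "$4")</string>
  </dict></array>
</dict>
</plist>
EOF
}

# Check a local account password with the directory service; changes nothing. Exit 0 = valid.
verifyPassword() {
  /usr/bin/dscl . -authonly "$1" "$2" >/dev/null 2>&1
}

# Prompt up to three times; print the password only after dscl has verified it.
promptVerified() {
  local attempt pw
  for attempt in 1 2 3; do
    pw=$(/usr/bin/osascript -e 'text returned of (display dialog "To enable FileVault, enter your login password:" default answer "" buttons {"Continue"} default button 1 with hidden answer)')
    verifyPassword "$1" "$pw" && { printf '%s' "$pw"; return 0; }
  done
  return 1
}

# The privileged steps run only where sysadminctl exists (macOS); the helpers above run anywhere.
if [ -x /usr/sbin/sysadminctl ]; then
  userPassword1=$(promptVerified "$userName1") || { echo "Password not verified, aborting"; exit 1; }
  /usr/sbin/sysadminctl -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName1" -password "$userPassword1"
  (umask 077; buildPlist "$adminUser" "$adminPassword" "$userName1" "$userPassword1" > /private/tmp/userToAdd.plist)
  /usr/bin/fdesetup add -i < /private/tmp/userToAdd.plist
  rm -f /private/tmp/userToAdd.plist
fi
```

Because the plist is written under `umask 077` and removed right after use, the plaintext credentials are never world-readable in /private/tmp.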