Enable User for FV2 with Validation Loop

davidjess
New Contributor III

Hi folks,

Does anyone have scripts available for Sierra and High Sierra that will enable a local user for FileVault 2 - prompting them to enter their password, then confirm, then error if the passwords don't match, and proceed if they do.

Thanks

5 REPLIES

rwar
New Contributor

I made some assumptions and am going to pretend you currently do not have FileVault2 enabled and the local user was the first user created on the machine (SecureToken purposes). If those are true, the following should work:

#!/bin/bash

#############################################################################
#
#   Description: This script is intended to prompt the logged in user for 
#   their password, validate their password, and enable FV2.
#
#   Credits to @homebysix and @futureimperfect
#
#############################################################################

# Suppress errors for the duration of this script. (This prevents JAMF Pro from
# marking a policy as "failed" if the words "fail" or "error" inadvertently
# appear in the script output.)
exec 2>/dev/null

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
LOGO="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns"
LOGO_POSIX="$(/usr/bin/osascript -e 'tell application "System Events" to return POSIX file "'"$LOGO"'" as text')"
PROMPT_TITLE="Enabling user for FileVault"
PROMPT_MESSAGE="Enabling your account for FileVault. Please enter your password on the following prompt."
FINISHED_MESSAGE="You have successfully been enabled for FileVault"
FORGOT_PW_MESSAGE="You made five incorrect password attempts. FileVault was not enabled for your account."
CURRENT_USER=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
USER_ID=$(/usr/bin/id -u "$CURRENT_USER")
L_ID=$USER_ID
L_METHOD="asuser"


# Display a branded prompt explaining the password prompt.
echo "Alerting user $CURRENT_USER about incoming password prompt..."
"$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$PROMPT_MESSAGE" -button1 "Next" -defaultButton 1 -startlaunchd &>/dev/null

# Get the logged in user's password via a prompt.
echo "Prompting $CURRENT_USER for their Mac password..."
USER_PASS="$(/bin/launchctl "$L_METHOD" "$L_ID" /usr/bin/osascript -e 'display dialog "Please enter the password you use to log in to your Mac:" default answer "" with title "'"${PROMPT_TITLE//\"/\\\"}"'" giving up after 86400 with text buttons {"OK"} default button 1 with hidden answer with icon file "'"${LOGO_POSIX//\"/\\\"}"'"' -e 'return text returned of result')"

# Validate the user's password
TRY=1
until /usr/bin/dscl /Search -authonly "$CURRENT_USER" "$USER_PASS" &>/dev/null; do
    (( TRY++ ))
    echo "Prompting $CURRENT_USER for their Mac password (attempt $TRY)..."
    USER_PASS="$(/bin/launchctl "$L_METHOD" "$L_ID" /usr/bin/osascript -e 'display dialog "Sorry, that password was incorrect. Please try again:" default answer "" with title "'"${PROMPT_TITLE//\"/\\\"}"'" giving up after 86400 with text buttons {"OK"} default button 1 with hidden answer with icon file "'"${LOGO_POSIX//\"/\\\"}"'"' -e 'return text returned of result')"
    if (( TRY >= 5 )); then
        echo "[ERROR] Password prompt unsuccessful after 5 attempts. Displaying \"forgot password\" message..."
        /bin/launchctl "$L_METHOD" "$L_ID" "$jamfHelper" -windowType "utility" -icon "$LOGO" -title "$PROMPT_TITLE" -description "$FORGOT_PW_MESSAGE" -button1 'OK' -defaultButton 1 -startlaunchd &>/dev/null &
        exit 1
    fi
done

echo "Successfully validated the correct password."

# Enable FileVault for the user. The plist is fed to fdesetup on stdin, so the
# password never appears on a command line. Note that $USER_PASS is inserted into
# the XML unescaped: a password containing &, < or > will make the plist invalid.
/usr/bin/fdesetup enable -inputplist << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>$CURRENT_USER</string>
<key>Password</key>
<string>$USER_PASS</string>
</dict>
</plist>
EOF

# Alternatively, you could just use jamf's encryptDisk option which will do the same.
# Be aware that this form passes the password as a command-line argument, which any
# local process can read via ps while the command runs; -inputplist avoids that.
# /usr/local/bin/jamf encryptDisk -username $CURRENT_USER -password $USER_PASS

I did modify the script I personally use and did not test the "fde enable" piece at the bottom. If you already have FV2 enabled and are trying to add this local user, let me know and I'll post the piece for that.

davidjess
New Contributor III

Hi @rwar

Thanks for the reply, we do actually have FV2 enabled - just looking for an enable user for FV2 script with a validation loop.

Thanks
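Added example (editor's code, not rwar's script and not Jamf or Apple code) for the case davidjess describes: FileVault 2 is already turned on and one more local user needs to be enabled, with the same kind of validation loop rwar's script uses. It keeps the dscl -authonly check and adds three things a practitioner will want: XML-escaping of the password before it is placed in the plist, a check of `fdesetup list` so an already-enabled user is skipped, and `fdesetup add -inputplist`, which needs the credentials of an account that is already FileVault-enabled (on 10.13 APFS that account also holds a SecureToken, which is why rwar asks about the first user created). Those credentials are assumed here to arrive in the hypothetical variables FV_ADMIN_USER and FV_ADMIN_PASS; where they come from is up to your management workflow, and anything that can read the policy or its logs can read them if they are passed in the clear. The interactive flow runs only with `--run` on a Mac; without it the script just defines the helpers.

```shell
#!/bin/sh
# Added example (editor's, not rwar's script, not Jamf/Apple code): validate the
# console user's password in a loop, then add that user to an already-enabled
# FileVault 2 volume with `fdesetup add -inputplist`.
# Assumption (not from the thread): FV_ADMIN_USER / FV_ADMIN_PASS hold the
# credentials of an account that is already FileVault-enabled.

MAX_ATTEMPTS=5

# Escape the XML special characters so a password such as 'p<a&ss' cannot
# produce an invalid plist or smuggle extra keys into it. '&' must go first.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
    -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the plist `fdesetup add` documents in its man page: the enabled user's
# credentials at the top level, the user to add under AdditionalUsers.
build_fv_add_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>$(xml_escape "$1")</string>
  <key>Password</key>
  <string>$(xml_escape "$2")</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key>
      <string>$(xml_escape "$3")</string>
      <key>Password</key>
      <string>$(xml_escape "$4")</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# `fdesetup list` prints one "user,UUID" line per enabled user; read that
# listing on stdin and report whether $1 is already enabled (exact match).
user_in_fv_list() {
  cut -d, -f1 | grep -qx -e "$1"
}

# Returns 0 when the password authenticates. Redefine for offline testing.
check_password() {
  /usr/bin/dscl /Search -authonly "$1" "$2" >/dev/null 2>&1
}

# Show a hidden-answer dialog in the user's own session ($1 = user, $2 = text).
prompt_password() {
  /bin/launchctl asuser "$(/usr/bin/id -u "$1")" /usr/bin/osascript \
    -e "display dialog \"$2\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1" \
    -e 'return text returned of result'
}

# Prompt until the password authenticates or MAX_ATTEMPTS is reached.
# Sets VALIDATED_PASS and returns 0 on success; returns 1 after giving up.
validate_password_loop() {
  user=$1
  attempt=1
  msg="Please enter the password you use to log in to your Mac:"
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    pass=$(prompt_password "$user" "$msg")
    if check_password "$user" "$pass"; then
      VALIDATED_PASS=$pass
      return 0
    fi
    attempt=$((attempt + 1))
    msg="Sorry, that password was incorrect. Please try again:"
  done
  return 1
}

# Feed the plist to fdesetup on stdin: no password ever appears as a
# command-line argument, where ps would show it to every local process.
add_user_to_filevault() {
  build_fv_add_plist "$FV_ADMIN_USER" "$FV_ADMIN_PASS" "$1" "$2" \
    | /usr/bin/fdesetup add -inputplist
}

main() {
  console_user=$(/usr/bin/stat -f%Su /dev/console)
  if /usr/bin/fdesetup list | user_in_fv_list "$console_user"; then
    echo "$console_user is already FileVault-enabled; nothing to do."
    return 0
  fi
  if ! validate_password_loop "$console_user"; then
    echo "Password not validated after $MAX_ATTEMPTS attempts; not enabling."
    return 1
  fi
  add_user_to_filevault "$console_user" "$VALIDATED_PASS"
}

# Only run the interactive flow when asked, so the helpers can be sourced or
# exercised on a machine without fdesetup.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

The `check_password` and `prompt_password` functions are kept separate so the loop can be exercised with canned answers before it ever touches a real account; on a Mac, `sudo sh enable-fv-user.sh --run` with the two variables exported runs the whole flow.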

scottb
Honored Contributor

Here is some good info related to FV2.
It may or may not help you, but it works well here.

jss-filevault-reissue

sim_brar
New Contributor III

@rwar You are a saint for sharing that script <3

elliotjordan
Contributor III

Hi everyone! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to a few of you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!