Posted on 04-27-2016 05:20 PM
I have users that have enabled FileVault 2 on their computers already. We are moving forward with mandatory FileVault 2 on all devices with an institutional key.
Is there a way to add an institutional key without decrypting and recrypting the computers with FileVault 2 already enabled? I found this kbase article, but it doesn't apply since the applied user is not the management account.
Thanks in advance!
Posted on 04-27-2016 06:04 PM
The kbase is correct and it works. The policy will run as the management account.
The Institutional key will replace the Individual key the user received when they encrypted the drive. The user will need IT assistance if they forget their password or if the user account is somehow corrupted where they cannot login at the FV2 login screen after shutdown or restart.
Posted on 04-27-2016 06:58 PM
@chiguchi, but one of the requirements that needs to be met to follow the kbase article is either "The management account configured as the enabled FileVault 2 user" or "An existing, valid individual recovery key that matches the key stored in the JSS" and currently none of those conditions are met.
Is there a way for me to make the management account an enabled FileVault 2 user? Then I could follow the kbase article.
Posted on 04-28-2016 07:43 AM
@ryoshioka, you'd have to know the FileVault password of the account that's already enabled. You could then use the inputplist functionality of fdesetup to add the management account to FileVault. That's what we do in this situation.
For example, I have a policy that runs the below script to add our management account to FV. You can extend this script with a little user interaction to prompt them for their current FileVault credentials.
#!/bin/bash
set -o nounset # Treat unset variables as an error
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi
# The temp file holds cleartext passwords: create it (mode 0600) in the temp
# directory rather than the current working directory, and remove it on every
# exit path, not only when fdesetup succeeds.
PLIST_TEMP=$(mktemp "${TMPDIR:-/tmp}/PL.XXXXXXX")
cleanup() {
    # srm is no longer shipped with macOS (removed in 10.12); rm -P overwrites before unlinking
    if command -v srm >/dev/null 2>&1; then srm -m "$PLIST_TEMP"; else rm -P "$PLIST_TEMP"; fi
}
trap cleanup EXIT
cat << EOF > "$PLIST_TEMP"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>filevault_username</string>
    <key>Password</key>
    <string>filevault_password</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>management_account</string>
            <key>Password</key>
            <string>management_password</string>
        </dict>
    </array>
</dict>
</plist>
EOF
# Authenticates as the already-enabled FileVault user and enables every account listed in AdditionalUsers
/usr/bin/fdesetup add -inputplist < "$PLIST_TEMP"
Just make sure to update the username and password keys for your environment.
If you need to later remove the management account you can do it with this script:
#!/bin/bash
set -o nounset # Treat unset variables as an error
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi
# Removing an account from the FileVault-enabled list needs only root privileges
# and the account name; no enabled user's password (and so no credential plist) is required.
/usr/bin/fdesetup remove -user management_account
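The interactive variant hinted at above (prompting the logged-in user for their FileVault password and adding the management account), written out as an added example rather than the poster's own script. It assumes a Mac with /usr/bin/fdesetup, uses placeholder names for the management account (the password is read from Jamf script parameter $4, with a placeholder default), and takes the console user to be the already-enabled FileVault user. The helper names (`xml_escape`, `build_add_plist`, `fv_list_has`, `fv_user_enabled`, `prompt_password`) are this example's own. Unlike the temp-file approach, the plist is piped straight into `fdesetup add -inputplist`, so the cleartext passwords never land on disk, and password characters that are special in XML are escaped so they cannot break the document.

```shell
#!/bin/bash
# Added example (not the original poster's script): prompt the console user for
# their FileVault password and add the management account without a temp file.
# Assumptions: MGMT_USER/MGMT_PASS are placeholders; the console user is the
# FileVault-enabled user who authorizes the addition.
set -o nounset

MGMT_USER="management_account"          # placeholder, replace for your environment
MGMT_PASS="${4:-management_password}"   # placeholder; Jamf passes policy parameters as $4..$11

# Escape a value for an XML plist so a password containing & < > " or '
# cannot break (or alter) the document that fdesetup parses.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Print the fdesetup -inputplist document to stdout; nothing is written to disk.
build_add_plist() {
    local fv_user fv_pass mgmt_user mgmt_pass
    fv_user=$(xml_escape "$1");   fv_pass=$(xml_escape "$2")
    mgmt_user=$(xml_escape "$3"); mgmt_pass=$(xml_escape "$4")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>${fv_user}</string>
    <key>Password</key>
    <string>${fv_pass}</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>${mgmt_user}</string>
            <key>Password</key>
            <string>${mgmt_pass}</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Read "username,UUID" lines (the output format of `fdesetup list`) on stdin
# and succeed only if the given user is among them.
fv_list_has() {
    awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

fv_user_enabled() {
    /usr/bin/fdesetup list | fv_list_has "$1"
}

# Ask in the console user's own GUI session with a hidden answer field, so the
# password passes through neither a file nor the process list.
prompt_password() {
    local uid
    uid=$(id -u "$1")
    /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$1" /usr/bin/osascript \
        -e "display dialog \"Enter the FileVault password for $1:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1" \
        -e 'text returned of result'
}

main() {
    if [ "$(id -u)" -ne 0 ]; then echo "This script must be run as root" >&2; return 1; fi
    local fv_user attempt pass
    fv_user=$(/usr/bin/stat -f %Su /dev/console)
    case "$fv_user" in root|loginwindow|"") echo "No user logged in at the console" >&2; return 1;; esac
    if ! fv_user_enabled "$fv_user"; then
        echo "$fv_user is not a FileVault-enabled user and cannot authorize the addition" >&2; return 1
    fi
    if fv_user_enabled "$MGMT_USER"; then echo "$MGMT_USER is already enabled"; return 0; fi
    for attempt in 1 2 3; do
        pass=$(prompt_password "$fv_user") || return 1
        # fdesetup exits non-zero when the enabled user's password is wrong, so just retry
        if build_add_plist "$fv_user" "$pass" "$MGMT_USER" "$MGMT_PASS" | /usr/bin/fdesetup add -inputplist; then
            pass=""
            # Trust the enabled-user list, not only the exit status
            if fv_user_enabled "$MGMT_USER"; then echo "$MGMT_USER added to FileVault"; return 0; fi
            echo "fdesetup returned success but $MGMT_USER is not listed" >&2; return 1
        fi
        echo "FileVault rejected that password (attempt $attempt of 3)" >&2
    done
    return 1
}

# Run the workflow only where fdesetup exists (macOS); the helpers above work anywhere.
if [ -x /usr/bin/fdesetup ]; then
    main
    exit $?
fi
```

Run it as root from the policy; it refuses to continue unless the console user is already FileVault-enabled, and it reports success only after the management account actually appears in `fdesetup list`. The same `xml_escape` treatment applies to the management password if it contains XML-special characters.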
Posted on 04-28-2016 01:59 PM
@Berrier, gotcha. I'll have to test these out on a test device before rolling this out to our users.
Posted on 08-19-2016 03:13 PM
Finally got a chance to test your script, worked like a charm! Thank you very much.
Posted on 08-22-2016 05:39 AM
@ryoshioka, excellent! You're welcome!