Posted on 10-27-2017 11:30 AM
Hi, I'm trying to find a way to enable FileVault for the management account without having to do it manually (System Preferences > Security & Privacy > FileVault > Enable Users).
Any suggestions?
Posted on 10-27-2017 02:28 PM
While I'm not an expert, I don't think it's possible unless there is another FV2-enabled account on the machine that you have the log-in info for.
Here is the expert...
https://derflounder.wordpress.com/?s=fileVault
C
Posted on 10-27-2017 03:18 PM
As you can imagine, this would be a huge security gap if you could enable an account for FileVault without having credentials capable of unlocking the drive. If you do, you can do it with fdesetup.
Posted on 10-29-2017 05:42 PM
If you deployed FV2 to the user through the JSS and the JSS has the encryption keys then you can create another policy scoped to those machines which enables FV for the management account. It's under policy>management account>enable user for filevault 2
Note that if you do it this way, there is a time gap between when a computer is encrypted and when the management account has access to unlock the drives on it, and how long that gap is depends on how frequent your inventory updates are. A good way to CYA would be to issue an institutional key as well so that you have some way of unlocking a drive in a disaster situation.
Posted on 10-30-2017 01:52 PM
@CH4RL35 I've written a quick multipurpose script which takes into account the time gap mentioned by @rrs and also handles user notification, its scoped to machine that started the encryption policy (self service)
#!/bin/bash
# Waits until FileVault 2 is enabled (fdesetup list prints nothing until at least one
# user is FileVault-enabled), alerts the user via jamfHelper, then triggers the policy
# that enables the admin/management account (which takes effect after the next reboot).
fvstatus=$(fdesetup list)
# Poll every five minutes until fdesetup list returns a user,UUID line.
while [ -z "$fvstatus" ]; do
  sleep 300
  fvstatus=$(fdesetup list)
done
echo "$fvstatus"
# Icon path is quoted because it contains spaces.
'/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper' -windowType hud -windowPosition ur -heading "IS ALERT" -description "Hard Drive Encryption Complete" -icon "/Applications/Self Service.app/Contents/Resources/Self Service.icns"
# Custom trigger name must match the trigger configured on the Jamf Pro policy.
jamf policy -trigger enableManagmentAccount
exit 0
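As an added example (my own, not the script from the post above), here is a variant of the same idea that distinguishes "FileVault is on but still encrypting" from "fully encrypted" by parsing fdesetup status, and skips the policy call when the account is already FileVault-enabled. The trigger name enableManagementAccount and the account name mgmt are placeholders; the sample fdesetup output in the comments is constructed.

```shell
#!/bin/bash
# fv_state <fdesetup status output>: prints off | encrypting | on | unknown.
# Constructed sample inputs: "FileVault is Off.", "Encryption in progress: Percent completed = 42",
# "FileVault is On."
fv_state() {
  local out="$1"
  if printf '%s\n' "$out" | grep -q '^FileVault is Off'; then
    echo off
  elif printf '%s\n' "$out" | grep -qi 'in progress'; then
    echo encrypting
  elif printf '%s\n' "$out" | grep -q '^FileVault is On'; then
    echo on
  else
    echo unknown
  fi
}

# user_enabled <user> <fdesetup list output>: exit 0 if the user is FileVault-enabled.
# fdesetup list prints one "username,UUID" line per enabled user (sample: "jdoe,1234-ABCD").
user_enabled() {
  printf '%s\n' "$2" | cut -d, -f1 | grep -qxF -- "$1"
}

# wait_for_fv <user> [interval]: poll until encryption has finished, then trigger the
# Jamf policy that enables the management account, unless it is already enabled.
wait_for_fv() {
  local user="$1" interval="${2:-300}"
  while [ "$(fv_state "$(fdesetup status)")" != on ]; do
    sleep "$interval"
  done
  if user_enabled "$user" "$(fdesetup list)"; then
    echo "$user is already FileVault-enabled; nothing to do"
  else
    # Placeholder trigger name: use the custom trigger defined on your policy.
    /usr/local/bin/jamf policy -event enableManagementAccount
  fi
}

# Only poll on a Mac that actually has fdesetup; elsewhere the functions are just defined.
if command -v fdesetup >/dev/null 2>&1; then
  wait_for_fv "mgmt"   # placeholder management account name
fi
```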
Posted on 11-03-2017 04:09 AM
Thanks!
Posted on 12-11-2017 03:17 PM
How are people handling this with High Sierra now? Reading fdesetup:
Because APFS volumes require an OD authentication before it will allow for the change, the current recovery key cannot be used for the authentication. On CoreStorage volumes the -key option can be used to unlock FileVault. More information on this is described elsewhere in this document.
The workflow used to be: enable for the user with a redirected key to the JSS so we could unlock, and then add the management account. Looks like now it needs to have the management account done first at provisioning and then add in the end user?
Posted on 12-11-2017 04:24 PM
I'm finding that we will have to create a local admin account just to store a secure token that we can then use to give secure tokens to other accounts, like our AD account or our management account.
JAMF needs to get on this ASAP and build secure token management into JAMF Pro. It's breaking all of our FV processes and I'm having to do less secure things to work with something that is supposed to increase security.