FileVault Password Change Script


Hi All,

I've finally moved to publishing some of my more useful junk. Here's a much-discussed issue that we fixed internally with a collaborative script that I finalized. This is a version that is scrubbed of our environment's details.

Any pro-tips on password handling in scripts are appreciated. This works, but is by no means the limit of perfection.

https://github.com/primalcurve/macsupportpub/blob/master/scripts/FileVault_Sync_Scrubbed.sh

Much love to @typingpool and @Janowski for their contributions.

  • New Contributor
  • 16 replies
  • April 7, 2017

Hi @primalcurve ,

You put together a great workflow; I have something similar in my environment.

What I would probably add:
1. Check for Internal Network (unless your AD is external)
2. Domain Remediation (try to fix the environment by attempting a rebind if not connected)

Also, I like what you did with the FileVault 2 add and removal; I thought of something similar and I like your approach.

What I ultimately found was that the 'createmobileaccount' command did the proper resync of the user's account with FileVault.

/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n "username"

What happens is that the user's account profile is re-pulled and applied even to the FV lock screen. It takes a little time depending on the environment.

Since this is not instantaneous, and for best results, I also request that the user log out.

Upon login the user's account should reflect the FV lock.

Hopefully this helps perfect your script :)

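The workflow ShadowGT describes above (network check, bind check, then a createmobileaccount resync for users who can unlock the disk) written out as a small POSIX sh script. This is an added example, not the script from the linked repository and not ShadowGT's code. It assumes macOS with an Active Directory bind, the createmobileaccount path quoted in the thread, LDAP (389/tcp) as the reachability probe, and that `dsconfigad -show` and `fdesetup list` produce the line formats shown in the constructed samples; the domain name is a placeholder. The decision logic is kept in plain functions so it can be exercised without a Mac.

```sh
#!/bin/sh
# Added example (not the original poster's script): FileVault/AD resync workflow.
# Assumes macOS, an AD bind, and root privileges for the real run.

AD_DOMAIN="corp.example"   # placeholder: set to your AD domain
CMA="/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount"

# Constructed sample outputs, used only for the offline demonstration/tests.
SAMPLE_DSCONFIGAD='Active Directory Forest          = corp.example
Active Directory Domain          = corp.example
Computer Account                 = mac0001$'
SAMPLE_FDESETUP='admin,11111111-2222-3333-4444-555555555555
jdoe,66666666-7777-8888-9999-000000000000'

# Step 1 (internal network check): can we reach the AD domain on LDAP?
ad_reachable() {
    nc -z -w 3 "$1" 389 >/dev/null 2>&1
}

# Step 2 (bind check): read the bound domain from `dsconfigad -show` on stdin.
# Prints the domain, or nothing when the line is absent (unbound).
bound_domain() {
    awk -F' = ' '/Active Directory Domain/ { print $2; exit }'
}

# Step 3: is the user a FileVault-enabled user?  `fdesetup list` prints
# one "username,GeneratedUID" per line on stdin.  Exit 0 if found.
fv_user_enabled() {
    awk -F, -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Step 4: decide the action from the three observations above.
#   $1 = 1 if AD answered, else 0
#   $2 = bound domain (empty if unbound)
#   $3 = 1 if the user is in `fdesetup list`, else 0
plan_action() {
    if [ "$1" != "1" ]; then
        echo "skip-offline"       # off the internal network: do nothing
    elif [ -z "$2" ]; then
        echo "rebind"             # bind is broken: remediate before touching accounts
    elif [ "$3" != "1" ]; then
        echo "skip-not-fv-user"   # nothing to resync for a user who cannot unlock the disk
    else
        echo "resync"             # re-pull the mobile account so the FV password matches AD
    fi
}

# Real run (macOS, as root): sh fv_resync.sh <username>
main() {
    user="$1"
    reach=0; ad_reachable "$AD_DOMAIN" && reach=1
    dom="$(dsconfigad -show 2>/dev/null | bound_domain)"
    fv=0; fdesetup list 2>/dev/null | fv_user_enabled "$user" && fv=1
    action="$(plan_action "$reach" "$dom" "$fv")"
    echo "$user: $action"
    case "$action" in
        resync)
            "$CMA" -n "$user"
            # The change is not instantaneous; the pre-boot screen picks it up after a logout/login.
            echo "Please log out and back in so the FileVault pre-boot screen reflects the new password."
            ;;
        rebind)
            echo "Computer is not bound to AD; run your rebind policy before resyncing."
            ;;
    esac
}

# Only act when a username is given, so sourcing the file stays side-effect free.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The resync only runs when all three checks pass; an unbound machine is reported for remediation rather than having createmobileaccount run against a stale directory node.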

  • Author
  • Contributor
  • 11 replies
  • April 7, 2017

Some great tips. Thank you for your response, @ShadowGT.

  1. This is actually handled in scope. This policy is only available when the computer is on one of our network segments. I could still add this feature, but so far it seems to work well enough.
  2. Yes! This is totally in the pipeline. I'm working out a best practice for doing this. I already have a policy in place, but I'm not yet ready to make it automatic. I can scrub my rebind policy and put that up. It's pretty fun too.

I'm totally trying out that createmobileaccount trick. If that works in our environment, I can absolutely automate that. Thanks!
