FileVault Password Change Script

primalcurve
New Contributor III

Hi All,

I've finally moved to publishing some of my more useful junk. Here's a much-discussed issue that we fixed internally with a collaborative script that I finalized. This is a version that is scrubbed of our environment's details.

Any pro-tips on password handling in scripts are appreciated. This works, but is by no means the limit of perfection.

https://github.com/primalcurve/macsupportpub/blob/master/scripts/FileVault_Sync_Scrubbed.sh

Much love to @typingpool and @Janowski for their contributions.


ShadowGT
New Contributor III

Hi @primalcurve ,

You put together a great work flow, I have something similar in my environment.

What I would probably add:
1. Check for internal network (unless your AD is external)
2. Domain remediation (try to fix the environment by attempting a rebind if not connected)

Also, I like what you did with the FileVault 2 add and remove; I thought of something similar and I like your approach.

What I ultimately found was that the 'createmobileaccount' command did the proper resync of the user's account with FileVault.

/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n "username"

What happens is the user's account profile is re-pulled and applied, even to the FV lock screen. It takes a little time depending on the environment.

Since this is not instantaneous, for best results I also ask the user to log out.

Upon login the user's account should reflect the FV lock.

Hopefully this helps perfect your script :)
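The workflow discussed in this thread (check that the AD domain is reachable, confirm the user is FileVault-enabled, then refresh the mobile account with createmobileaccount and ask for a logout) as one script. This is an added example, not primalcurve's FileVault_Sync script and not ShadowGT's code. It assumes an AD-bound Mac with mobile accounts, that the AD domain name resolves to a domain controller answering LDAP on 389, and it is run as root; the `dsconfigad -show` and `fdesetup list` outputs embedded below are constructed samples used only to exercise the parsing functions.

```bash
#!/bin/bash
# Added example: FileVault / AD password resync helper (not from the original post).
# Assumes: AD-bound Mac, mobile accounts, run as root. Sample outputs are constructed.

# Constructed sample of `fdesetup list` output: one "username,GeneratedUID" per line.
FV_LIST_SAMPLE='admin,1A2B3C4D-0000-1111-2222-333344445555
jdoe,9F8E7D6C-0000-1111-2222-333344445555'

# Constructed sample of `dsconfigad -show` output for a bound machine.
DSCONFIGAD_SAMPLE='Active Directory Forest          = example.corp
Active Directory Domain          = example.corp
Computer Account                 = mac-0042$

Advanced Options - User Experience
  Create mobile account at login = Enabled'

# fv_has_user LISTING USER: succeed if USER appears in `fdesetup list` output.
fv_has_user() {
  local listing="$1" user="$2"
  printf '%s\n' "$listing" | awk -F, -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

# ad_domain SHOW: print the bound AD domain from `dsconfigad -show` output, or fail.
# An unbound Mac prints nothing for -show, so failure here also means "not bound".
ad_domain() {
  local show="$1"
  printf '%s\n' "$show" | awk -F'= ' '
    /Active Directory Domain/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; found = 1 }
    END { exit !found }'
}

# domain_reachable DOMAIN: crude "are we on the internal network" check (ShadowGT's
# item 1). The AD domain name normally resolves to the DCs; 389 is plain LDAP.
domain_reachable() {
  local domain="$1"
  nc -z -w 3 "$domain" 389 >/dev/null 2>&1
}

# resync_mobile_account USER: re-pull the mobile account record so the FileVault
# pre-boot user list picks up the changed AD password (ShadowGT's suggestion).
resync_mobile_account() {
  local user="$1"
  "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount" -n "$user"
}

main() {
  local user="$1" show domain fvlist
  show="$(dsconfigad -show 2>/dev/null)"
  domain="$(ad_domain "$show")" || { echo "Not bound to Active Directory; rebind first." >&2; return 2; }
  domain_reachable "$domain" || { echo "$domain unreachable; run from an internal segment or VPN." >&2; return 3; }
  fvlist="$(fdesetup list)" || { echo "fdesetup list failed (are you root?)." >&2; return 4; }
  if fv_has_user "$fvlist" "$user"; then
    resync_mobile_account "$user" || return $?
    echo "Mobile account for $user refreshed; have the user log out and back in so the FileVault login screen picks up the change."
  else
    echo "$user is not a FileVault-enabled user; add with: fdesetup add -usertoadd $user" >&2
    return 5
  fi
}

# Run the workflow only when invoked as: sudo ./fv_sync.sh --user jdoe
if [ "${1:-}" = "--user" ] && [ -n "${2:-}" ]; then
  main "$2"
fi
```

The parsing is split out of main so it can be checked against captured output without a bound Mac; the only macOS-specific calls are in main, domain_reachable and resync_mobile_account. The network check is deliberately simple; if the policy is already scoped to internal segments, as primalcurve's is, it is belt-and-braces rather than required.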

primalcurve
New Contributor III

Some great tips. Thank you for your response, @ShadowGT .

  1. This is actually handled in scope. This policy is only available when the computer is on one of our network segments. I could still add this feature, but so far it seems to work well enough.
  2. Yes! This is totally in the pipeline. I'm working out a best practice for doing this. I already have a policy in place, but I'm not yet ready to make it automatic. I can scrub my rebind policy and put that up. It's pretty fun too.

I'm totally trying out that createmobileaccount trick. If that works in our environment, I can absolutely automate that. Thanks!