FileVault SecureTokenStatus Extension Attribute

ammonsc
Contributor II

I am trying to setup an extension attribute that will report wether the current user's SecureToken is enabled or disabled. Here is where I am right now. I want it to just report a Disabled or Enabled and then I can have a smart group based on that criteria that will run a script to enable it for the current user.

#!/bin/bash

# Get the Username of the currently logged user
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`

# Get SecureTokenStaus
status=$(sudo sysadminctl -secureTokenStaus "$loggedInUser")
echo "<result>$status</result>"
15 REPLIES 15

andrew_nicholas
Valued Contributor

You're likely going to have problems with this because sysadminctl now requires either the interactive or -adminUser flags passed so that it will work. If you're cool with a "most likely" you can still use the fdesetup -list and grep for a user account, which should tell you that its enabled which most likely means that a token is set. Again, this isn't an explicit confirmation but more of a good chance sort of thing.

dfarnworth
New Contributor III

Might also be having problems as the second to last line has a syntax error:

secureTokenStaus

should be

secureTokenStatus

dgreening
Valued Contributor II

The real question is: when will JAMF support this functionality (and other HS specific)? So much for "zero day" support eh? Pretty much everything we have had to do with HS/sysadminctl is a hack workaround, and relies on at best encrypted string obscured clear text passwords in every command.

gachowski
Valued Contributor II

I am not so sure that, all of this falls on Jamf... there were massive changes in HS and it's very obvious that all the player involved weren't ready. I haven't followed this issue super close, but from what I can tell Apple pushed everyone about the deprecated and new config profile keys. I didn't see one Apple doc about the changes to sysadminctl and how that effects fdesetup,

My go to guy about FV Rich Trouton didn't post anything about those changes and he is the non-Apple employee expert.

C

dgreening
Valued Contributor II

Indeed. It is pretty interesting that Apple isn't even keeping Jamf in the loop.

mottertektura
Contributor

@ammonsc Maybe this would work for you?

#!/bin/bash

# Get the Username of the currently logged user
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`

# Get SecureTokenStaus
secureTokenStatus=$(dscl . -read /Users/$loggedInUser AuthenticationAuthority | grep -o SecureToken)

if [[ $secureTokenStatus == SecureToken ]]; then
    echo "<result>Yes</result>"
else
    echo "<result>No</result>"
fi

achmelvic
New Contributor II

I've spent some time this morning playing around with scripts in an effort to find an easier means of checking all the users that have a secure token and then outputting it, ideally to an extension attribute, slight flaw is my scripting skills ain't great!

So far what I've come up with is this which will show the users with an ID over 400 (our 'hidden' admin account uses 401) check them using sysadminctl. This runs fine manually as a script in terminal and pulls back the results from sysadminctl but I'm kind of stuck of what to do next so get the results to output in a form that is useful for a extension attribute, I'm guessing using awk?

I've tried various things but like I say my bash skills ain't amazing to say the least! Anyone any suggestions?

#!/bin/sh
users=$(dscl /Local/Default -list /Users uid | awk '$2 >= 400 && $0 !~ /^_/ { print $1 }')

for each in $users
do
sysadminctl -secureTokenStatus $each
done

rob_hernandez
New Contributor III

@mottertektura

I spent some time testing your EA and discovered a shortcoming. When SecureToken is removed from an account, a new status of ;DisabledTags;SecureToken is applied to the account. Since the EA doesn't account for the extra status data, it continues to report the account as SecureToken enabled.

mottertektura
Contributor

@rhernandez-gsn

Thanks for the info! I've since moved away from dscl and switched to sysadminctl. Here's my current EA to check. Hope that helps!

#!/bin/bash

currentUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`

#Get macOS major and minor versions
osvers_major=$(sw_vers -productVersion | awk -F. '{print $1}')
osvers_minor=$(sw_vers -productVersion | awk -F. '{print $2}')

# Get SecureTokenStatus
secureTokenStatus=$(sysadminctl -secureTokenStatus $currentUser 2>&1 | awk '{print$7}')

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 13 ]]; then
    if [[ "$currentUser" == "_mbsetupuser" || "$currentUser" == "root" || "$currentUser" == "" ]]; then
        echo "<result>Not Logged In</result>"
    else
        if [[ $secureTokenStatus == ENABLED ]]; then
            echo "<result>$secureTokenStatus $currentUser</result>"
        elif [[ $secureTokenStatus == DISABLED ]]; then
            echo "<result>$secureTokenStatus $currentUser</result>"
        elif [[ $? != 0 ]]; then
            echo "<result>Failed</result>"
        else
            echo "<result>Unknown</result>"
        fi
    fi
else
    echo "<result>Not Eligible</result>"
fi

bearzooka
Contributor

My grain of salt: an Extension Attribute to create a list with all the users that have a Secure Token enabled.

#!/bin/bash

#Secure Token reporter
#Extension attribute that lists the usernames that have an ENABLED Secure Token
#only on machines running 10.13 or later.

OS_MAJOR=$(/usr/bin/sw_vers -productVersion | awk -F . '{print $1}')
OS_MINOR=$(/usr/bin/sw_vers -productVersion | awk -F . '{print $2}')

result=""

function listSecureToken {
  userList=$(dscl . list /Users name | awk '{if (substr($1,1,1) != "_") print $1}')
  for user in $userList; do
    enabledUser=$(sysadminctl -secureTokenStatus $user  2>&1  | awk -v user="$user" '{if ($7=="ENABLED") print user}')
    result=( "${result[@]}" "$enabledUser" )
  done
  if [ ${#result[@]} -eq 0 ]; then
    result="No users have a Secure Token"
  fi
}


if [[ "$OS_MAJOR" -eq 10 && "$OS_MINOR" -ge 13 ]]; then
  listSecureToken
else
  result="Older macOS version."
fi

echo "<result>${result[*]}</result>"

exit 0

It could be useful to create Computer Groups based on the presence or lack of Secure Tokens.

benflewis
New Contributor II

@bearzooka Thank you very much for the EA. We are trying to implement it in our environment. However, when there are no users on the Mac that have SecureToken Enabled, it is returning nothing instead of "No users have a Secure Token". Can you advise what might be the issue?

Thank you in advance.

bearzooka
Contributor

@benflewis Hey Ben… I think you could have some sort of typo on that

echo

line, because I just tested it and I got the expected result. I suggest you run it line by line in your Terminal to see first hand what

echo ${result[*]}

does after running the function.

EddyLara
New Contributor II

We use this script to granted our AdminAccount on Secure Token and Enable for Filevault

#!/bin/bash

currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
userPass="$(sudo -u $currentUser /usr/bin/osascript -e 'Tell application "System Events" to display dialog "Please enter your login password to inititate Encryption Fix:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

secureTokenStatus=$(sysadminctl -secureTokenStatus $currentUser 2>&1 | awk '{print $7}')

if [[ $secureTokenStatus == "DISABLED" ]]; then
    echo "User does not have a Secure Token and cannot be used in Filevault Operations"
    exit 1
fi

dseditgroup -o edit -a $currentUser -t user -T group admin

SECURE_TOKEN_USER="$currentUser"
SECURE_TOKEN_USER_PASS="$userPass"
NEW_SECURE_TOKEN_USER="AdminUser"
NEW_SECURE_TOKEN_USER_PASS="AdminPassword"


# Give local admin user secure token using admin user credentials established as part of Setup Assistant
/usr/sbin/sysadminctl -adminUser $SECURE_TOKEN_USER -adminPassword $SECURE_TOKEN_USER_PASS -secureTokenOn "$NEW_SECURE_TOKEN_USER" -password "$NEW_SECURE_TOKEN_USER_PASS"
/bin/echo $?

PLIST_TEMP=`mktemp PL.XXXXXXX`

cat << EOF > $PLIST_TEMP
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>$currentUser</string>
<key>Password</key>
<string>$userPass</string>
<key>AdditionalUsers</key>
<array>
    <dict>
        <key>Username</key>
        <string>AdminUser</string>
        <key>Password</key>
        <string>AdminPassword</string>
    </dict>
</array>
</dict>
</plist>
EOF

/usr/bin/fdesetup add -inputplist < $PLIST_TEMP -verbose

rm $PLIST_TEMP

dseditgroup -o edit -d $currentUser -t user -T group admin

GregE
Contributor

@benflewis Did you end up working it out? I've got the same:

<result> </result>

Works fine if there are token holders, just appears blank if there isn't.

benflewis
New Contributor II

@GregE Sorry, no, we were not able to get it working. Instead we setup an Advanced search that looked for the attribute matching the regex expression ^$

That returned all the devices where the field was blank. You could use that in a Smart Group.