Solved

FileVault User Add script Help



Hi Everyone,

I have been given a script by JAMF to help with adding users to the FileVault list at login via a policy. We have an epic amount of freelancers and they are not always the type to bring the machine back to have themselves enabled; they will then go on a shoot/leave the building and cannot access the machine.

Here is what I got from JAMF:

#!/bin/bash

####################################################################################################
#
# Copyright (c) 2013, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the JAMF Software, LLC nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# Description
# This script was designed to enable the currently logged in user's account the ability to unlock
# a drive that was originally encrypted with the management account using a policy from the JSS.
# The script will prompt the user for their credentials.
#
#   This script was designed to be run via policy at login or via Self Service. The encryption
#   process must be fully completed before this script can be successfully executed.
#
####################################################################################################
#
# HISTORY
#
# -Created by Bryson Tyrrell on November 5th, 2012
# -Updated by Sam Fortuna on July 31, 2013
# -Improved Error Handling
#
####################################################################################################
#
## Self Service policy to add the logged in user to the enabled list
## of FileVault 2 users.

## Pass the credentials for an admin account that is authorized with FileVault 2
adminName=$4
adminPass=$5

if [ "${adminName}" == "" ]; then
    echo "Username undefined. Please pass the management account username in parameter 4"
    exit 1
fi

if [ "${adminPass}" == "" ]; then
    echo "Password undefined. Please pass the management account password in parameter 5"
    exit 2
fi

## Get the logged in user's name
userName=$(logname)

## This first user check sees if the logged in account is already authorized with FileVault 2
userCheck=$(fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}')
if [ "${userCheck}" == "${userName}" ]; then
    echo "This user is already added to the FileVault 2 list."
    exit 3
fi

## Check to see if the encryption process is complete
encryptCheck=$(fdesetup status)
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
    echo "The encryption process has not completed, unable to add user at this time."
    echo "${encryptCheck}"
    exit 4
fi

## Get the logged in user's password via a prompt
echo "Prompting ${userName} for their login password."
userPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

echo "Adding user to FileVault 2 list."

## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output
expect -c "
log_user 0
spawn fdesetup add -usertoadd $userName
expect "Enter the primary user name:"
send ${adminName}
expect "Enter the password for the user '$adminName':"
send ${adminPass}
expect "Enter the password for the added user '$userName':"
send ${userPass}
log_user 1
expect eof
"
## This second user check sees if the logged in account was successfully added to the FileVault 2 list
userCheck=$(fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}')
if [ "${userCheck}" != "${userName}" ]; then
    echo "Failed to add user to FileVault 2 list."
    exit 5
fi

echo "${userName} has been added to the FileVault 2 list."

exit 0

And this is what I am getting from the logs when it runs:

Executing Policy FVUserEnable...
Mounting ldnlwwjss01.emea.corp.ipgnetwork.com to /Volumes/CasperShare...
Running script addCurrentUser.sh...
Script exit code: 5
Script result: Prompting room.one for their login password.
Adding user to FileVault 2 list.

Error: Authentication of FileVault failed.
Failed to add user to FileVault 2 list.

It seems to be failing when trying to return the user password, saying that authentication failed. I have added the admin username and password into the JAMF policy on parameters 4/5, which is where I am assuming that adminName and adminPass are getting their info from.

Any help would be awesome! Thanks!


39 replies

Author · Contributor · October 15, 2014

I forgot to say that we are using Active Directory accounts to log in with....


emily · Employee · October 15, 2014

Is there any reason you don't have the FileVault2 initialization use the Current or Next User for the FV2 user? You can always push a local admin account as another enable user via policy afterwards…


Author · Contributor · October 15, 2014

The current and next user is already enabled, but that only runs on the next current user and not on a rolling setup. We have so many freelancers that it is a huge manual procedure for us to keep following up with them to have their account enabled before they leave the building; we would be getting calls 24/7 for this issue....


Author · Contributor · October 15, 2014

Sorry, just to clarify: this script is run on an already encrypted machine with public keys and institutional keys already pre-defined; it is literally to add the user account to the FileVault enabled users list...


stevewood · Employee · October 15, 2014

@Treger, you said you're using AD for your users; are the users mobile accounts or not? If the user account does not exist on the local machine, FV will not add them. You can check to see if the users are there by simply using dscl to list the users:

dscl . list /Users

I would also verify on one system that the admin user/pass that you are using is in fact working. The error you are receiving, "Authentication of FileVault Failed" sounds more like an admin user/pass issue than an issue with the user.
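The two checks from this post, as an added example (not stevewood's code): functions that take the command output as an argument so they can be run offline against constructed output. The assumed formats are one short name per line for `dscl . list /Users` and `shortname,GeneratedUID` per line for `fdesetup list` (the thread's `awk -F,` relies on that same layout); on a Mac you would pass `"$(dscl . list /Users)"` and `"$(fdesetup list)"`. The function names and the sample output are chosen here.

```shell
#!/bin/bash
# Added example (not from the thread): exact-match checks against the output of
# `dscl . list /Users` and `fdesetup list`, taking that output as an argument so
# the functions can be exercised without a Mac.

# Does the account exist locally?  A mobile AD account only shows up here once it
# has been created on the machine, and fdesetup cannot enable an account that is not here.
user_is_local() {
    local user="$1" dscl_output="$2"
    printf '%s\n' "$dscl_output" | awk -v u="$user" '$0 == u { found = 1 } END { exit !found }'
}

# Is the account already FileVault-enabled?  Field 1 is compared exactly, unlike the
# script's index() substring match, which also fires on names that merely contain
# the user's name (room.one inside room.one2).
user_is_fv_enabled() {
    local user="$1" fdesetup_output="$2"
    printf '%s\n' "$fdesetup_output" | awk -F, -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

# Pre-flight check that says why an add would fail instead of a bare "exit 5".
# Prints one of: no-local-account, already-enabled, ready.
fv_precheck() {
    local user="$1" dscl_output="$2" fdesetup_output="$3"
    if ! user_is_local "$user" "$dscl_output"; then
        echo "no-local-account"; return 1
    fi
    if user_is_fv_enabled "$user" "$fdesetup_output"; then
        echo "already-enabled"; return 2
    fi
    echo "ready"; return 0
}

# Constructed sample output; the UUIDs are placeholders, not real values.
SAMPLE_DSCL='_mbsetupuser
daemon
ladmin
nobody
root
room.one2'
SAMPLE_FDESETUP='ladmin,00000000-0000-0000-0000-000000000001
room.one2,00000000-0000-0000-0000-000000000002'

# Stand-alone run: room.one has never logged in locally, room.one2 is already enabled.
for u in room.one room.one2 root; do
    status=$(fv_precheck "$u" "$SAMPLE_DSCL" "$SAMPLE_FDESETUP") || true
    echo "$u: $status"   # room.one: no-local-account, room.one2: already-enabled, root: ready
done
```

Running `fv_precheck` before the osascript prompt means the policy can tell "account not on this Mac yet" apart from "wrong admin credentials", which are otherwise both reported as a failed add.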


Author · Contributor · October 15, 2014

Hi Steve, yes they are mobile account enabled; however, when I run that command I get <dscl_cmd> DS Error: (eDSUnknownNodeName). I will check the Admin account again, maybe I have put it in the wrong place...


stevewood · Employee · October 15, 2014

If you're getting an error running that dscl command, you might have bigger problems. That command lists the local users on your system and should return a bunch of users.


Author · Contributor · October 15, 2014

Looks like it is re-imaging time... I think I have abused this test machine a little too much.... I re-imaged this morning to start fresh as I was having the same issue yesterday; let me redo it and try again....


Legendary Contributor · October 15, 2014

Be sure you've entered the dscl command in correctly. Make sure you have the spaces in the right locations as Steve posted.
Also, no trailing slash after /Users. Anything not exactly right can generate the DS Error.


Author · Contributor · October 15, 2014

Agh, there, got it: I put an extra / on the end.... DOH!


Author · Contributor · October 15, 2014

Yeah, still the same error. I have now set the parameters within the script on Casper Admin and it is still saying authentication for FileVault failed.... and the user I am using is definitely enabled....


stevewood · Employee · October 15, 2014

I'm assuming you are doing this on a test machine. Have you tried manually running fdesetup to add the user as a test?

fdesetup add -usertoadd <username>

You can then remove the user with:

fdesetup remove <username>

Author · Contributor · October 15, 2014

Ok, I have only been able to add it as root; it's not allowing me to remove it though, saying user not specified. I have even tried through System Prefs and it's not having it....


stevewood · Employee · October 15, 2014

And if you do

fdesetup list

Does it show the user you just added? You should be able to remove that user using either Security pref pane or fdesetup.


Author · Contributor · October 15, 2014

It shows up in the list... but I ran the command again and it still says user not specified. I am typing fdesetup remove test.account, just to confirm...


stevewood · Employee · October 15, 2014

My mistake, I had the syntax wrong:

fdesetup remove -user username

Try that.


Author · Contributor · October 15, 2014

Ahh, good shout, gone now....


Author · Contributor · October 15, 2014

I have substituted the Admin for root now in the script and it's still not having it....


Author · Contributor · October 16, 2014

Question - when I define the parameters in Casper, do they need a " or '? Has anyone got an example for this? I have the labels set fine but I am just concerned about the way I have defined the values...?


stevewood · Employee · October 16, 2014

I think I see where the problem might be. Are these machines all 10.9? I haven't verified this on a 10.8 machine, but on 10.9 your expect statement in the script would be wrong. In this block of code:

echo "Adding user to FileVault 2 list."

## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output
expect -c "
log_user 0
spawn fdesetup add -usertoadd $userName
expect "Enter the primary user name:"
send ${adminName}
expect "Enter the password for the user '$adminName':"
send ${adminPass}
expect "Enter the password for the added user '$userName':"
send ${userPass}
log_user 1
expect eof
"

When you use the command "fdesetup add -usertoadd $userName" the response back by fdesetup is this:

Enter a password for '/', or the recovery key:

So the expect portion should be like this:

echo "Adding user to FileVault 2 list."

## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output
expect -c "
log_user 0
spawn fdesetup add -usertoadd $userName
expect "*?or the recovery key:"
send ${adminPass}
expect "Enter the password for the added user '$userName':"
send ${userPass}
log_user 1
expect eof
"

You'll want to test that out, but I believe that is the right syntax for the expect statement. FV2 does not ask for the admin user, at least not in my environment, it simply asks for the password or recovery key for FV2.

You can test by manually running fdesetup like you did before and watch what the syntax is. When I run fdesetup I get the prompt asking for password or recovery key.
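Why the block fails even with the right prompt text, as an added example (not code from the thread): the inner `"..."` inside `expect -c "..."` closes the outer string, so the shell word-splits the program before expect ever sees it. The block below counts the words each form produces and then shows a form that needs no escaping at all. `count_args`, `args_in_thread_form`, `args_escaped_form` and `expect_program` are names chosen here, and `FV_USER`, `FV_ADMIN_PASS` and `FV_USER_PASS` are environment variable names chosen here, not anything fdesetup or expect defines; the prompt pattern is the 10.9 wording quoted in this post.

```shell
#!/bin/bash
# Added example (not from the thread): how the shell splits the expect -c block
# in the script, and a stdin-fed form that keeps passwords out of the argument list.

count_args() { echo "$#"; }

userName="room.one"   # constructed sample value (the user from the policy log)

# 1. Quoting as in the thread.  The first inner " closes the outer string, so the
#    shell splits the program into separate words.  expect runs only the truncated
#    -c script and then tries to open the next word ("the") as a script file,
#    which is exactly where a 'couldn't read file "the"' error comes from.
args_in_thread_form() {
    count_args "
log_user 0
spawn fdesetup add -usertoadd $userName
expect "Enter the primary user name:"
send ${userName}
log_user 1
expect eof
"
}

# 2. Same program with the inner quotes escaped: one word reaches expect.
#    The \r matters too: send without it types the text but never presses Enter.
args_escaped_form() {
    count_args "
log_user 0
spawn fdesetup add -usertoadd $userName
expect \"Enter the primary user name:\"
send -- \"${userName}\r\"
log_user 1
expect eof
"
}

# 3. Better: keep the expect program free of shell expansion (quoted heredoc) and
#    let expect read the values from its environment via Tcl's env array.  Nothing
#    needs escaping, a password containing quotes or backslashes is sent unchanged,
#    and the passwords never appear in the process argument list (readable by any
#    local user with ps, which is the case for every expect -c "...send pass..." form).
expect_program() {
    cat <<'EOF'
log_user 0
spawn fdesetup add -usertoadd $env(FV_USER)
expect "*?or the recovery key:"
send -- "$env(FV_ADMIN_PASS)\r"
expect "Enter the password for the added user '$env(FV_USER)':"
send -- "$env(FV_USER_PASS)\r"
log_user 1
expect eof
EOF
}

echo "words handed to expect, thread form:  $(args_in_thread_form)"   # 5
echo "words handed to expect, escaped form: $(args_escaped_form)"     # 1
echo "program fed on stdin:"
expect_program
```

In the policy, form 3 replaces the whole `expect -c` block with `expect_program | FV_USER="$userName" FV_ADMIN_PASS="$adminPass" FV_USER_PASS="$userPass" expect -f -` (expect reads the script from standard input when the file name is `-`). Whichever form is used, test it first by running `fdesetup add -usertoadd <username>` by hand, as this post suggests, and copy the exact prompt wording into the `expect` pattern.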


Author · Contributor · October 16, 2014

Hi Steve, thanks for coming back. Yes, they will be 10.9 machines. I have tried this and it has returned on the policy log:

Executing Policy FVUserEnable...
Running script addCurrentUserEdited.sh...
Script exit code: 5
Script result: Prompting room.one for their login password.
Adding user to FileVault 2 list.
couldn't read file "the": no such file or directory
Failed to add user to FileVault 2 list.


Author · Contributor · October 16, 2014

I am assuming that that is an issue with the expect "*?or the recovery key:" part of this; if I substitute that for Enter a password for '/', or the recovery key: do you think that will resolve the issue?


stevewood · Employee · Answer · October 16, 2014

Okay, rather than mess around with expect, you can try doing it the way I've done it, and that is with a plist file instead. Try this script and see if it works for you:

#!/bin/bash

####################################################################################################
#
# Copyright (c) 2013, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the JAMF Software, LLC nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# Description
# This script was designed to enable the currently logged in user's account the ability to unlock
# a drive that was originally encrypted with the management account using a policy from the JSS.
#   The script will prompt the user for their credentials.
#   
#   This script was designed to be run via policy at login or via Self Service. The encryption
#   process must be fully completed before this script can be successfully executed. 
#
####################################################################################################
# 
# HISTORY
#
#   -Created by Bryson Tyrrell on November 5th, 2012
#   -Updated by Sam Fortuna on July 31, 2013
#   -Improved Error Handling
#
####################################################################################################
#
## Self Service policy to add the logged in user to the enabled list
## of FileVault 2 users.

## Pass the credentials for an admin account that is authorized with FileVault 2
adminName=$4
adminPass=$5

if [ "${adminName}" == "" ]; then
echo "Username undefined. Please pass the management account username in parameter 4"
exit 1
fi

if [ "${adminPass}" == "" ]; then
echo "Password undefined. Please pass the management account password in parameter 5"
exit 2
fi

## Get the logged in user's name
userName=`logname`

## This first user check sees if the logged in account is already authorized with FileVault 2
userCheck=`fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}'`
if [ "${userCheck}" == "${userName}" ]; then
echo "This user is already added to the FileVault 2 list."
exit 3
fi

## Check to see if the encryption process is complete
encryptCheck=`fdesetup status`
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
echo "The encryption process has not completed, unable to add user at this time."
echo "${encryptCheck}"
exit 4
fi

## Get the logged in user's password via a prompt
echo "Prompting ${userName} for their login password."
userPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

echo "Adding user to FileVault 2 list."

# create the plist file. It holds both passwords in plaintext, so restrict it to
# the owner (root, when run from a policy) before writing it. A password containing
# an XML special character such as & or < would need escaping first.
umask 077
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>'"$adminName"'</string>
<key>Password</key>
<string>'"$adminPass"'</string>
<key>AdditionalUsers</key>
<array>
    <dict>
        <key>Username</key>
        <string>'"$userName"'</string>
        <key>Password</key>
        <string>'"$userPass"'</string>
    </dict>
</array>
</dict>
</plist>' > /tmp/fvenable.plist

# now enable FileVault
fdesetup add -i < /tmp/fvenable.plist

## clean up straight away, so the credentials do not stay on disk if the add failed
if [[ -e /tmp/fvenable.plist ]]; then
    srm /tmp/fvenable.plist
fi

## This second user check sees if the logged in account was successfully added to the FileVault 2 list
userCheck=`fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}'`
if [ "${userCheck}" != "${userName}" ]; then
echo "Failed to add user to FileVault 2 list."
exit 5
fi

echo "${userName} has been added to the FileVault 2 list."

exit 0
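The same `fdesetup add -i` plist approach with the handling a production policy needs, as an added example (not stevewood's script): the values are XML-escaped (a password containing `&` or `<` would otherwise produce an invalid plist that fdesetup rejects), the file is created with `mktemp` under `umask 077` so it is never world-readable, and it is removed on every exit path, including a failed add. `xml_escape`, `build_fv_plist` and `enable_fv_user` are names chosen here; the plist keys are the ones in the script above, and the credentials in the demo are constructed.

```shell
#!/bin/bash
# Added example (not from the thread): build the plist that `fdesetup add -i`
# reads with escaping, restrictive permissions and guaranteed cleanup.

# Escape the XML special characters; & goes first so the entities introduced by
# the later substitutions are not escaped a second time.
xml_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                             -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Write the plist: credentials of a user who is already FileVault-enabled, plus
# the user to add.  The file holds two plaintext passwords, so it is created in a
# subshell under umask 077 (mode 0600) without changing the caller's umask.
build_fv_plist() {
    admin_name="$1" admin_pass="$2" user_name="$3" user_pass="$4" out="$5"
    (
        umask 077
        cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$admin_name")</string>
    <key>Password</key>
    <string>$(xml_escape "$admin_pass")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$(xml_escape "$user_name")</string>
            <key>Password</key>
            <string>$(xml_escape "$user_pass")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
    )
}

# Run fdesetup against a mktemp'd plist and remove the file on every exit path;
# the script above only deletes it after a successful add.  Returns fdesetup's status.
enable_fv_user() {
    plist=$(mktemp /tmp/fvenable.XXXXXX) || return 1
    trap 'rm -f "$plist"' EXIT
    build_fv_plist "$1" "$2" "$3" "$4" "$plist"
    rc=0
    if command -v fdesetup >/dev/null 2>&1; then
        fdesetup add -i < "$plist" || rc=$?
    else
        echo "fdesetup not available here (not macOS); plist written and discarded" >&2
    fi
    rm -f "$plist"
    return $rc
}

# Stand-alone demo with constructed credentials: write the plist, show it, delete it.
demo=$(mktemp /tmp/fvenable.XXXXXX)
build_fv_plist "ladmin" 'Adm&n<pass>' "room.one" "it's \"secret\"" "$demo"
cat "$demo"
rm -f "$demo"
# In the policy (running as root):  enable_fv_user "$adminName" "$adminPass" "$userName" "$userPass"
```

After `enable_fv_user` returns, the script's existing `fdesetup list` check still decides success; the difference is that nothing with a password in it is left under /tmp on the failure path, and a freelancer whose AD password contains `&` no longer produces a malformed plist.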

Author · Contributor · October 16, 2014

SUCCESS!!! I did the plist option before but it kept overwriting my recovery keys. Thanks so much Steve!! You have saved me a world of hurt!!!


stevewood · Employee · October 16, 2014

Glad it worked. I should have had you try that yesterday. :-)

