Force user authentication to start FileVault 2 encryption

roiegat
Contributor III

We have an overlay we put on our customers' machines. When the user first logs in it runs the FileVault 2 Individual policy and puts it on the machine. When the user logs off it forces the authentication.

The issue is that some users rarely log off, and some of those that do have been clicking the cancel button to ignore the authentication.

So we're looking at ways to ensure that encryption gets started to meet our security team's standards. My first thought would be to force a reboot once the policy is run. But that would impede the user experience a bit.

So my next thought would be to see if we can force the authentication without having the user log out or reboot. This way we could push the script daily until we can verify the encryption has started.

Any ideas? What are other companies doing to ensure encryption has started?


mm2270
Legendary Contributor III

We face a similar issue here. Although the majority of our users are good corporate citizens and enable FV2 when prompted, we have a few bad apples that keep clicking Cancel and never enable it. This is a big no-no here as we have to ensure FDE is enabled on our laptop fleets, Mac and Windows.
The thing is, when using the deferred enablement option, the user MUST enter their password at a user initiated logout. You can't really programmatically enable it for them in that mode.

To that end, we have been working on/testing a process for some time now where we can lock a user out of their Mac once logged in if it sees FV2 isn't enabled. Then initiate a log out and ask for the password. It can continue to do this over and over on each login immediately until they enable it and reboot the Mac to complete the process. We still need to work out some kinks with this process though, Mavericks in particular added some additional complexities due to the even more aggressive sandboxing.

roiegat
Contributor III

I think that's what we're going to have to look into as well. Hopefully we can get it approved by our management.

gachowski
Valued Contributor II

I have not fully read this link or tested the script, but I think this is the starting point.

https://jamfnation.jamfsoftware.com/discussion.html?id=9902

C

roiegat
Contributor III

Thanks Gachowski.

Link has some great stuff in there. But essentially if a user wants to cancel all the efforts, they can. Frustrating. But we'll just have to annoy the users with the script on a daily basis until they comply.

gachowski
Valued Contributor II

Yep, that is an Apple issue. I recommend that you open a ticket / reach out to Apple about a zero touch FileVault deployment with Casper. ( that is the title of mine ) : )

I was counting on annoying the crap out of my users until they did comply : )

C

Olivier
New Contributor II

+1 here: we also have users that rarely log off, and that impacts the number of Macs being encrypted.

As we also do some NAC on our network, we might include one day a check to see if FV is enabled and if not, redirect the user to a captive portal to annoy him, or move to guest VLAN because of non-compliant device.

mikevos
New Contributor III

I would like to see the same feature.

The way I force users to enable FileVault now, is the 'Carrot and stick' approach.
Just make sure the users are unable to perform certain tasks / install needed software / configure services until they enable FileVault.
This works for me, so far.

jesseshipley
Contributor

My FDE setup for users is a script that uses a CocoaDialog window to capture their password. It then writes that variable to a plist file to import and enable FileVault with the -inputplist trigger. Once the FileVault process finishes the plist is deleted and I pop up another dialog that asks them to restart. They can cancel if they want but the FileVault encryption is still primed for whenever they restart (i.e. on restart or logout they do not see a popup asking for their password that they can cancel indefinitely). I then have the option to force a reboot on them later if I so choose. If this sounds like something that would be useful to you let me know and I'll post the script.

nkalister
Valued Contributor

I do it the same as Jesse: use CocoaDialog to get the user's password, then use a plist to enable FileVault without a prompt. Only thing to keep in mind is that your individual recovery key (if generated) will NOT be automatically escrowed to your JSS since FileVault wasn't enabled from a Casper policy. I use the FileVault Key Redirect profile to get the individual recovery keys onto our JSS.

MarcosMunoz
New Contributor III

jesseshipley/nkalister - Would you kindly share your script or an example of it, so that we may tailor and implement it in our own environments?

Thanks!

jesseshipley
Contributor

Here is my script. It requires that you use CocoaDialog. I keep it as a required installation item on our machines in the /Applications/Utilities folder.

In this script it pops up asking for the admin password and then the user password. Would be easy to change it so the admin password is hardcoded. The user would never be able to see it but it would be in plaintext in the JSS. Additionally, I've considered building in logic to handle when you make a typo but have just been typing carefully instead. Let me know if you have any questions about it.

#!/bin/bash
# Requires CocoaDialog in /Applications/Utilities; run as root (e.g. from a Casper policy)
CD="/Applications/Utilities/CocoaDialog.app/Contents/MacOS/CocoaDialog"
PLIST="/fdesetupTEMP.plist"

# get admin password (CocoaDialog prints the button number, then the text; keep the text)
adminPassword=$("$CD" secure-standard-inputbox --title "FileVault" \
    --informative-text "Please enter the admin password:" \
    --button1 "Next")
adminPassword=$(tail -n1 <<<"$adminPassword")

# get the currently logged-in user's name and password
user=$(stat -f "%Su" /dev/console)
password=$("$CD" secure-standard-inputbox --title "FileVault" \
    --informative-text "Please enter your password:" \
    --button1 "Restart")
password=$(tail -n1 <<<"$password")

# create the plist for enabling FileVault with the admin account plus the logged-in user.
# It holds both passwords in plaintext, so write it root-only and overwrite any stale copy.
umask 077
cat > "$PLIST" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>admin</string>
    <key>Password</key>
    <string>$adminPassword</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$user</string>
            <key>Password</key>
            <string>$password</string>
        </dict>
    </array>
</dict>
</plist>
EOF

# create a named pipe to feed an indeterminate progress bar
rm -f /tmp/enableFV
mkfifo /tmp/enableFV

# background progress bar that takes its input from the named pipe
"$CD" progressbar --indeterminate --title "Configuring FileVault" \
    --text "Please wait..." < /tmp/enableFV &

# associate file descriptor 3 with the pipe and send a character through it
exec 3<> /tmp/enableFV
echo -n "Please wait..." >&3

# do the actual work and keep fdesetup's exit status
fdesetup enable -inputplist < "$PLIST"
output=$?

# close file descriptor 3 to end the progress bar, wait for it, and clean up
exec 3>&-
wait
rm -f /tmp/enableFV
rm -f "$PLIST"

# map fdesetup's exit status to a message for the user
case "$output" in
    0)
        "$CD" msgbox --title "FileVault" \
            --text "FileVault has been successfully configured" \
            --informative-text "Please restart to complete setup" \
            --button1 "Reboot"
        shutdown -r now
        exit 0
        ;;
    1)  reason="FileVault is Off." ;;
    2)  reason="FileVault appears to be On but Busy." ;;
    11) reason="Authentication error." ;;
    12) reason="Parameter error." ;;
    13) reason="Unknown command error." ;;
    14) reason="Bad command error." ;;
    15) reason="Bad input error." ;;
    16) reason="Legacy FileVault error." ;;
    17) reason="Added users failed error." ;;
    18) reason="Unexpected keychain found error." ;;
    19) reason="Keychain error. This usually means the FileVaultMaster keychain could not be moved or replaced." ;;
    20) reason="Deferred configuration setup missing or error." ;;
    21) reason="Enable failed (Keychain) error." ;;
    22) reason="Enable failed (CoreStorage) error." ;;
    23) reason="Enable failed (DiskManager) error." ;;
    24) reason="Already enabled error." ;;
    25) reason="Unable to remove user." ;;
    26) reason="Unable to change recovery key." ;;
    27) reason="Unable to remove recovery key." ;;
    28) reason="FileVault is either off, busy, or the volume is locked." ;;
    99) reason="Internal error." ;;
    *)  reason="fdesetup exited with unhandled status $output." ;;
esac

"$CD" msgbox --title "FileVault" \
    --text "Sorry, had some trouble." \
    --informative-text "$reason Please configure manually." \
    --button1 "OK"
exit "$output"

nkalister
Valued Contributor

My script isn't substantially different from Jesse's. Also, that's a nice little guide for the different fdesetup error codes in there!

The only thing I do that isn't happening in Jesse's script is checking for the key redirect profile, and installing it if it's not there.
That's done like this:

# look for the Key Redirect profile by its identifier in the installed-profile list
FV2_profile=$(/usr/bin/profiles -P | grep "2F72A341-9835-4727-B166-E95F4A466E35")
if [ -z "$FV2_profile" ]; then
    logger "Key Redirect Profile not found!  Running policy to attempt installation."
    jamf policy -event "fv_key_redirect"
else
    logger "Filevault 2 Key Redirect profile found.  Script will proceed."
fi

The grep value is the profile's identifier, so you'll need to use the UUID for your actual profile.
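One way to do the daily "has encryption actually started?" check the original post asks for, following the same check-then-act pattern as the profile snippet above. This is an added example, not code from anyone in this thread; the `fdesetup status` line formats it parses are assumed from typical output, and the sample transcripts are constructed so the logic can be exercised without a Mac.

```shell
#!/bin/sh
# Classify one `fdesetup status` transcript (passed as a string). Prints one of:
#   on | encrypting:<pct> | decrypting:<pct> | deferred | off | unknown
# Assumed line formats: "FileVault is On.", "FileVault is Off.",
# "Encryption in progress: Percent completed = N", and the deferred-enablement notice.
fv_classify() {
    local text="$1" pct
    # Deferred enablement means the logout prompt (the one users cancel) is still pending
    if printf '%s\n' "$text" | grep -q "Deferred enablement appears to be active"; then
        echo "deferred"; return 0
    fi
    pct=$(printf '%s\n' "$text" | sed -n 's/.*Percent completed = \([0-9.]*\).*/\1/p' | head -n1)
    if printf '%s\n' "$text" | grep -q "^Encryption in progress"; then
        echo "encrypting:${pct:-?}"; return 0
    elif printf '%s\n' "$text" | grep -q "^Decryption in progress"; then
        echo "decrypting:${pct:-?}"; return 0
    elif printf '%s\n' "$text" | grep -q "^FileVault is On\."; then
        echo "on"; return 0
    elif printf '%s\n' "$text" | grep -q "^FileVault is Off\."; then
        echo "off"; return 0
    fi
    echo "unknown"; return 1
}

# Compliance decision: succeed (0) only when encryption is on or underway,
# i.e. the states in which a daily nag policy should stop firing.
fv_compliant() {
    case "$(fv_classify "$1")" in
        on|encrypting:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample transcripts (not captured from a real machine)
SAMPLE_ON="FileVault is On."
SAMPLE_ENCRYPTING=$(printf 'FileVault is On.\nEncryption in progress: Percent completed = 42')
SAMPLE_DEFERRED=$(printf "FileVault is Off.\nDeferred enablement appears to be active for user 'bob'.")

# On a real Mac, report the live state in Jamf extension attribute form so a
# smart group can scope the nag policy to machines that are not yet encrypting.
if [ -x /usr/bin/fdesetup ]; then
    echo "<result>$(fv_classify "$(/usr/bin/fdesetup status)")</result>"
fi
```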