how to check if a mac has filevault 2 enabled?

tranatisoc
New Contributor II

Hi - is the best option to determine if a mac is filevault 2 encrypted using an EA with this command:

fdesetup status ?

thanks.


mottertektura
Contributor

Here's the EA that I'm using. I've pieced this together from both EAs that Rich Trouton created.

#!/bin/bash

CORESTORAGESTATUS="/private/tmp/corestorage.txt"
ENCRYPTSTATUS="/private/tmp/encrypt_status.txt"
ENCRYPTDIRECTION="/private/tmp/encrypt_direction.txt"

osvers_major=$(sw_vers -productVersion | awk -F. '{print $1}')
osvers_minor=$(sw_vers -productVersion | awk -F. '{print $2}')

# Checks to see if the OS on the Mac is 10.x.x. If it is not, the 
# following message is displayed without quotes:
#
# "Unknown Version Of Mac OS X"

if [[ ${osvers_major} -ne 10 ]]; then
  echo "<result>Unknown Version Of Mac OS X</result>"
fi

# Checks to see if the OS on the Mac is 10.7 or higher.
# If it is not, the following message is displayed without quotes:
#
# "FileVault 2 Encryption Not Available For This Version Of Mac OS X"

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -lt 7 ]]; then
  echo "<result>FileVault 2 Encryption Not Available For This Version Of Mac OS X</result>"
fi

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 7 ]] && [[ ${osvers_minor} -lt 13 ]]; then
  diskutil cs info / >> $CORESTORAGESTATUS 2>&1

    # If the Mac is running 10.7 through 10.12, but the boot volume
    # is not a CoreStorage volume, the following message is 
    # displayed without quotes:
    #
    # "FileVault 2 Encryption Not Enabled"

    if grep -iE '/ is not a CoreStorage disk' $CORESTORAGESTATUS 1>/dev/null; then
       echo "<result>FileVault 2 Encryption Not Enabled</result>"
       rm -f "$CORESTORAGESTATUS"
       exit 0
    fi

    # If the Mac is running 10.7 through 10.12 and the boot volume
    # is a CoreStorage volume, the script then checks to see if 
    # the machine is encrypted, encrypting, or decrypting.
    # 
    # If encrypted, the following message is 
    # displayed without quotes:
    # "FileVault 2 Encryption Complete"
    #
    # If encrypting, the following message is 
    # displayed without quotes:
    # "FileVault 2 Encryption Proceeding."
    # How much has been encrypted out of the total
    # amount of space is also displayed. If the
    # amount of encryption is for some reason not
    # known, the following message is 
    # displayed without quotes:
    # "FileVault 2 Encryption Status Unknown. Please check."
    #
    # If decrypting, the following message is 
    # displayed without quotes:
    # "FileVault 2 Decryption Proceeding"
    # How much has been decrypted out of the total
    # amount of space is also displayed
    #
    # If fully decrypted, the following message is 
    # displayed without quotes:
    # "FileVault 2 Decryption Complete"
    #

    # Get the Logical Volume UUID (aka "UUID" in diskutil cs info)
    # for the boot drive's CoreStorage volume.

    LV_UUID=$(diskutil cs info / | awk '/UUID/ {print $2;exit}')

    # Get the Logical Volume Family UUID (aka "Parent LVF UUID" in diskutil cs info)
    # for the boot drive's CoreStorage volume.

    LV_FAMILY_UUID=$(diskutil cs info / | awk '/Parent LVF UUID/ {print $4;exit}')

    CONTEXT=$(diskutil cs list "$LV_FAMILY_UUID" | awk '/Encryption Context/ {print $3;exit}')

    # 10.7 and 10.8 report progress on a "Size (Converted)" line; 10.9 and later
    # report it on a "Conversion Progress" line. The parentheses in the awk
    # patterns are escaped so they match literally instead of acting as grouping.

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -eq 7 || ${osvers_minor} -eq 8 ]]; then
        CONVERTED=$(diskutil cs list "$LV_UUID" | awk '/Size \(Converted\)/ {print $5,$6;exit}')
    fi

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 9 ]]; then
        CONVERTED=$(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}')
    fi

    ENCRYPTIONEXTENTS=$(diskutil cs list "$LV_FAMILY_UUID" | awk '/Has Encrypted Extents/ {print $4;exit}')
    ENCRYPTION=$(diskutil cs list "$LV_FAMILY_UUID" | awk '/Encryption Type/ {print $3;exit}')
    SIZE=$(diskutil cs list "$LV_UUID" | awk '/Size \(Total\)/ {print $5,$6;exit}')

    # This section does 10.7-specific checking of the Mac's
    # FileVault 2 status

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -eq 7 ]]; then
      if [ "$CONTEXT" = "Present" ]; then
        if [ "$ENCRYPTION" = "AES-XTS" ]; then
          diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $3;exit}' >> "$ENCRYPTSTATUS"
          if grep -iE 'Complete' "$ENCRYPTSTATUS" 1>/dev/null; then
            echo "<result>FileVault 2 Encryption Complete</result>"
          elif grep -iE 'Converting' "$ENCRYPTSTATUS" 1>/dev/null; then
            diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Direction/ {print $3;exit}' >> "$ENCRYPTDIRECTION"
            if grep -iE 'Forward' "$ENCRYPTDIRECTION" 1>/dev/null; then
              echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
            else
              echo "<result>FileVault 2 Encryption Status Unknown. Please check.</result>"
            fi
          fi
        elif [ "$ENCRYPTION" = "None" ]; then
          diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Direction/ {print $3;exit}' >> "$ENCRYPTDIRECTION"
          if grep -iE 'Backward' "$ENCRYPTDIRECTION" 1>/dev/null; then
            echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
          elif grep -iE '-none-' "$ENCRYPTDIRECTION" 1>/dev/null; then
            echo "<result>FileVault 2 Decryption Completed</result>"
          fi
        fi
      fi
    fi

    # This section does checking of the Mac's FileVault 2 status
    # on 10.8.x through 10.10.x

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 8 ]] && [[ ${osvers_minor} -lt 11 ]]; then
      if [[ "$ENCRYPTIONEXTENTS" = "No" ]]; then
        echo "<result>FileVault 2 Encryption Not Enabled</result>"
      elif [[ "$ENCRYPTIONEXTENTS" = "Yes" ]]; then
        diskutil cs list "$LV_FAMILY_UUID" | awk '/Fully Secure/ {print $3;exit}' >> "$ENCRYPTSTATUS"
        if grep -iE 'Yes' "$ENCRYPTSTATUS" 1>/dev/null; then
          echo "<result>FileVault 2 Encryption Complete</result>"
        elif grep -iE 'No' "$ENCRYPTSTATUS" 1>/dev/null; then
          diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Direction/ {print $3;exit}' >> "$ENCRYPTDIRECTION"
          if grep -iE 'forward' "$ENCRYPTDIRECTION" 1>/dev/null; then
            echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
          elif grep -iE 'backward' "$ENCRYPTDIRECTION" 1>/dev/null; then
            echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
          elif grep -iE '-none-' "$ENCRYPTDIRECTION" 1>/dev/null; then
            echo "<result>FileVault 2 Decryption Completed</result>"
          fi
        fi
      fi
    fi

    # This section does checking of the Mac's FileVault 2 status
    # on 10.11.x through 10.12.x

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 11 ]] && [[ ${osvers_minor} -lt 13 ]]; then
      if [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "" ]]; then
        echo "<result>FileVault 2 Encryption Not Enabled</result>"
      elif [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "Complete" ]]; then
        echo "<result>FileVault 2 Decryption Completed</result>"
      elif [[ "$ENCRYPTION" = "AES-XTS" ]]; then
        diskutil cs list "$LV_FAMILY_UUID" | awk '/High Level Queries/ {print $4,$5;exit}' >> "$ENCRYPTSTATUS"
        if grep -iE 'Fully Secure' "$ENCRYPTSTATUS" 1>/dev/null; then
          echo "<result>FileVault 2 Encryption Complete</result>"
        elif grep -iE 'Not Fully' "$ENCRYPTSTATUS" 1>/dev/null; then
          # "Conversion Status: Converting (forward)" has a fourth field; "Conversion Status: Complete" does not
          if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') != "" ]]; then
            diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}' >> "$ENCRYPTDIRECTION"
            if grep -iE 'forward' "$ENCRYPTDIRECTION" 1>/dev/null; then
              echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
            elif grep -iE 'backward' "$ENCRYPTDIRECTION" 1>/dev/null; then
              echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
            fi
          elif [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $3;exit}') == "Complete" ]]; then
            echo "<result>FileVault 2 Decryption Completed</result>"
          fi
        fi
      fi
    fi

fi # end of the 10.7 through 10.12 (CoreStorage) section

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 13 ]]; then

# If the OS on the Mac is 10.13 or higher, check to see if the
# boot drive is formatted with APFS or HFS+

# The parentheses are escaped so awk matches the literal "Type (Bundle)" line,
# which reports "apfs" or "hfs" for the boot volume.
boot_filesystem_check=$(/usr/sbin/diskutil info / | awk '/Type \(Bundle\)/ {print $3}')

# If the drive is formatted with APFS, the fdesetup tool will
# be available and is able to display the encryption status.

    if [[ "$boot_filesystem_check" = "apfs" ]]; then

    # If encrypted, the following message is 
    # displayed without quotes:
    # "FileVault is On."
    #
    # If encrypting, the following message is 
    # displayed without quotes:
    # "Encryption in progress:"
    # How much has been encrypted out of the total
    # amount of space is also displayed.
    #
    # If decrypting, the following message is 
    # displayed without quotes:
    # "Decryption in progress:"
    # How much has been decrypted out of the total
    # amount of space is also displayed
    #
    # If not encrypted, the following message is 
    # displayed without quotes:
    # "FileVault is Off."

    # Capture the fdesetup output once. A separate variable is used so the
    # ENCRYPTSTATUS temp-file path set at the top of the script is not overwritten.
    FDE_STATUS=$(fdesetup status)
    if [[ -z $(echo "$FDE_STATUS" | awk '/Encryption in progress|Decryption in progress/') ]]; then
        # Not converting: the first line is "FileVault is On." or "FileVault is Off."
        echo "<result>$(echo "$FDE_STATUS" | head -1)</result>"
    else
        # Converting: the last line carries the progress message
        echo "<result>$(echo "$FDE_STATUS" | tail -1)</result>"
    fi
    fi

    if [[ "$boot_filesystem_check" = "hfs" ]]; then
    diskutil cs info / >> $CORESTORAGESTATUS 2>&1
        if grep -iE '/ is not a CoreStorage disk' $CORESTORAGESTATUS 1>/dev/null; then
            echo "<result>FileVault 2 Encryption Not Enabled</result>"
            rm -f "$CORESTORAGESTATUS"
            exit 0
        fi
        # If the Mac is running 10.7 or higher and the boot volume
        # is a CoreStorage volume, the script then checks to see if 
        # the machine is encrypted, encrypting, or decrypting.
        # 
        # If encrypted, the following message is 
        # displayed without quotes:
        # "FileVault 2 Encryption Complete"
        #
        # If encrypting, the following message is 
        # displayed without quotes:
        # "FileVault 2 Encryption Proceeding."
        # How much has been encrypted out of the total
        # amount of space is also displayed. If the
        # amount of encryption is for some reason not
        # known, the following message is 
        # displayed without quotes:
        # "FileVault 2 Encryption Status Unknown. Please check."
        #
        # If decrypting, the following message is 
        # displayed without quotes:
        # "FileVault 2 Decryption Proceeding"
        # How much has been decrypted out of the total
        # amount of space is also displayed
        #
        # If fully decrypted, the following message is 
        # displayed without quotes:
        # "FileVault 2 Decryption Complete"
        #

        # Get the Logical Volume UUID (aka "UUID" in diskutil cs info)
        # for the boot drive's CoreStorage volume.

        LV_UUID=$(diskutil cs info / | awk '/UUID/ {print $2;exit}')

        # Get the Logical Volume Family UUID (aka "Parent LVF UUID" in diskutil cs info)
        # for the boot drive's CoreStorage volume.

        LV_FAMILY_UUID=$(diskutil cs info / | awk '/Parent LVF UUID/ {print $4;exit}')

        CONTEXT=$(diskutil cs list "$LV_FAMILY_UUID" | awk '/Encryption Context/ {print $3;exit}')

        CONVERTED=$(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}')

        ENCRYPTIONEXTENTS=$(diskutil cs list "$LV_FAMILY_UUID" | awk '/Has Encrypted Extents/ {print $4;exit}')
        ENCRYPTION=$(diskutil cs list "$LV_FAMILY_UUID" | awk '/Encryption Type/ {print $3;exit}')
        # Parentheses escaped so awk matches the literal "Size (Total)" line
        SIZE=$(diskutil cs list "$LV_UUID" | awk '/Size \(Total\)/ {print $5,$6;exit}')

    # This section does checking of the Mac's FileVault 2 status if the boot drive is formatted with HFS+

        if [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "" ]]; then
            echo "<result>FileVault 2 Encryption Not Enabled</result>"
        elif [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "Complete" ]]; then
            echo "<result>FileVault 2 Decryption Completed</result>"
        elif [[ "$ENCRYPTION" = "AES-XTS" ]]; then
            diskutil cs list $LV_FAMILY_UUID | awk '/High Level Queries/ {print $4,$5;exit}' >> $ENCRYPTSTATUS
            if grep -iE 'Fully Secure' $ENCRYPTSTATUS 1>/dev/null; then 
                echo "<result>FileVault 2 Encryption Complete</result>"
            else
                if grep -iE 'Not Fully' $ENCRYPTSTATUS 1>/dev/null; then
                    if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') != "" ]]; then 
                    diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Status/ {print $4;exit}' >> $ENCRYPTDIRECTION
                        if grep -iE 'forward' $ENCRYPTDIRECTION 1>/dev/null; then
                            echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
                        elif grep -iE 'backward' $ENCRYPTDIRECTION 1>/dev/null; then
                            echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
                        fi
                    elif [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') == "" ]]; then
                        if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $3;exit}') == "Complete" ]]; then
                            echo "<result>FileVault 2 Decryption Completed</result>"
                        fi
                    fi
                fi
            fi  
        fi
    fi

    # The boot volume is neither APFS nor HFS+ (CoreStorage), so neither check above ran.
    if [[ "$boot_filesystem_check" != "apfs" ]] && [[ "$boot_filesystem_check" != "hfs" ]]; then
        echo "<result>Unknown filesystem.</result>"
    fi
fi

# Remove the temp files created during the script

if [ -f "$CORESTORAGESTATUS" ]; then
   rm -f "$CORESTORAGESTATUS"
fi

if [ -f "$ENCRYPTSTATUS" ]; then
   rm -f "$ENCRYPTSTATUS"
fi

if [ -f "$ENCRYPTDIRECTION" ]; then
   rm -f "$ENCRYPTDIRECTION"
fi

exit 0

tranatisoc
New Contributor II

wow, thanks. pretty extensive!

AVmcclint
Honored Contributor

@tranatisoc If you want a simple yes or no from the EA, then yeah you can build an EA from that basic fdesetup status command. If you want more extensive results, then @mottertektura's script is the way to go.
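As an added example (not code from this thread, from Jamf, or from Rich Trouton), here is what the "simple yes or no" extension attribute built on `fdesetup status` can look like when it still accounts for the in-progress and deferred cases. The parsing is kept in a function that takes the `fdesetup` text as its argument, so the block runs on any machine with constructed sample output; the real command is only run when `/usr/bin/fdesetup` exists. The message formats (`FileVault is On.`, `Encryption in progress: Percent completed = N.`, the deferred-enablement notice) are assumed from memory of the tool's output, so verify them against a Mac in your fleet before relying on the exact strings.

```shell
#!/bin/bash
# Added example, not from the thread: a minimal Jamf extension attribute
# built on "fdesetup status" (10.13+/APFS), following AVmcclint's suggestion.

# Reduce the text of "fdesetup status" to one state token:
#   On, Off, Deferred, "Encrypting N%", "Decrypting N%", or Unknown.
# The in-progress cases are tested first because fdesetup still prints
# "FileVault is On." as its first line while conversion is running.
fv_state() {
    local status="$1"
    case "$status" in
        *"Encryption in progress"*)
            printf 'Encrypting %s%%\n' "$(fv_percent "$status")" ;;
        *"Decryption in progress"*)
            printf 'Decrypting %s%%\n' "$(fv_percent "$status")" ;;
        *"Deferred enablement"*)
            # "FileVault is Off." plus a deferred-enablement notice: the disk
            # is still cleartext until the user's next login, so not "On".
            printf 'Deferred\n' ;;
        *"FileVault is On."*)  printf 'On\n' ;;
        *"FileVault is Off."*) printf 'Off\n' ;;
        *)                     printf 'Unknown\n' ;;
    esac
}

# Pull the integer percentage out of a line such as
# "Encryption in progress: Percent completed = 37." (line format assumed).
# Prints "?" when no percentage is present so the result stays readable.
fv_percent() {
    local pct
    pct=$(printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${pct:-?}"
}

# Boolean view for a smart group: true only once encryption has fully completed.
fv_is_encrypted() {
    case "$(fv_state "$1")" in
        On) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample output, standing in for fdesetup on a Mac mid-encryption.
SAMPLE_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 37.'

# On a real Mac, emit the EA result; elsewhere, show the parser on the sample.
if [ -x /usr/bin/fdesetup ]; then
    printf '<result>%s</result>\n' "$(fv_state "$(/usr/bin/fdesetup status 2>/dev/null)")"
else
    printf '<result>%s</result>\n' "$(fv_state "$SAMPLE_ENCRYPTING")"
fi
```

Paste the block as the EA script and build the smart group on the returned token; `Encrypting N%` and `Deferred` are the states that would otherwise be misread as "On" if only the first line of `fdesetup status` were reported.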

Br3ck
New Contributor III

This is built into JAMF, no need to reinvent the wheel.
