Posted on 09-19-2023 10:49 AM
Hello,
Lately in our environment, our local management account on Mac has lost the ability to log in because it is no longer FileVault-unlockable. When we set up our Macs, we enable FileVault via Jamf's config profile and policy using DEPNotify. Once DEPNotify is complete, we manually run this script to enroll the local management account in FileVault:
#!/bin/bash
# Jamf script parameters: $4 = management account name, $5 = its current password
admin_account="${4}"
admin_password="${5}"
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# sysadminctl writes its status line to stderr; the 7th field is ENABLED or DISABLED
status=$(sysadminctl -secureTokenStatus "${admin_account}" 2>&1 | awk '{print $7}')

if [[ "${status}" == "DISABLED" ]]; then
    # Current console user; this user must already hold a SecureToken in order to grant one
    userName=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    triesCount=0
    while true; do
        ## Prompt for Password
        userPass=$(osascript << EOL
tell application "System Events" to text returned of (display dialog "Please enter your Mac login password to complete configuration of FileVault 2. Contact your IT Support Team if you have any questions. Thank you." default answer "" buttons {"OK"} default button 1 with hidden answer)
EOL
)
        # Verify the password before handing it to sysadminctl/fdesetup
        dscl . authonly "${userName}" "${userPass}" &> /dev/null; resultCode=$?
        if [ "$resultCode" -eq 0 ]; then
            echo "Password Check: PASSED"
            # Grant the management account a SecureToken using the console user's credentials
            sysadminctl -secureTokenOn "${admin_account}" -password "${admin_password}" -adminUser "${userName}" -adminPassword "${userPass}"
            # Feed the plist to fdesetup on stdin instead of writing both passwords to a
            # file in /tmp. Passwords containing XML-special characters (&, <) would need escaping.
            fdesetup add -inputplist << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>${userName}</string>
    <key>Password</key>
    <string>${userPass}</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>${admin_account}</string>
            <key>Password</key>
            <string>${admin_password}</string>
        </dict>
    </array>
</dict>
</plist>
EOF
            break
        else
            # Wrong password: re-prompt, giving up after three failed attempts
            echo "Password Check: WRONG PASSWORD"
            triesCount=$((triesCount+1))
            if [[ ${triesCount} -gt 3 ]]; then
                "${jamfHelper}" -windowType utility -title "FileVault" -heading "FileVault requires your attention" -description "There was a problem validating your password. Please contact IT." -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns" -button1 "OK" -defaultButton 1
                break
            fi
        fi
    done
fi
We are able to see the management account under "sudo fdesetup list". It is after a few days or weeks that the account is no longer in that list.
It is for sure that we do not unenroll this user from FileVault, and users do not have the knowledge to do so, at least not in these large quantities. This even happened on my Mac, where I can guarantee I did not do such a thing.
We do use EasyLaps for this management account. Not sure if that has anything to do with this issue, but it is a detail.
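Added example, not code from the original post, from Jamf or from EasyLAPS: an Extension Attribute-style audit script that reports whether the management account still holds a SecureToken and still appears in `fdesetup list`, so the drift described above shows up in inventory (and can be correlated with password-rotation timing) instead of being discovered at the login window. The parsing is separated from the macOS commands so it can be exercised off a Mac; the account name arriving as Jamf parameter $4, the default name "mgmt", and the sample command output are all assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether a management account
# is still both SecureToken-enabled and FileVault-enabled. Assumed: account name
# arrives as Jamf script parameter $4; "mgmt" is a placeholder default.
ACCOUNT="${4:-mgmt}"

# Return 0 if the account appears in `fdesetup list` output, which is one
# "username,GeneratedUID" line per FileVault-enabled user. The output is passed
# in as a string so the check can run without fdesetup present.
fv_has_user() {
    _account="$1"; _fv_list="$2"
    printf '%s\n' "$_fv_list" | awk -F, -v u="$_account" '$1 == u { found = 1 } END { exit (found ? 0 : 1) }'
}

# Reduce `sysadminctl -secureTokenStatus <user>` output (written to stderr, so
# capture it with 2>&1) to ENABLED, DISABLED or UNKNOWN.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Combine both checks into one EA value. Anything other than "OK" is a
# candidate smart-group trigger for re-running the enrolment script.
assess() {
    _acct="$1"; _list="$2"; _tok_out="$3"
    _token=$(token_state "$_tok_out")
    _fv=no
    if fv_has_user "$_acct" "$_list"; then _fv=yes; fi
    if [ "$_token" = ENABLED ] && [ "$_fv" = yes ]; then
        echo "OK: token=$_token fv=$_fv"
    else
        echo "DRIFT: token=$_token fv=$_fv"
    fi
}

# Constructed sample output (not captured from a real Mac), used when the script
# runs somewhere without fdesetup/sysadminctl so the parsing can still be exercised.
SAMPLE_FV_LIST="jdoe,AAAAAAAA-0000-1111-2222-333333333333
mgmt,BBBBBBBB-0000-1111-2222-333333333333"
SAMPLE_TOKEN_OUT="2023-09-19 10:49:00.000 sysadminctl[4242:98765] Secure token is ENABLED for user mgmt"

if [ "$(uname)" = Darwin ]; then
    fv_list=$(fdesetup list 2>/dev/null)
    token_out=$(sysadminctl -secureTokenStatus "$ACCOUNT" 2>&1)
else
    fv_list="$SAMPLE_FV_LIST"
    token_out="$SAMPLE_TOKEN_OUT"
fi
# Jamf Extension Attribute result format
echo "<result>$(assess "$ACCOUNT" "$fv_list" "$token_out")</result>"
```

Run as root (fdesetup list needs it) on a schedule or as an inventory Extension Attribute; a smart group on any value starting with "DRIFT" gives the first date each Mac lost the account, which is the data point needed to line the loss up against EasyLAPS rotations or other password changes on that account.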