Posted on 10-16-2013 03:39 PM
I've thrown this out to the Support folks, and I don't know what sort of answer they will come back with, therefore I'm throwing this out to the community at large.
We use FileVault 2 admin'd by the JSS for our encryption on all of our workstations. We're slow to get updates out because we want to verify them and when an update requires a restart, we're unable to complete a reboot due to filevault. Has anyone run across this solution or a mechanism to pass an fdesetup -authrestart through to an end workstation via policy? The JSS has got the master password, since the JSS kicks off the encryption, but I don't see anyway to automatically initiate that. Thoughts?
Posted on 10-16-2013 09:45 PM
Not sure I get the question, authrestart bypasses the need to enter a password to get past the pre-boot phase, so any users that can login past that should be able to view the system over VNC/ARD etc. You wouldn't need to interact with any master password (by which I'm thinking you mean encryption key.) Pardon if I'm off-base. (I'd also rename this question to 'authrestart usage,' since you're not necessarily in need of bypassing filevault itself, just the post-reboot lock that would occur. Again, sorry if I'm misinterpreting.)
Allister
Posted on 10-18-2013 08:21 AM
If I read correctly, it sounds like they want to do remote pushing of updates but also be able to verify said update has run correctly, thus bypass FV2 pre-boot login. And as Allister said, fdesetup -authrestart should do exactly what you're asking, although it is not supported on every model according to the man page I'm reading.
The first reboot though, to just enable FV2, I think you're going to need some sort of user interaction no matter what IIRC.
Posted on 10-18-2013 08:27 AM
"fdesetup -authrestart should do exactly what you're asking"
But requires passing an authorized username and password in plaintext, so is not really something to embed in a script if you care about security.
And if you are using FileVault 2, we can presume you care (a bit) about security.
Posted on 10-18-2013 08:31 AM
Off Topic tangent ahead
Of course this could also be another case of "checkbox compliance" http://www.darkreading.com/compliance/can-we-cease-check-box-compliance/240153220
Posted on 10-18-2013 09:01 AM
Yes, but fdesetup -authrestart requires knowing a) the primary FileVault 2 account's password, or b) having the Recovery Key, or c) access to the institutional key converted into a keychain. You can't just call it programmatically in an automated way without having some specific information.
Since we can't pull the FV2 Recovery key from the Casper Suite API (it's stored in an encrypted field in the db, so no worky) it doesn't leave many options for automating something like this. And I think automating that as part of an update/maintenance policy is what @easyedc is after here.
Posted on 10-18-2013 06:47 PM
In Mountain Lion, the way to get what @easyedc is after would be to use fdesetup -authrestart. This could be automated with a script that includes feeding a username and password to fdesetup -authrestart. As @gregneagle noted, that'll mean passing a password in plaintext at some point.
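As an added illustration of the scripted approach described in the accepted answer above (this is example code, not something posted in the thread or shipped by JAMF), the script below feeds the FileVault user's credentials to fdesetup through a plist on stdin instead of as command-line arguments, so the password never shows up in `ps` output or a shell history. It assumes the man page syntax, where `authrestart`, `supportsauthrestart` and `-inputplist` are verbs/flags of `/usr/bin/fdesetup` (note the verb itself takes no leading dash), and it reads the credentials from a hypothetical root-only file whose path is taken from `FV_CREDS_FILE` or defaults to `/private/var/root/fv_authrestart_creds`; the `--restart` flag and that file layout (username on line 1, password on line 2) are assumptions of this example. The password is still plaintext at rest in that file, which is exactly the exposure @gregneagle points out; this only narrows where it appears.

```shell
#!/bin/sh
# Added example: authenticated restart with credentials supplied via stdin plist.
# Not from the thread; fdesetup verbs/flags per the macOS man page, the
# credential file layout and the --restart flag are assumptions of this example.

# Escape the XML special characters so an arbitrary password survives inside
# the plist (a password containing & or < would otherwise corrupt the XML).
# Ampersand must be handled first or the later entities get double-escaped.
xml_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' \
                              -e 's/</\&lt;/g' \
                              -e 's/>/\&gt;/g' \
                              -e 's/"/\&quot;/g' \
                              -e "s/'/\&apos;/g"
}

# Emit the plist that fdesetup authrestart -inputplist reads from stdin.
# Keys Username and Password are the ones documented in the fdesetup man page.
build_authrestart_plist() {
    _user=$(xml_escape "$1")
    _pass=$(xml_escape "$2")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$_user</string>
    <key>Password</key>
    <string>$_pass</string>
</dict>
</plist>
EOF
}

# Returns 0 only if this Mac reports support for authenticated restart
# (assumption: fdesetup supportsauthrestart prints "true" or "false").
supports_authrestart() {
    [ "$(/usr/bin/fdesetup supportsauthrestart 2>/dev/null)" = "true" ]
}

# Pipe the plist to fdesetup; the password is never a process argument.
authrestart_from_plist() {
    build_authrestart_plist "$1" "$2" | /usr/bin/fdesetup authrestart -inputplist
}

# Read the FileVault-enabled user's name (line 1) and password (line 2) from a
# root-only file (hypothetical path) so nothing sensitive is embedded here.
main() {
    creds_file="${FV_CREDS_FILE:-/private/var/root/fv_authrestart_creds}"
    if ! supports_authrestart; then
        echo "authenticated restart is not supported on this Mac" >&2
        return 1
    fi
    if [ ! -r "$creds_file" ]; then
        echo "credential file $creds_file is missing or unreadable" >&2
        return 1
    fi
    fv_user=$(sed -n '1p' "$creds_file")
    fv_pass=$(sed -n '2p' "$creds_file")
    authrestart_from_plist "$fv_user" "$fv_pass"
}

# The restart only fires when explicitly requested, so sourcing the file or
# running it without the flag just defines the functions.
if [ "${1:-}" = "--restart" ]; then
    main
fi
```

Run it as root with `--restart` from the policy; keep the credential file mode 0600 and owned by root, and rotate that account's password if the file is ever exposed, since whoever reads it can unlock the disk at pre-boot.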
Posted on 10-21-2013 05:19 AM
I brought this up in a discussion at JNUC last week, and several people chimed in when I posted the question to @rtrouton, and from all my testing, it looks like that would be the only option. I did find out that there is a feature request to add this ability https://jamfnation.jamfsoftware.com/featureRequest.html?id=1255 so I've thrown my 2¢ behind that.
Posted on 10-21-2013 05:41 AM
@easyedc You'll want to direct your FR at Apple, not JAMF. This is a feature that would need to be implemented in authrestart; very little to be done about it by JAMF, I'm afraid.
Edit: On second thought, this could be an automated SSH process similar to how they initiate screen sharing in Remote. Still, I think Apple needs to provide a way.
Posted on 10-21-2013 03:10 PM
Just a thought - Use something like platypus http://sveinbjorn.org/platypus to create an application bundle with an encrypted shell script that does the authrestart with a filevault owner's username/password.