Rebooting and bypassing an encryption login.

CJeffery
New Contributor

Hi,

I would like to add a self service button to reboot a machine which bypasses encryption.

The reason for this is that when performing upgrades/maintenance remotely via Remote Desktop, Casper Remote, etc.,

when rebooting a machine that is encrypted, it will sit at the encryption login screen waiting for a password.

So...

Within Policies I created a new one, making it available as a button in Self Service.

I added the command "sudo shutdown -r now" in Files and Processes.
I also added Restart Options and ticked the box to bypass encryption upon reboot.

The Mac reboots when clicking the button but does not bypass encryption.

So my guess would be that Restart Options are only triggered when installing packages; perhaps it works with scripts? Maybe I should try the above command as a script instead of adding it to Files and Processes?

Any other ideas out there?

9 REPLIES

CJeffery
New Contributor

OK, so Restart Options do seem to be semi-working.

If I set the restart option in those boxes from "immediately" to "restart in 5 min", that applies, but the tick box to allow bypass of the encrypted login doesn't.

dpertschi
Valued Contributor

The Restart Option checkbox 'Perform authenticated restart...' only works if the logged-in user is an authorized FV user.

It will by-pass the FV pre-boot dialog and drop you at the OS login window.

cdev
Contributor III

Your only other option, if you are unable to use the "Perform authenticated restart" option, would be to script it and hard-code the credentials for the machine. From a terminal/script you would run [sudo] "fdesetup authrestart", which then prompts for the password of an authenticated user.

CJeffery
New Contributor

Thanks for the responses.

dpertschi - The user I am logged in as is a FileVault user. Not working for me though; I also tried running the command as a script, hoping that would allow that tick box to trigger.

cdev - I have seen the script to do that, but it would mean I need to set it up for each of the encrypted machines we have in order for it to work.

Thanks.

CJeffery
New Contributor

cdev - fdesetup authrestart, if run in Terminal, asks for a password and reboots bypassing encryption. Brilliant.

However, if I add the script to Self Service it isn't working, as I guess it's waiting for a password in the background which we can't see.

Is there a way I can run a script within Self Service but have it open a dialog box asking for the password?

mm2270
Legendary Contributor III

For running that via Self Service, I suspect you will need to invoke either an AppleScript dialog (or a 3rd-party tool like cocoaDialog) and ask the user for their password, then pass that to an expect-style script. I don't think the fdesetup authrestart command will take input from stdin, as far as I'm aware.
Do some searches here for examples of how to create and use an expect script. There are at least a few threads that discuss this. You may have luck with that.

cdev
Contributor III

There's a couple of options here:

  1. Use expect statements in a shell script to look for those password prompts and then have it automatically enter the password in the background. The issue here is that the password is hard-coded in the script/policy...

  2. Use a tool like CocoaDialog/Pashua/AppleScript to generate the password prompt as a dialogue box, then return this value as a variable to enter into the script using a similar expect statement. Much more adaptable for the future, as the passwords can change/rotate without impacting the script. Challenges – properly escaping special characters in the password.

I would still suggest that the best practice is to use Casper's FV2 Authenticated Restart option – this does require that the Casper management account is authorized for FileVault so that it can do the authenticated reboot, though.

CJeffery
New Contributor

Thanks guys,

They sound a little beyond my level at present.

You're right, Casper's FV2 Authenticated Restart option is my preferred option, but I couldn't get it working.

How would you implement that within a policy? Still using Files and Processes to execute a normal reboot command? Or perhaps instead of "sudo shutdown -r" I could try "sudo fdesetup restart" combined with the Restart Options.

The user is authorized to unlock the machine. They are essentially AD users with mobile accounts, so I have allowed that user to unlock.

mm2270
Legendary Contributor III

@CJeffery I was able to put the following script together, which uses cocoaDialog to ask for the logged in user's password. It assumes they are the FV2 authed user. I was able to test and use this successfully on a 10.11.6 Mac with a local account enabled for FV2. I haven't tested on other OSes like Sierra or older macOS versions, but I expect it should work on at least 10.10.x if not on the current Sierra release.

I even put something in it to recognize when there is an error, meaning the password the user entered wasn't accepted by fdesetup.

#!/bin/bash

## Customize this path to the cocoaDialog executable
cdPath="/Library/Application Support/JAMF/bin/cocoaDialog.app/Contents/MacOS/cocoaDialog"

## Determines location to the FileVault logo to use in the dialog (should work on most recent versions of OS X/macOS)
FV2Icon="$(ls /System/Library/CoreServices/loginwindow.app/Contents/Resources/FileVault_logo.*)"

## Function to run when it detects an error (meaning the wrong password was entered)
function runOnErr ()
{

## Pause 2 seconds in case the restart is just delayed
sleep 2

reAttempt=$("$cdPath" \
    msgbox \
    --title "Authenticated Restart - Error" \
    --text "There was a problem doing the restart" \
    --informative-text "The password you entered was not accepted. Do you want to try again?" \
    --button1 "Try Again" \
    --button2 "Cancel" \
    --posY top \
    --icon info)

if [ "$reAttempt" == "1" ]; then
    askForPassword
elif [ "$reAttempt" == "2" ]; then
    echo "User canceled or exited the dialog"
    exit 0
fi

}

## Function to run once a password is captured to attempt the authrestart
function authRestart ()
{

## The following expect HEREDOC will interact with the fdesetup prompt to enter the user's password from the askForPassword function
## If entered correctly, the Mac will reboot and use fdesetup authrestart
## Note: the heredoc is unquoted, so ${userPass} is expanded by the shell into the expect script;
## passwords containing characters such as double quotes, $, [ or \ may need escaping before this works

/usr/bin/expect <<EOD
spawn fdesetup authrestart
expect "Enter a password for '/', or the recovery key:"
send "${userPass}\r"
expect eof
EOD

## At this point, if the password entered was correct, the Mac auto reboots

## Wait one second
sleep 1

## Run this function if possible, which would only be in case of incorrect password entered
runOnErr

}

## First function to run to capture the user password with a cocoaDialog secure input window
function askForPassword ()
{

userPass=$("$cdPath" \
    secure-inputbox \
    --title "Authenticated Restart" \
    --label "Enter your account password" \
    --text "" \
    --button1 "Enter" \
    --button2 "Cancel" \
    --posY top \
    --value-required \
    --empty-text "You must enter a password before clicking Enter" \
    --icon-file "$FV2Icon" \
    --quiet)

if [ ! -z "$userPass" ]; then
    authRestart
else
    echo "User canceled or exited the dialog"
    exit 0
fi

}

## Start with asking for the user's password
askForPassword

You can give this a try and see if it works for you. All that said, IF you are using the Jamf Pro management user enabled for FV2 as well, the better option is to use the authenticated restart option in a policy (under "Restart Options") provided by Jamf, since it doesn't involve prompting for and capturing passwords, and relying on fragile expect script statements.
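An added example, not code from this thread or from Jamf: it runs the preflight checks the thread turned out to hinge on (FileVault on, authrestart supported, the console user actually FileVault-enabled) and hands the password to expect through the environment rather than splicing it into the expect script, which removes the special-character escaping problem cdev raised. It assumes the same fdesetup prompt text mm2270's script expects, and the constructed `fdesetup list` sample in the usage note; the user-list parser runs anywhere, the fdesetup calls only on a Mac.

```shell
#!/bin/bash
# Added example, not code from the thread. Preflight checks for fdesetup authrestart
# plus an expect call that never parses the password as shell or Tcl code.

# Returns 0 when USER appears as FileVault-enabled in `fdesetup list` output on stdin
# (one "username,UUID" line per enabled user). Exact field match, so no regex escaping.
fv_user_enabled() {
    awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Checks, before asking for any password, the conditions dpertschi and cdev described:
# FileVault is on, this Mac supports authrestart, and the user is an enabled FV user.
preflight() {
    local user="$1"
    fdesetup status | grep -q '^FileVault is On' || { echo "FileVault is not on"; return 1; }
    [ "$(fdesetup supportsauthrestart)" = "true" ] || { echo "authrestart unsupported"; return 1; }
    fdesetup list | fv_user_enabled "$user" || { echo "$user is not FileVault-enabled"; return 1; }
}

# Runs the authenticated restart. The password reaches expect via the environment and is
# read with $env(USER_PASS); the heredoc is quoted, so neither the shell nor Tcl ever sees
# the password as code and quotes, $, [ or \ in it need no escaping. The secret still sits
# in the child's environment, so this remains second-best to Jamf's native
# "Perform authenticated restart" option, which never handles a password at all.
auth_restart() {
    USER_PASS="$1" /usr/bin/expect <<'EOD'
spawn fdesetup authrestart
expect "Enter a password for '/', or the recovery key:"
send -- "$env(USER_PASS)\r"
expect eof
EOD
}

# Entry point, only when invoked as `script.sh --run` on a Mac. In Self Service the
# `read` would be replaced by a cocoaDialog secure-inputbox as in mm2270's script.
if [ "${1-}" = "--run" ]; then
    console_user="$(stat -f %Su /dev/console)"
    preflight "$console_user" || exit 1
    printf 'Password for %s: ' "$console_user"; read -rs pw; echo
    auth_restart "$pw"
fi
```

With a constructed `fdesetup list` output such as `admin,1A2B3C4D-1111-2222-3333-444444444444` and `alice,5E6F7A8B-...` on stdin, `fv_user_enabled alice` succeeds and `fv_user_enabled ali` fails, so a near-miss account name cannot pass the check.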