Reissue FileVault key when current key is invalid & mgmt account IS ENABLED for FV2

stevenjklein
Contributor II

There are plenty of scripts to address this issue when the management account is not enabled for FV2.

Many of our Macs were FV2-encrypted before we got Jamf. And my predecessor made sure to enable his local admin account for FV2 on those Macs, so he could log into them locally.

Now all our Macs are enrolled in Jamf, and we have admin access to FileVault, but the FV2 recovery key isn't escrowed.

It should be possible to fix this without user interaction. If I were sitting in front of one of these Macs, I'd use:

fdesetup changerecovery -personal
sudo jamf recon

In fact, for the machines that are on my LAN, I've just connected over SSH and run those commands. (The first command prompts for a password, so the script will have to listen for the prompt and respond. And I should probably encrypt the password to prevent any users from intercepting it.)

Is there a script that already does this? Again, I'm looking for a script that does NOT require user interaction. Users hate to see things pop up on their desktops.


Hugonaut
Valued Contributor

@stevenjklein Jamf provides a script on GitHub; you can tweak it and make it non-interactive if you have a management account and it is FileVault-enabled.

https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh

Take lines 151 to 179 and change the userName and userPass variables in the script to point to Jamf parameters (in the policy hosting the script) that hold the credentials of your FV2-enabled management account, instead of prompting the user for the password. Pass them securely and the script will then run silently in the background on end users' devices: https://github.com/jamf/Encrypted-Script-Parameters

## Assumed to be set earlier in the script (lines 151-179 of reissueKey.sh); the parameter numbers are an example:
OS=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $2}')   # macOS minor version, e.g. 13 for 10.13
userName="$4"   # Jamf policy parameter: the FV2-enabled management account
userPass="$5"   # Jamf policy parameter: its password (decrypt it first if it is passed encrypted)

if [[ $OS -ge 9 ]] && [[ $OS -lt 13 ]]; then
## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output
## 10.9 - 10.12: fdesetup asks only for the password. The quotes inside the expect
## script must be escaped (\") and each answer is terminated with a carriage return (\r).
result=$(expect -c "
log_user 0
spawn fdesetup changerecovery -personal
expect \"Enter a password for '/', or the recovery key:\"
send {${userPass}}
send \r
log_user 1
expect eof
" >> /dev/null)
elif [[ $OS -ge 13 ]]; then
## 10.13 and later: fdesetup asks for the user name first, then the password
result=$(expect -c "
log_user 0
spawn fdesetup changerecovery -personal
expect \"Enter the user name:\"
send {${userName}}
send \r
expect \"Enter a password for '/', or the recovery key:\"
send {${userPass}}
send \r
log_user 1
expect eof
")
else
echo "OS version not 10.9+ or OS version unrecognized"
echo "$(/usr/bin/sw_vers -productVersion)"
exit 5
fi

Also, don't forget to update the Preboot volume at the end if the machines are APFS:

sudo diskutil apfs updatePreboot /
________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
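
A complete, non-interactive version of the workflow from the original post and this reply, written as an added example (it is not code from the thread, from reissueKey.sh, or from Jamf): decrypt the encrypted Jamf parameter the way the Encrypted-Script-Parameters pattern does, check the OS version, confirm FileVault is on and the management account is FileVault-enabled, run `fdesetup changerecovery -personal`, update the Preboot volume and run `jamf recon`. Everything named here is an assumption: MGMT_USER, SALT and PASSPHRASE are placeholders, the encrypted password is expected in policy parameter $4, and the Username/Password plist keys follow the fdesetup man page. It goes beyond the snippet above in two ways: the version check handles macOS 11+ (where the minor number alone is meaningless), and the credentials are fed to fdesetup on stdin with -inputplist instead of through `expect -c "..."`, so the password never appears in a process argument list that any local user could read with ps.

```shell
#!/bin/bash
# Added example (not the thread's or Jamf's code): reissue a personal FileVault
# recovery key from a Jamf policy, with no user interaction, using a
# management account that is already FileVault-enabled.
#
# Assumptions (placeholders, not values from the original post):
#   - Jamf passes the encrypted management password as script parameter $4,
#     produced with the Encrypted-Script-Parameters pattern:
#       echo "$PASS" | openssl enc -aes256 -a -A -S "$SALT" -k "$PASSPHRASE"
#   - SALT (8 bytes, hex) and PASSPHRASE live in the script; generate your own.
#   - MGMT_USER is the FileVault-enabled local admin account.
MGMT_USER="${MGMT_USER:-mgmtadmin}"   # placeholder account name
SALT="0123456789abcdef"                # placeholder salt
PASSPHRASE="replace-me-passphrase"     # placeholder passphrase

# Decrypt a Jamf encrypted parameter (inverse of the openssl line above).
decrypt_param() {   # $1 encrypted string, $2 salt, $3 passphrase
    printf '%s' "$1" | openssl enc -aes256 -d -a -A -S "$2" -k "$3" 2>/dev/null
}

# Classify a macOS version string: legacy (10.9-10.12), modern (10.13+ and
# 11+), or unsupported. Unlike "$OS = minor number", this copes with 11.x+.
fv_os_bucket() {
    local major rest minor
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$rest" = "$1" ] && minor=0          # no dot at all, e.g. "11"
    case "$major" in
        10)
            if [ "$minor" -ge 13 ] 2>/dev/null; then echo modern
            elif [ "$minor" -ge 9 ] 2>/dev/null; then echo legacy
            else echo unsupported; fi ;;
        1[1-9]|[2-9][0-9]) echo modern ;;
        *) echo unsupported ;;
    esac
}

# Escape the characters that would break the plist if the password contains them.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Is the account listed as a FileVault-enabled user? (fdesetup list prints "user,UUID")
fv_user_enabled() {
    /usr/bin/fdesetup list | cut -d, -f1 | grep -qx "$1"
}

# Reissue the personal recovery key. Credentials go to fdesetup on stdin as a
# plist (-inputplist), so the password is not visible in `ps` the way an
# `expect -c "..."` argument is. $1 user, $2 already xml-escaped password.
reissue_key() {
    /usr/bin/fdesetup changerecovery -personal -inputplist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$1</string>
    <key>Password</key><string>$2</string>
</dict>
</plist>
EOF
}

main() {
    enc_pass="$4"
    [ -n "$enc_pass" ] || { echo "no encrypted password in parameter 4"; exit 1; }
    bucket=$(fv_os_bucket "$(/usr/bin/sw_vers -productVersion)")
    [ "$bucket" != unsupported ] || { echo "unsupported macOS version"; exit 5; }
    /usr/bin/fdesetup status | grep -q "FileVault is On" || { echo "FileVault is not on"; exit 2; }
    fv_user_enabled "$MGMT_USER" || { echo "$MGMT_USER is not FileVault-enabled"; exit 3; }
    pass=$(decrypt_param "$enc_pass" "$SALT" "$PASSPHRASE") || { echo "decrypt failed"; exit 4; }
    # The new key is printed by fdesetup; capture it so it does not land in the
    # policy log. Jamf picks it up through its FileVault escrow profile.
    newkey=$(reissue_key "$MGMT_USER" "$(xml_escape "$pass")") || { echo "changerecovery failed"; exit 6; }
    unset pass newkey
    /usr/sbin/diskutil apfs updatePreboot / >/dev/null 2>&1   # APFS only; harmless otherwise
    /usr/local/bin/jamf recon
}

# Jamf always supplies $1-$3; only run when the custom parameter is present.
if [ -n "${4:-}" ]; then
    main "$@"
fi
```

Run it as a Jamf policy script with parameter 4 set to the encrypted password; the exit codes (1-6) make the policy log show which check failed without ever printing the password or the new recovery key.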

aj618
New Contributor

Thanks to OP for that fix... that was good enough to handle the few cases I had. Didn't need to deploy the fix on a massive scale.