Report on local admin who's FV2 enabled

dpertschi
Valued Contributor

Rolling out FV, and have decided to NOT enable the local admin user as a FV authorized user.

Of course I'll want to search and report on any instance of our local admin being FV enabled. (RANT: that info is easily viewed in the Local User Accounts section, but alas, we cannot report on that info.)

It seemed as though I should be able to get what I want with a search for our config and "FileVault 2 User", but the results are not accurate.

Seriously, do I have to script this to an EA also?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Hmm, I just did a test, and I think the issue has something to do with the local account in combination with the Disk Encryption Configuration.
I say that because my Mac has a local account enabled for FV2 as well as my AD cached mobile account on it. These both show up in the Mac record under the FileVault 2 Enabled Users list. So far so good.
Yet, when I do a search using our Disk Encryption Configuration AND that user for the FileVault 2 User criteria, it pulls up no results. If I switch to my AD account for the 2nd criteria, then it gives me results.
If I remove the Disk Encryption Configuration and only leave the FileVault 2 Enabled User criteria and plop in that local account and search, then it gives my machine as the result.

Somehow it's not seeing that local account as being a valid FileVault 2 User along with the Disk Encryption Configuration, even though the record details show it as such. Maybe it's because I manually added my local account in and didn't do it through the initial FV2 enablement process. I have a feeling that's the issue.

See if searching on only the local admin account name gives you the results you want.

6 REPLIES

dpertschi
Valued Contributor

Bat $hit crazy. Yes, removing the encryption config criteria returned 5 records and they do each show my localadmin FV enabled. Feels dirty, but I can work with that I think.

As always, thanks Mike.

mm2270
Legendary Contributor III

@dpertschi I agree with you, it does seem "dirty". I can't think of a reason using both of those criteria would not be pulling up those Macs. Even if the Disk Encryption Configuration is not directly associated with the local FV2 enabled admin account, you aren't using the parens to tie those 2 criteria together. You're simply asking to see Macs where both of those are true. If the disk config is present AND the local user account is enabled for FV2, then it should be pulling them up in a search.
Frankly, this seems like a bug to me. Unless someone from JAMF can explain why it would work this way.

EDIT: Ah! I just ran another test. You won't believe this, but the order of those criteria makes a difference! Put the FileVault 2 Enabled User in first, THEN the Disk Encryption Configuration. When done like that, it works!

Beats the heck out of me why it would matter, but I can confirm it only pulls up the one Mac that has that exact local account enabled for FV2 AND has our company disk encryption config on it.

scottb
Honored Contributor

We don't use any FV(2) yet, but the FV Value in the top screen shot shows "Standard Encryption" and the lower one is "MC FV2 Mac Encryption". Since I've not even looked at this yet, would searching in the top example be looking for a FV2 setup with Standard Encryption chosen?

Sorry if this is really stupid, but I'm just curious as I've not used it and I see two different criteria shown in this thread. And yes, another example of having info in the JSS we can't create reports on...

mm2270
Legendary Contributor III

@scottb Not a stupid question, but the difference in the screenshots is the difference in how @dpertschi's Disk Encryption Configuration is named (in the JSS) versus how ours is named. I assume his is named "Standard Encryption" hence why his screenshot shows up that way. Ours is not named that way, hence the different name. I used the ellipses button to choose the config from a list. I don't know for sure, but I assume he did the same.
Hope that clears things up.

scottb
Honored Contributor

@mm2270 - cheers for that. Didn't realize that the encryption was named on the JSS seeing the eclipse...
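
The fallback raised in the opening post, scripting the check as an extension attribute, could look like the following. This is an added example, not part of the thread and not Jamf's own code; the account name `localadmin` and the function name `fv_user_status` are assumptions, and it relies on `fdesetup list` printing one `username,UUID` line per FileVault-enabled user.

```shell
#!/bin/sh
# Added example: extension attribute that reports whether one named local
# account is a FileVault 2 enabled user, independent of any Disk Encryption
# Configuration criteria in the search.

# Assumption: the local admin short name; change to match your environment.
LOCAL_ADMIN="${LOCAL_ADMIN:-localadmin}"

# fv_user_status ACCOUNT
# Reads `fdesetup list` style output on stdin (username,UUID per line) and
# prints "Enabled" or "Not Enabled". The comparison is an exact match on the
# first comma-separated field, so "localadmin2" does not count as "localadmin".
# Empty input or an error message (for example when FileVault is off) has no
# matching line and therefore yields "Not Enabled".
fv_user_status() {
    awk -F, -v u="$1" '
        $1 == u { found = 1 }
        END     { print (found ? "Enabled" : "Not Enabled") }
    '
}

# Extension attributes run as root, which `fdesetup list` requires.
# The guard keeps the script harmless on a host without fdesetup.
if command -v fdesetup >/dev/null 2>&1; then
    status=$(fdesetup list 2>/dev/null | fv_user_status "$LOCAL_ADMIN")
    echo "<result>${status}</result>"
fi
```

A smart group or advanced search on this attribute equal to "Enabled" then lists the Macs where the local admin is an authorized FileVault user.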