Hello,
We are using FileVault2 on all our clients. During the onboarding process we create a local service account, which is also enabled for FileVault of course. When a new user logs in for the first time with his Active Directory credentials, the account will be created locally on the Mac (Mobile Account).
Our problem: After that, the user has to be enabled for FileVault manually, which causes a lot of unnecessary workload.
I tried to automate this with a script:
#!/bin/bash
#############################################################################################################
# This script will add a new logged-in user to the FileVault enabled list, using the JSS.                   #
#                                                                                                           #
# by Marco Kolbas | Greentube I.E.S. GmbH | mkolbas@greentube.com                                           #
#                                                                                                           #
# Vers. 1.0 // July 2017                                                                                    #
#                                                                                                           #
#############################################################################################################
# This discovers the current (console) user
currentuser=$(stat -f%Su /dev/console)
# AppleScript that asks the user for their password with hidden input
read -r -d '' password <<'EOF'
set dialogText to text returned of (display dialog "Please enter your password to enable the FileVault Disk Encryption for your user. ATTENTION! If you cancel this process, you won't be able to boot this client!" default answer "" with hidden answer)
return dialogText
EOF
# Check whether the user is already in the FileVault enabled list
status=$(sudo fdesetup list | grep -F "$currentuser")
if [ "$status" != "" ]
then
    echo "Nothing to do. User already enabled for FileVault."
else
    # Run the dialog as the logged-in user and capture the entered password
    password=$(sudo -u "$currentuser" /usr/bin/osascript -e "$password")
    # $4 is passed in as a JSS script parameter; it and the user's password are
    # fed to fdesetup's prompts on stdin, one per line
    printf '%s\n' "$4" "$password" | sudo fdesetup add -usertoadd "$currentuser"
    echo "User $currentuser has been activated for FileVault Disk Encryption."
fi
exit 0
The idea was to run this script "Once per user per computer". The problem is, the script is executed by root, and I always got the error message "No User interaction allowed". If I modify the script to run the command as currentuser, I get the error message "Needs to be run as root"...
I would be really happy about any kind of input to this problem!
Thanks!
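One way to get around both errors, as an added example that is not the poster's script: keep the script running as root (which fdesetup requires), but launch the password dialog inside the console user's own GUI session with launchctl asuser, and hand fdesetup a plist on stdin via -inputplist instead of answering its prompts. The $4/$5 parameter slots, the exact-match list check and the dialog wording are assumptions made here.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes it runs as root under the
# management agent and that the FileVault-enabled service account's name and
# password arrive as script parameters $4 and $5 (hypothetical parameter slots).
SVC_USER=$4
SVC_PASS=$5
# Escape a value for use inside an XML plist text node.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}
# Return 0 if $2 appears as an exact user name in `fdesetup list` output ($1,
# one "name,UUID" line per user); grep -F would also match "bob" inside "bobby".
fv_user_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}
# Build the plist that `fdesetup add -inputplist` reads from stdin, so neither
# password shows up as a process argument or in an interactive prompt.
fv_add_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Username</key><string>$(xml_escape "$1")</string>
<key>Password</key><string>$(xml_escape "$2")</string>
<key>AdditionalUsers</key><array><dict>
<key>Username</key><string>$(xml_escape "$3")</string>
<key>Password</key><string>$(xml_escape "$4")</string>
</dict></array>
</dict></plist>
EOF
}
# Show the dialog inside the console user's own GUI session: root calling
# osascript directly is what produces "No user interaction allowed".
prompt_user_password() {
    launchctl asuser "$(id -u "$1")" sudo -u "$1" /usr/bin/osascript -e \
        'text returned of (display dialog "Enter your login password to enable FileVault for your account." default answer "" with hidden answer)'
}
enable_console_user() {
    user=$(stat -f%Su /dev/console)
    if fv_user_enabled "$(fdesetup list)" "$user"; then
        echo "Nothing to do: $user is already enabled for FileVault."
        return 0
    fi
    userpass=$(prompt_user_password "$user") || return 1
    fv_add_plist "$SVC_USER" "$SVC_PASS" "$user" "$userpass" | fdesetup add -usertoadd "$user" -inputplist
}
```

Call enable_console_user at the end of the script when deploying it; the plist never touches disk, and the passwords do not appear in the process list the way they would as printf or fdesetup arguments.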