Script to sync Filevault 2 and Active directory passwords

al786
New Contributor III

I'm hoping to make a Self Service script with OSAscript callouts/dialogs to make it easier for users to sync their FV2 and AD passwords. The script successfully passes the value of the "shortname" to the first command, but the add command has 2-3 pop-ups and when run through Self Service nothing happens.

#!/bin/bash

# Ask for the short name of the account whose FileVault password should be re-synced
USERNAME=$(osascript -e 'set T to text returned of (display dialog "Enter shortname of User to Sync FV2" buttons {"Cancel", "OK"} default button "OK" default answer "")')

fdesetup remove -user "$USERNAME"

sleep 5

# fdesetup add prompts interactively for passwords, which Self Service cannot answer
fdesetup add -usertoadd "$USERNAME"


boberito
Valued Contributor

https://github.com/boberito/jamfscripts/blob/master/FV%20-%20FileVaultFix.sh

This should do the trick. You need the expect command to pass some info through to fdesetup.

#!/bin/sh

###################################################################
#: Date Created  : (October 25th, 2018)
#: Author        : Bob Gendler
#
# Add the admin user and password as parameters 4 and 5 of the script in Jamf.
# This must be an already FileVault-enabled account.
#
###################################################################

adminuser="${4}"
adminpass="${5}"

# Paths contain spaces, so they are quoted through variables below
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
errorIcon="/System/Library/CoreServices/Problem Reporter.app/Contents/Resources/ProblemReporter.icns"
fvIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns"

# Console (logged-in) user via SystemConfiguration; empty at the login window
loggedInUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
# Dialog output is "button returned:Continue, text returned:<password>", so field 3 on ':' is the password
userpassword=$(osascript -e 'display dialog "Please enter your login password." default answer "" with icon stop buttons {"Cancel", "Continue"} default button "Continue" with hidden answer' | awk -F ':' '{print $3}')

if ! fdesetup list | grep -q "${adminuser}"; then
    "$jamfHelper" -windowType utility -title "User not found" -description "The ${adminuser} account is not FileVault enabled. That account must be enabled before continuing." -button1 "Ok" -defaultButton 1 -icon "$errorIcon"
    exit 0
fi

fdesetup remove -user "${loggedInUser}"

if [ "$?" != "0" ]; then
    "$jamfHelper" -windowType utility -title "An Error Occurred" -description "An error occurred with your account and FileVault. Please contact your Tech Support." -button1 "Ok" -defaultButton 1 -icon "$errorIcon"
    echo "User not removed successfully from FileVault"
    exit 1
else
    echo "User successfully removed from FileVault"
fi

# Debug line from the original; commented out because it writes all four values,
# both passwords included, to the policy log in clear text.
# echo "${loggedInUser}" "${adminuser}" "${adminpass}" "${userpassword}"

# expect script: fdesetup add first asks for the primary (admin) user's password,
# then for the password of the user being added. Quoted heredoc keeps $argv and \r literal.
cat > /var/tmp/expectfile <<'EOF'
log_user 1
spawn fdesetup add -usertoadd [lindex $argv 0] -user [lindex $argv 1]
expect ":"
send "[lindex $argv 2]\r"
expect ":"
send "[lindex $argv 3]\r"
interact
EOF

expect -f /var/tmp/expectfile "${loggedInUser}" "${adminuser}" "${adminpass}" "${userpassword}"

rm /var/tmp/expectfile

if fdesetup list | grep -q "${loggedInUser}"; then
    "$jamfHelper" -windowType utility -title "FileVault User Added" -description "${loggedInUser} was successfully re-added to FileVault with the new password." -button1 "Ok" -defaultButton 1 -icon "$fvIcon"
else
    "$jamfHelper" -windowType utility -title "An Error Occurred" -description "An error occurred with your account and FileVault. Please contact your Tech Support." -button1 "Ok" -defaultButton 1 -icon "$errorIcon"
fi

al786
New Contributor III

So I do this as the user I need to update the password for, correct? For values 4 and 5 I put in the local admin credentials we have on every machine. I then log into the user and run this from self service?

boberito
Valued Contributor

correct.

You could pass 4 and 5 in the script parameters in jamf.

rblaas
Contributor II

I am curious,

Is no one worried about the admin credentials being echoed? (clear text in JAMF) How come this is no issue?

I would never want the admin password to be available in clear text.

dsavageED
Contributor III

Maybe consider encrypting the script parameters... https://github.com/jamfit/Encrypted-Script-Parameters

boberito
Valued Contributor

It is an issue...but until jamf provides a good solution you can only do so much.

You could pass it as 1 base64 encrypted string divided by a colon or some other character(below). You could just build the username/password into the script. You could use the encrypting script.

# Parameter 4 holds base64("adminuser:adminpass"); -f2- keeps any colons that are part of the password
adminuser=$(echo "$4" | openssl base64 -d | cut -d ":" -f1)
adminpass=$(echo "$4" | openssl base64 -d | cut -d ":" -f2-)
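Added example, not code from the thread or from the linked repository: it covers both boberito's expect-driven re-add and his later base64 "user:pass" parameter, but keeps the passwords out of the policy log, the process list and /var/tmp. Instead of expect it feeds fdesetup a property list over a pipe with fdesetup's own -inputplist option (the Username/Password/AdditionalUsers keys are the ones that option expects). The function names decode_credential, xml_escape, build_add_plist, prompt_password and sync_fv_user are this example's own, and the base64 input in the comments is constructed.

```shell
#!/bin/sh
# Re-sync a FileVault user's token after a password change, without echoing
# credentials. Names below are this example's own, not the thread's.

# Parameter 4 carries "adminuser:adminpass" base64-encoded, as in the thread's
# last post; build it with:  printf '%s' 'jadmin:secret' | base64
# Splits on the FIRST colon only, so the password itself may contain colons.
# Results go to CRED_USER / CRED_PASS rather than stdout (nothing is logged).
decode_credential() {
    decoded=$(printf '%s' "$1" | base64 --decode) || return 1
    CRED_USER=${decoded%%:*}
    CRED_PASS=${decoded#*:}
    # fail when there is no colon or either half is empty
    [ -n "$CRED_USER" ] && [ -n "$CRED_PASS" ] && [ "$CRED_PASS" != "$decoded" ]
}

# Escape the three characters that would break the plist XML.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Plist for "fdesetup add -inputplist": top-level user is the already-enabled
# admin; AdditionalUsers lists the account being (re-)enabled.
build_add_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$(xml_escape "$1")</string>
    <key>Password</key><string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key><string>$(xml_escape "$3")</string>
            <key>Password</key><string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Ask the logged-in user for the password they now use. Returning only
# "text returned" avoids the awk -F ':' split, which breaks on colons.
prompt_password() {
    osascript -e 'text returned of (display dialog "Enter your current login password" default answer "" with hidden answer buttons {"Cancel", "OK"} default button "OK")'
}

# Remove and re-add the target user so the FileVault token matches the new
# password. The plist reaches fdesetup over a pipe: no temp file, no argv.
sync_fv_user() {
    admin_user=$1; admin_pass=$2; target_user=$3; target_pass=$4
    # fdesetup list prints "username,UUID" per line; match the name exactly
    fdesetup list | cut -d, -f1 | grep -qx "$admin_user" || {
        echo "$admin_user is not FileVault enabled" >&2; return 1; }
    fdesetup remove -user "$target_user" || return 1
    build_add_plist "$admin_user" "$admin_pass" "$target_user" "$target_pass" \
        | fdesetup add -inputplist || return 1
    # Verify: between the remove and a failed add the user has no token at all
    fdesetup list | cut -d, -f1 | grep -qx "$target_user"
}

# Jamf policy entry point: only runs as root with parameter 4 set.
if [ -n "${4-}" ] && [ "$(id -u)" = 0 ]; then
    decode_credential "$4" || { echo "parameter 4 is not base64 user:pass" >&2; exit 1; }
    console_user=$(stat -f %Su /dev/console)
    sync_fv_user "$CRED_USER" "$CRED_PASS" "$console_user" "$(prompt_password)" || exit 1
fi
```

The parameter is still only encoded, not encrypted, so it remains readable to anyone who can see the policy in Jamf; the gain over the thread's scripts is that the passwords no longer appear in the policy log, in `ps` output during the expect run, or in a file under /var/tmp.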