Posted on 11-27-2018 01:44 PM
I'm hoping to make a Self Service script with osascript callouts/dialogs to make it easier for users to sync their FV2 and AD passwords. The script successfully passes the value of the "shortname" to the first command, but the add command has 2-3 pop-ups, and when run through Self Service nothing happens.
#!/bin/sh
# Ask for the short name of the account whose FileVault password should be resynced
USERNAME=$(osascript -e 'set T to text returned of (display dialog "Enter shortname of User to Sync FV2" buttons {"Cancel", "OK"} default button "OK" default answer "")')
# Remove the account from FileVault, then re-add it so the new password is enrolled
fdesetup remove -user "$USERNAME"
sleep 5
# fdesetup add prompts interactively for an already-enabled user's password and for the
# added user's password, so this step stalls when run non-interactively from Self Service
fdesetup add -usertoadd "$USERNAME"
Posted on 11-27-2018 01:49 PM
https://github.com/boberito/jamfscripts/blob/master/FV%20-%20FileVaultFix.sh
This should do the trick. You need the expect command to pass some info through to fdesetup.
#!/bin/sh
###################################################################
#: Date Created : (October 25th, 2018)
#: Author : Bob Gendler
#
# Add the user and the password as parameters in the script in jamf
# This must be an already FileVault enabled account
#
###################################################################
adminuser="${4}"
adminpass="${5}"
# Current console user, read from SystemConfiguration (empty at the loginwindow)
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
# Prompt for the user's current login password. osascript prints
# "button returned:Continue, text returned:<password>", so the password is the third ':'-separated field
# (a password that itself contains ':' would be cut short here)
userpassword=$(osascript -e 'display dialog "Please enter your login password." default answer "" with icon stop buttons {"Cancel", "Continue"} default button "Continue" with hidden answer' | awk -F ':' '{print $3}')
# fdesetup list prints one "user,UUID" line per enabled account; anchor the match so "bob" does not match "bobby"
if ! fdesetup list | grep -q "^${adminuser},"; then
"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -title "User not found" -description "The ${adminuser} account is not FileVault enabled. That account must be enabled before continuing." -button1 "Ok" -defaultButton 1 -icon "/System/Library/CoreServices/Problem Reporter.app/Contents/Resources/ProblemReporter.icns"
exit 0
fi
# Remove the logged-in user from FileVault so they can be re-added with the new password
fdesetup remove -user "${loggedInUser}"
if [ "$?" != "0" ]; then
"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -title "An Error Occurred" -description "An error occurred with your account and FileVault. Please contact your Tech Support." -button1 "Ok" -defaultButton 1 -icon "/System/Library/CoreServices/Problem Reporter.app/Contents/Resources/ProblemReporter.icns"
echo "User not removed successfully from FileVault"
exit 1
else
echo "User successfully removed from FileVault"
fi
# Debug output: this writes both passwords into the Jamf policy log in clear text
echo "${loggedInUser}" "${adminuser}" "${adminpass}" "${userpassword}"
# Build an expect script that answers the two interactive fdesetup add prompts:
# first the enabled admin's password, then the password of the user being added.
# The secrets are passed to expect as arguments, so they are briefly visible in the process list.
echo "log_user 1" > /var/tmp/expectfile
echo 'spawn fdesetup add -usertoadd [lindex $argv 0] -user [lindex $argv 1]' >> /var/tmp/expectfile
echo 'expect ":"' >> /var/tmp/expectfile
echo 'send "[lindex $argv 2]\r"' >> /var/tmp/expectfile
echo 'expect ":"' >> /var/tmp/expectfile
echo 'send "[lindex $argv 3]\r"' >> /var/tmp/expectfile
echo 'interact' >> /var/tmp/expectfile
expect -f /var/tmp/expectfile "${loggedInUser}" "${adminuser}" "${adminpass}" "${userpassword}"
rm /var/tmp/expectfile
# Confirm the user is back in the FileVault enabled-user list
if fdesetup list | grep -q "^${loggedInUser},"; then
"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -title "FileVault User Added" -description "${loggedInUser} was successfully re-added to FileVault with the new password." -button1 "Ok" -defaultButton 1 -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns"
else
"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -title "An Error Occurred" -description "An error occurred with your account and FileVault. Please contact your Tech Support." -button1 "Ok" -defaultButton 1 -icon "/System/Library/CoreServices/Problem Reporter.app/Contents/Resources/ProblemReporter.icns"
fi
Posted on 11-28-2018 06:28 AM
So I do this as the user I need to update the password for, correct? For values 4 and 5 I put in the local admin credentials we have on every machine. I then log into the user and run this from self service?
Posted on 11-28-2018 09:13 PM
correct.
You could pass 4 and 5 in the script parameters in jamf.
Posted on 11-28-2018 11:03 PM
I am curious,
Is no one worried about the admin credentials being echoed? (clear text in JAMF) How come this is no issue?
I would never want the admin password to be available in clear text.
Posted on 11-29-2018 02:46 AM
Maybe consider encrypting the script parameters... https://github.com/jamfit/Encrypted-Script-Parameters
Posted on 11-29-2018 09:25 AM
It is an issue...but until jamf provides a good solution you can only do so much.
You could pass it as 1 base64 encrypted string divided by a colon or some other character (below). You could just build the username/password into the script. You could use the encrypting script.
# Parameter 4 holds base64("user:password"); decode it and split on the colon
adminuser=$(echo "$4" | openssl base64 -d | cut -d ":" -f1)
adminpass=$(echo "$4" | openssl base64 -d | cut -d ":" -f2)
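Three text-handling steps in this thread are fragile: the unanchored grep against fdesetup list, the awk field split of the osascript dialog result, and the cut -f2 split of the colon-separated credential, which all misbehave on names that are prefixes of other names or on passwords containing ':'. The helper functions below are an added example written for this thread (not from the scripts above or from the linked repositories); they take their input as arguments, use constructed sample data, and leave the base64 decoding as the thread already shows it.

```shell
#!/bin/sh
# Added example: exact and ':'-safe handling of the strings the thread's scripts parse.

# 1. Exact match against `fdesetup list` output, which prints "user,UUID" per line.
#    A plain grep "$user" would also match "bob" inside "bobby".
fv_user_enabled() {
    user="$1"
    list_output="$2"
    printf '%s\n' "$list_output" | awk -F, -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

# 2. Take the typed text out of an osascript display-dialog result such as
#    "button returned:Continue, text returned:pa:ss" without losing any ':' in it.
dialog_text_returned() {
    printf '%s\n' "$1" | sed 's/^.*text returned://'
}

# 3. Split a decoded "user:password" credential on the FIRST colon only, so a
#    password that itself contains ':' is not truncated the way cut -f2 would.
cred_user() { printf '%s\n' "${1%%:*}"; }
cred_pass() { printf '%s\n' "${1#*:}"; }

# Constructed sample data (placeholder UUIDs, made-up passwords) for a stand-alone run.
SAMPLE_LIST="bob,1A2B3C4D-0000-0000-0000-000000000001
bobby,1A2B3C4D-0000-0000-0000-000000000002"
SAMPLE_DIALOG="button returned:Continue, text returned:pa:ss"
SAMPLE_CRED="ladmin:s3cr:et"

if fv_user_enabled bobby "$SAMPLE_LIST"; then echo "bobby is FileVault enabled"; fi
if ! fv_user_enabled bo "$SAMPLE_LIST"; then echo "bo is not FileVault enabled"; fi
dialog_text_returned "$SAMPLE_DIALOG"
cred_user "$SAMPLE_CRED"
cred_pass "$SAMPLE_CRED"
```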