Posted on 09-20-2018 02:35 AM
Hello,
I want to automate the process of FileVault -> activation with the local admin account -> adding the user
While searching for ideas here at Jamf Nation I got pretty confused. Most threads are for example about generating a private key and sound very complicated.
Can I not just activate FileVault in configuration profiles and somehow add the user to it? Is the private key important / a good solution? What is the best solution to activate FileVault, add a user and check in sequence whether it is activated?
Thank you in advance!
Best regards
Maurice
Posted on 09-21-2018 03:34 AM
Here you go...
Works great for us. User just has to put in their own password and boom!
#!/bin/bash
# Jamf script parameters: 3 = logged-in user, 4/5 = SecureToken-holding admin and its password
adminUser="$4"
adminPassword="$5"
userName1="$3"
userName2="$6"

# Ask the logged-in user for their own password (needed to grant them a SecureToken)
userPassword1=$(/usr/bin/osascript <<EOT
tell application "System Events"
activate
display dialog "Please enter your login password:" default answer "" buttons {"Continue"} default button 1 with hidden answer
if button returned of result is "Continue" then
set pwd to text returned of result
return pwd
end if
end tell
EOT
)

function separationLine {
    echo "----------------------------------------------------------------------------------"
}

enableSecureToken() {
    separationLine
    echo "Enables SecureToken for the currently logged in user account $userName1"
    # Both passwords are passed as command-line arguments, so they are visible in the
    # process list (ps) for as long as sysadminctl runs; variables are quoted so a
    # password containing spaces is not split into several arguments.
    sudo sysadminctl -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName1" -password "$userPassword1"
}

createPlist() {
# the script as posted ends here
Posted on 09-21-2018 03:34 AM
sorry for the formatting
Posted on 09-25-2018 03:07 AM
Thank you for the answer! I was not able to try it yet but will make an update after I did.
Posted on 09-25-2018 05:30 PM
You should also be able to use the built-in Jamf Pro policy and set it to next login; the user can't bypass the FileVault enable screen. I think that if it's set to log out, the user can always cancel it over and over, never enabling the encryption.
Also, you should consider creating a single-key profile that prevents the user from turning off FileVault, or they could just turn it off and then the individual key saved in Jamf Pro is worthless.
Here is the non-Apple-employee public expert:
https://derflounder.wordpress.com/?s=FileVault
I would recommend that you spend some time and read most of his posts from oldest to newest ... it's the best way to sort of understand how FileVault works
C
Posted on 10-02-2018 04:09 AM
@gachowski You will still need to enter a secure token admin even if you do that...
Posted on 10-02-2018 11:28 AM
Yep, I missed that he was creating an unnecessary and soon-to-be-Apple-deprecated local admin account. : )
C
Posted on 10-02-2018 12:45 PM
Find below a script to enable FileVault 2 for the current user.
#!/bin/bash
# Management account credentials, passed by Jamf as parameters 4 and 5
# (as the error messages below state)
adminName="$4"
adminPass="$5"

if [ "${adminName}" == "" ]; then
    echo "Username undefined. Please pass the management account username in parameter 4"
    exit 1
fi

if [ "${adminPass}" == "" ]; then
    echo "Password undefined. Please pass the management account password in parameter 5"
    exit 2
fi

# The owner of /dev/console is the user logged in at the GUI
userName=$(stat -f%Su /dev/console)

# Note: grep -F matches substrings, so a user "jo" also matches an enabled "john"
userCheck=$(sudo fdesetup list | grep -F "$userName")
if [ "$userCheck" != "" ]; then
    echo "This user is already added to the FileVault 2 list."
    exit 3
fi

# Only the "FileVault is On." line is compared, so this check also passes while
# the initial encryption is still in progress
encryptCheck=$(fdesetup status)
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
    echo "The encryption process has not completed, unable to add user at this time."
    echo "${encryptCheck}"
    exit 4
fi

echo "Prompting ${userName} for their login password."
USERPASS=$(osascript -e '
tell application "Finder"
display dialog "Enter your password please to enable FileVault" default answer "" with hidden answer
set USERPASS to the (text returned of the result)
end tell')

echo "Adding user to FileVault 2 list."
# The plist contains both passwords in clear text: make it readable by root only
umask 077
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>'$adminName'</string>
<key>Password</key>
<string>'$adminPass'</string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>'$userName'</string>
<key>Password</key>
<string>'$USERPASS'</string>
</dict>
</array>
</dict>
</plist>' > /tmp/fvenable.plist

fdesetup add -inputplist < /tmp/fvenable.plist

userCheck=$(fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}')
if [ "${userCheck}" != "${userName}" ]; then
    echo "Failed to add user to FileVault 2 list."
    exit 5
fi
echo "${userName} has been added to the FileVault 2 list."

if [[ -e /tmp/fvenable.plist ]]; then
    # srm no longer ships with recent macOS versions; fall back to rm -P
    srm /tmp/fvenable.plist 2>/dev/null || rm -P /tmp/fvenable.plist
fi
exit 0
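Both posted scripts (the SecureToken one above and this fdesetup one) splice raw passwords into an XML plist in /tmp and check `fdesetup list` with a substring match. As an added example that is not code from either post, the bash helpers below do the same two steps more carefully: they XML-escape the credentials, write the plist to a root-only file, and compare the whole username field of `fdesetup list`, plus a status check that does not report "ready" while the disk is still encrypting. The only assumptions are the output formats of `fdesetup list` (one `username,UUID` line per user) and `fdesetup status` (`FileVault is On.` followed by an `Encryption in progress` line during initial encryption); the sample output is constructed, and nothing below calls a macOS tool, so it runs anywhere.

```shell
#!/bin/bash
# Added example, not code from the thread: hardened helpers for the steps the
# posted scripts perform. No fdesetup call is made here; the checks are
# exercised on constructed sample output and fed real output on a Mac.

# Escape the XML special characters. A credential containing <, >, & or a
# quote would otherwise break (or silently alter) the plist given to fdesetup.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Print the "fdesetup add -inputplist" document: admin credentials plus one
# additional user, all four values escaped.
build_fv_plist() {   # $1 admin user, $2 admin password, $3 user, $4 user password
    local admin_user admin_pass user pass
    admin_user=$(xml_escape "$1"); admin_pass=$(xml_escape "$2")
    user=$(xml_escape "$3");       pass=$(xml_escape "$4")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>${admin_user}</string>
    <key>Password</key>
    <string>${admin_pass}</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>${user}</string>
            <key>Password</key>
            <string>${pass}</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Write the document to a 0600 file with an unpredictable name and print the
# path. /tmp/fvenable.plist with default permissions, as in the posted
# scripts, is readable by any local process while it exists.
write_fv_plist() {
    local path
    path=$(mktemp "${TMPDIR:-/tmp}/fvenable.XXXXXX") || return 1
    chmod 600 "$path"
    build_fv_plist "$@" > "$path"
    printf '%s\n' "$path"
}

# "fdesetup list" prints one "username,UUID" line per enabled user (assumed
# format). Compare the whole name field, so "jo" is not reported as enabled
# because "john" is; grep -F on the raw output would report it.
fv_user_enabled() {   # $1 = fdesetup list output, $2 = username
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# "fdesetup status" starts with "FileVault is On." (or Off.) and, while the
# disk is still encrypting, adds an "Encryption in progress" line (assumed
# format). Only a finished, enabled volume counts as ready; comparing the
# first line alone passes mid-encryption.
fv_status_on() {   # $1 = fdesetup status output
    printf '%s\n' "$1" | grep -q '^FileVault is On\.' || return 1
    if printf '%s\n' "$1" | grep -q 'Encryption in progress'; then
        return 1
    fi
    return 0
}

# Constructed sample output (not captured from a real machine)
SAMPLE_LIST='admin,0E1A2B3C-0000-1111-2222-333344445555
john,5D6E7F80-9999-8888-7777-666655554444'
SAMPLE_STATUS_ON='FileVault is On.'
SAMPLE_STATUS_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 42'

# On a Mac the flow would be:
#   plist=$(write_fv_plist "$adminName" "$adminPass" "$userName" "$USERPASS")
#   fv_status_on "$(fdesetup status)" && fdesetup add -inputplist < "$plist"
#   rm -P "$plist"
#   fv_user_enabled "$(fdesetup list)" "$userName" && echo "enabled"
```

The plist still holds both passwords in clear text for the few seconds it exists, so the file is created 0600 and removed immediately after `fdesetup add`; escaping is what keeps a password with an ampersand or angle bracket from producing a malformed document (or, worse, a different `Username` element) rather than a clean failure.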