Setting up FileVault -> Confused

oddity-mdm
New Contributor III

Hello,

I want to automate the process of FileVault -> activation with the local admin account -> adding the user.

While searching for ideas here at Jamf Nation I got pretty confused. Most threads, for example, are about generating a private key and sound very complicated.

Can I not just activate FileVault in a configuration profile and somehow add the user to it? Is the private key important / a good solution? What is the best solution to activate FileVault, add a user and check in sequence whether it is activated?

Thank you in advance!

Best regards
Maurice


kerouak
Valued Contributor

Here you go...
Works great for us. User just has to put in their own password and boom!

#!/bin/sh

# This script is intended to be used with JAMF Self Service. It will enable SecureToken for the currently logged in user account
# and either add it to the list of FileVault enabled users or enable FileVault using a Personal Recovery Key.
#
# Your policy must include script parameters for a SecureToken enabled administrator username and password. For more information
# on using script parameters, please see https://www.jamf.com/jamf-nation/articles/146/script-parameters.
#
# v1.2 - added debugging trace messages to confirm progress of script and confirm variables are being correctly passed - by Amos Deane - 13 Sep 2018
# v1.3 - corrected userName1

adminUser="$4"
adminPassword="$5"
userName1="$3"
userName2="$6"

# Uses AppleScript to prompt the currently logged in user for their account password.
userPassword1=$(/usr/bin/osascript <<EOT
tell application "System Events"
    activate
    display dialog "Please enter your login password:" default answer "" buttons {"Continue"} default button 1 with hidden answer
    if button returned of result is "Continue" then
        set pwd to text returned of result
        return pwd
    end if
end tell
EOT)

separationLine() {
    echo "----------------------------------------------------------------------------------"
}

# Enables SecureToken for the currently logged in user account.
# Variables are quoted so a password containing spaces is passed as one argument.
enableSecureToken() {
    separationLine
    echo "Enables SecureToken for the currently logged in user account $userName1"
    sudo sysadminctl -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName1" -password "$userPassword1"
}

# Creates a PLIST containing the necessary administrator and user credentials.
createPlist() {

kerouak
Valued Contributor

sorry for the formatting

oddity-mdm
New Contributor III

Thank you for the answer! I was not able to try it yet but will make an update after I did.

gachowski
Valued Contributor II

You should also be able to use the built-in Jamf Pro policy and set it to next login; the user can't bypass the FileVault enable screen. I think that if it's set to logout the user can always cancel it over and over, never enabling the encryption.

Also, you should consider creating a single-key profile that prevents the user from turning off FileVault, or they could just turn it off and then the individual key saved in Jamf Pro is worthless.

Here is the non-Apple-employee public expert:

https://derflounder.wordpress.com/?s=FileVault

I would recommend that you spend some time and read most of his posts from oldest to newest ... it's the best way to sort of understand how FileVault works.

C

kerouak
Valued Contributor

@gachowski You will still need to enter a secure token admin even if you do that...

gachowski
Valued Contributor II

@kerouak

Yep, I missed that he was creating an unnecessary and soon-to-be-Apple-deprecated local admin account. :)

C

maheshveldandi
New Contributor III

Find below the script to enable FileVault 2 for the current user.

#!/bin/sh

# Pass the credentials for an admin account that is authorized with FileVault 2
# (Jamf script parameters 4 and 5, as the checks below expect).
adminName="$4"
adminPass="$5"

if [ "${adminName}" = "" ]; then
    echo "Username undefined. Please pass the management account username in parameter 4"
    exit 1
fi

if [ "${adminPass}" = "" ]; then
    echo "Password undefined. Please pass the management account password in parameter 5"
    exit 2
fi

# Get the logged in user's name
userName=$(stat -f%Su /dev/console)

# This first user check sees if the logged in account is already authorized with FileVault 2
userCheck=$(sudo fdesetup list | grep -F "$userName")
if [ "$userCheck" != "" ]; then
    echo "This user is already added to the FileVault 2 list."
    exit 3
fi

# Check to see if the encryption process is complete
encryptCheck=$(fdesetup status)
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
    echo "The encryption process has not completed, unable to add user at this time."
    echo "${encryptCheck}"
    exit 4
fi

# Get the logged in user's password via a prompt
echo "Prompting ${userName} for their login password."

USERPASS=$(osascript -e '
tell application "Finder"
    display dialog "Enter your password please to enable FileVault" default answer "" with hidden answer
    set USERPASS to the (text returned of the result)
end tell')

echo "Adding user to FileVault 2 list."

# create the plist file (readable by root only, since it holds both passwords):
umask 077
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>'"$adminName"'</string>
    <key>Password</key>
    <string>'"$adminPass"'</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>'"$userName"'</string>
            <key>Password</key>
            <string>'"$USERPASS"'</string>
        </dict>
    </array>
</dict>
</plist>' > /tmp/fvenable.plist

# now enable FileVault
fdesetup add -inputplist < /tmp/fvenable.plist

# This second user check sees if the logged in account was successfully added to the FileVault 2 list
userCheck=$(fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}')
if [ "${userCheck}" != "${userName}" ]; then
    echo "Failed to add user to FileVault 2 list."
    exit 5
fi

echo "${userName} has been added to the FileVault 2 list."

# clean up (srm is no longer shipped with macOS; rm -P overwrites before unlinking)
if [ -e /tmp/fvenable.plist ]; then
    rm -P /tmp/fvenable.plist
fi
exit 0
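Both scripts in this thread build the same `fdesetup add -inputplist` payload, and both have the same two rough edges: the admin and user passwords are interpolated into XML without escaping (a password containing `&` or `<` produces an invalid plist), and the user check uses substring matching on `fdesetup list` (so "bob" also matches "bobby"). The script below is an added example, not code from either poster or from Jamf. It keeps the plist in memory and pipes it straight to `fdesetup`, so no credentials file ever lands in /tmp, escapes the XML, and matches the username field exactly. The helper names (`build_fv_plist`, `fv_is_on`, `fv_user_enabled`, `enable_console_user`) are my own; it assumes Jamf passes the SecureToken-enabled admin account in parameters 4 and 5 as the posted scripts do, and `fdesetup`, `stat -f%Su` and `osascript` only exist on macOS, so the real run is guarded and the parsing helpers can be exercised anywhere with constructed `fdesetup` output.

```shell
#!/bin/sh
# Added example (not code from the thread): build the fdesetup input plist in
# memory and feed it on stdin, so neither password is written to /tmp.
# Assumes a Jamf policy passes the SecureToken-enabled admin in $4/$5.

# Escape the characters that would break the XML plist if a password contains them.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Emit the plist fdesetup expects: admin credentials plus one AdditionalUsers entry.
# Arguments: admin user, admin password, user to add, that user's password.
build_fv_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$(xml_escape "$3")</string>
            <key>Password</key>
            <string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# "FileVault is On." is the first line of `fdesetup status` once enabled.
# Argument: the captured status text. Returns 0 only when that line is present.
fv_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.$'
}

# `fdesetup list` prints one "user,UUID" line per enabled user. Compare the whole
# username field rather than a substring, so "bob" does not match "bobby".
# Arguments: username, captured list text.
fv_user_enabled() {
    printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Real run (macOS only): prompt the console user and add them without a temp file.
enable_console_user() {
    adminUser="$1"; adminPass="$2"
    consoleUser=$(stat -f%Su /dev/console)
    if ! fv_is_on "$(fdesetup status)"; then
        echo "FileVault is not fully on yet; unable to add $consoleUser at this time."
        return 4
    fi
    if fv_user_enabled "$consoleUser" "$(fdesetup list)"; then
        echo "$consoleUser is already FileVault-enabled."
        return 0
    fi
    userPass=$(osascript -e 'display dialog "Enter your login password to enable FileVault" default answer "" with hidden answer' -e 'text returned of result')
    build_fv_plist "$adminUser" "$adminPass" "$consoleUser" "$userPass" | fdesetup add -inputplist
    if ! fv_user_enabled "$consoleUser" "$(fdesetup list)"; then
        echo "Failed to add $consoleUser to the FileVault list."
        return 5
    fi
    echo "$consoleUser has been added to the FileVault list."
}

# Only attempt the real enablement on macOS with the Jamf parameters present.
if [ "$(uname)" = "Darwin" ] && [ "$#" -ge 5 ]; then
    enable_console_user "$4" "$5"
fi
```

The pipe into `fdesetup add -inputplist` replaces the `> /tmp/fvenable.plist` step in both posted scripts: `fdesetup` already reads the plist from stdin, so there is nothing to `srm` afterwards and no window in which another local user could read the file. The same `fv_is_on` / `fv_user_enabled` checks can be dropped into an Extension Attribute to answer the "check in sequence if it is activated" part of the original question.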