
Sharing is caring - Self Service Script for tech - Reset FileVault 2 user password.


ThijsX

Hi There,

In the spirit of sharing is caring, see below:
In case a user has changed their password (via NoMAD or System Preferences) and it has been synced to your AD environment, but the FileVault 2 disk encryption password has not changed, you can use the script below.
Or they simply don't know their password anymore after a good vacation.

In our situation, when someone is unable to log in with their own password, we log in with our support account, log out to the login window with username/password fields and then log in with their new AD password. Once logged in, the tech launches Self Service and logs in with his tech credentials, where the script is available. This depends on your organisation's needs.

The script below is designed for your helpdesk technicians; you can scope it to them so they can run it via Self Service.
It also contains GUI pop-ups.

#!/bin/bash

# Resets a user's FileVault 2 password by removing the user from the FileVault 2
# user list and re-adding them with their new (AD) password.
# Meant to be run from Self Service by a technician, so it uses GUI dialogs.

# Escape the characters that would break the XML plist if they appear in a username or password.
xmlEscape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Print the username if it is in the FileVault 2 list ("fdesetup list" prints "username,UUID" lines).
# The first field is compared exactly; a substring match would let "jo" match "john".
fvUserCheck() {
    fdesetup list | awk -F, -v usrN="$1" '$1 == usrN {print $1}'
}

# Loop until a non-empty username is entered or Cancel is pressed.
while :; do
    userName=$(osascript -e 'Tell application "System Events" to display dialog "Hi,

Ensure that you have set a new password for the user via Active Directory.

Please now insert the username of the user" default answer "" with title "Requesting Username" buttons {"Cancel", "Submit"} default button "Submit" cancel button "Cancel" with icon caution' -e 'text returned of result' 2>/dev/null)

    if [ $? -ne 0 ]; then exit 1; fi # Abort if the technician pressed Cancel.

    userName=$(echo "$userName" | sed 's/^ *//; s/ *$//') # Trim leading and trailing whitespace.

    if [[ -z "$userName" ]]; then
        # The technician left the username blank: warn and prompt again.
        osascript -e 'Tell application "System Events" to display alert "You must enter the username. Please try again" as warning' >/dev/null
    else
        # Valid input: exit loop and continue.
        break
    fi
done

# Check that the encryption process is complete before touching the FileVault 2 user list.
encryptCheck=$(fdesetup status)
if ! echo "${encryptCheck}" | grep -q "FileVault is On."; then
    echo "The encryption process has not completed, unable to add user at this time."
    echo "${encryptCheck}"
    osascript -e 'tell app "System Events" to display dialog "The encryption process has not completed, unable to add user at this time." with title "Disk is not encrypted" buttons {"Quit"}'
    exit 2
fi

# Remove the user from FileVault 2 so they can be re-added with the new password.
if fdesetup remove -user "$userName"; then
    echo "User has been removed from FileVault 2"
else
    echo "User was not in the FileVault 2 list (or removal failed); continuing."
fi

sleep 5

# Credentials of the management account that is authorized with FileVault 2.
adminName='PUT IN HERE YOUR SUPPORT ACCOUNT'
adminPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter the password for SUPPORT ACCOUNT" default answer "" with title "Get admin privileges" buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

# If the user is still in the FileVault 2 list, the removal failed and re-adding would not reset the password.
userCheck=$(fvUserCheck "$userName")
if [ "${userCheck}" == "${userName}" ]; then
    echo "This user is still in the FileVault 2 list; removal failed."
    osascript -e 'tell app "System Events" to display dialog "This user is still in the FileVault 2 list; removal failed." with title "Not able to add user" buttons {"Quit"}'
    exit 1
fi

# Get the user's new login password via prompt.
echo "Prompting ${userName} for his/her login password."
userPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter the password for user '"${userName}"':" default answer "" with title "Enable user '"${userName}"' for FileVault 2" buttons {"Submit"} default button 1 with hidden answer' -e 'text returned of result')"

echo "Adding user to FileVault 2 list."

# Create the input plist in a private temporary file (mktemp creates it with mode 0600),
# since it holds two passwords in clear text.
plistFile=$(mktemp /tmp/fvenable.XXXXXX)
cat > "${plistFile}" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(printf '%s' "${adminName}" | xmlEscape)</string>
    <key>Password</key>
    <string>$(printf '%s' "${adminPass}" | xmlEscape)</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$(printf '%s' "${userName}" | xmlEscape)</string>
            <key>Password</key>
            <string>$(printf '%s' "${userPass}" | xmlEscape)</string>
        </dict>
    </array>
</dict>
</plist>
EOF

# Enable FileVault 2 for the user.
fdesetup add -inputplist < "${plistFile}"

# Clean up: overwrite and delete the plist as soon as fdesetup has consumed it
# (srm no longer ships with macOS; rm -P overwrites before unlinking).
rm -Pf "${plistFile}"

# Check that the user was successfully added to the FileVault 2 list.
userCheck=$(fvUserCheck "$userName")
if [ "${userCheck}" != "${userName}" ]; then
    echo "Failed to add user to FileVault 2 list."
    osascript -e 'tell app "System Events" to display dialog "Failed to add user '"${userName}"' to FileVault 2 list." with title "FileVault 2 Failed" buttons {"Quit"}'
    exit 3
fi

echo "${userName} has been added to the FileVault 2 list."
osascript -e 'tell app "System Events" to display dialog "'"${userName}"' has been added to the FileVault 2 list. Reboot required" with title "Well done, Bro.." buttons {"Hooray"}'

# Update the APFS preboot volume so that all FileVault 2 users can log in.
diskutil apfs updatepreboot /

# Restart macOS.
osascript -e 'tell app "loginwindow" to «event aevtrrst»'

exit 0

Get your fruit out of it.

Cheers,
Thijs.
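The two preflight checks the script makes against fdesetup output (is the disk fully encrypted, and is the user already in the FileVault 2 list) are the parts most worth testing without a Mac at hand. As an added example, not part of the original post, here they are isolated as functions that read the command output from stdin, exercised against constructed sample output; the function names and sample UUIDs are made up.

```shell
#!/bin/bash
# Added example: the script's preflight checks as stdin-driven functions, so they
# can be run offline against sample output instead of the real fdesetup commands.

# "fdesetup list" prints one "username,UUID" line per FileVault-enabled user.
# Compare the whole first field: a substring match (awk index()) would let
# "jo" match "john" and report the wrong user as already enabled.
fv_user_listed() {
    awk -F, -v usrN="$1" '$1 == usrN {found=1} END {exit !found}'
}

# "fdesetup status" prints "FileVault is On." on a fully encrypted volume and may
# print further lines after it (e.g. deferred enablement), so match the line only.
fv_is_on() {
    grep -qx 'FileVault is On\.'
}

# Combined preflight with the same exit codes the script uses:
#   0 = ok to add, 1 = user already in the list, 2 = encryption not complete.
# $1 = username, $2 = "fdesetup list" output, $3 = "fdesetup status" output.
fv_preflight() {
    printf '%s\n' "$3" | fv_is_on || return 2
    printf '%s\n' "$2" | fv_user_listed "$1" && return 1
    return 0
}

# Constructed sample output standing in for the real commands.
SAMPLE_LIST='support,9E1B6C21-0000-4000-8000-000000000001
john,9E1B6C21-0000-4000-8000-000000000002'
SAMPLE_STATUS_ON='FileVault is On.
Deferred enablement appears to be active for user '"'"'alice'"'"'.'
SAMPLE_STATUS_OFF='FileVault is Off.'
```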

3 replies

jbutler47
Forum|alt.badge.img+13
  • Valued Contributor
  • 74 replies
  • April 10, 2018

Talk about perfect timing. Your script is the bee's knees, perfect workaround to an old and odd issue. Nice work!


  • New Contributor
  • 1 reply
  • October 4, 2018

Awesome, this is super helpful!


  • Contributor
  • 19 replies
  • October 4, 2018

This morning I used this script to fix an A1708 MacBook Pro running 10.14 Mojave: it would not accept my password at the FV2 log-in window.

