Smart Group for missing Filevault2 Keys

Raffael
New Contributor II

Hi Jamf Community,

I have been trying to set up a search for all devices that don't have a personal recovery key set. Unfortunately there is no such option. Then I thought I could just check if the FileVault encryption is "Valid". This would be great, but some of the devices in my Jamf network don't have a recovery key set but are encrypted. I was trying to figure out how to search for all of these devices so I could issue a new key for them. Is there any way to do this?

Thanks ahead,

Raffael

mickl089
Contributor III

Don't know if it works anymore, but you have to set up an extension attribute:

Check the status of the encryption:


#!/bin/bash

# Temp files that capture diskutil output on CoreStorage (HFS+) volumes.
# mktemp gives them unpredictable names and owner-only permissions, so
# another local user cannot pre-create or symlink those paths in /private/tmp.
CORESTORAGESTATUS=$(mktemp /private/tmp/corestorage.XXXXXX)
ENCRYPTSTATUS=$(mktemp /private/tmp/encrypt_status.XXXXXX)
ENCRYPTDIRECTION=$(mktemp /private/tmp/encrypt_direction.XXXXXX)

# Remove the temp files however the script exits, including the early "exit 0" paths below.
trap 'rm -f "$CORESTORAGESTATUS" "$ENCRYPTSTATUS" "$ENCRYPTDIRECTION"' EXIT

osvers_major=$(sw_vers -productVersion | awk -F. '{print $1}')
osvers_minor=$(sw_vers -productVersion | awk -F. '{print $2}')

# macOS 11 and later report a major version above 10. Those systems boot
# from APFS, where fdesetup reports the FileVault state directly, so they
# are handled here before the CoreStorage-era checks below.

if [[ ${osvers_major} -gt 10 ]]; then
  fv_status=$(fdesetup status | xargs)
  # While a conversion is running fdesetup adds a progress line; report that,
  # otherwise report the "FileVault is On/Off" line.
  if [[ -z $(echo "$fv_status" | awk '/Encryption | Decryption/') ]]; then
    echo "<result>$(fdesetup status | head -1)</result>"
  else
    echo "<result>$(fdesetup status | tail -1)</result>"
  fi
  exit 0
fi

# Checks to see if the OS on the Mac is 10.x.x. If it is not, the
# following message is displayed without quotes:
#
# "Unknown Version Of Mac OS X"

if [[ ${osvers_major} -ne 10 ]]; then
  echo "<result>Unknown Version Of Mac OS X</result>"
  exit 0
fi

# Checks to see if the OS on the Mac is 10.7 or higher.
# If it is not, the following message is displayed without quotes:
#
# "FileVault 2 Encryption Not Available For This Version Of Mac OS X"

if [[ ${osvers_minor} -lt 7 ]]; then
  echo "<result>FileVault 2 Encryption Not Available For This Version Of Mac OS X</result>"
  exit 0
fi

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 7 ]] && [[ ${osvers_minor} -lt 13 ]]; then
  diskutil cs info / >> $CORESTORAGESTATUS 2>&1

    # If the Mac is running 10.7 through 10.12, but the boot volume
    # is not a CoreStorage volume, the following message is 
    # displayed without quotes:
    #
    # "FileVault 2 Encryption Not Enabled"

    if grep -iE '/ is not a CoreStorage disk' $CORESTORAGESTATUS 1>/dev/null; then
       echo "<result>FileVault 2 Encryption Not Enabled</result>"
       rm -f "$CORESTORAGESTATUS"
       exit 0
    fi

    # If the Mac is running 10.7 through 10.12 and the boot volume
    # is a CoreStorage volume, the script then checks to see if 
    # the machine is encrypted, encrypting, or decrypting.
    # 
    # If encrypted, the following message is 
    # displayed without quotes:
    # "FileVault 2 Encryption Complete"
    #
    # If encrypting, the following message is 
    # displayed without quotes:
    # "FileVault 2 Encryption Proceeding."
    # How much has been encrypted of of the total
    # amount of space is also displayed. If the
    # amount of encryption is for some reason not
    # known, the following message is 
    # displayed without quotes:
    # "FileVault 2 Encryption Status Unknown. Please check."
    #
    # If decrypting, the following message is 
    # displayed without quotes:
    # "FileVault 2 Decryption Proceeding"
    # How much has been decrypted of of the total
    # amount of space is also displayed
    #
    # If fully decrypted, the following message is 
    # displayed without quotes:
    # "FileVault 2 Decryption Complete"
    #

    # Get the Logical Volume UUID (aka "UUID" in diskutil cs info)
    # for the boot drive's CoreStorage volume.

    LV_UUID=`diskutil cs info / | awk '/UUID/ {print $2;exit}'`

    # Get the Logical Volume Family UUID (aka "Parent LVF UUID" in diskutil cs info)
    # for the boot drive's CoreStorage volume.

    LV_FAMILY_UUID=`diskutil cs info / | awk '/Parent LVF UUID/ {print $4;exit}'`

    CONTEXT=`diskutil cs list $LV_FAMILY_UUID | awk '/Encryption Context/ {print $3;exit}'`

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -eq 7 || ${osvers_minor} -eq 8 ]]; then
        CONVERTED=`diskutil cs list $LV_UUID | awk '/Size \(Converted\)/ {print $5,$6;exit}'`
    fi

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 9 ]]; then
        CONVERTED=`diskutil cs list $LV_UUID | awk '/Conversion Progress/ {print $3;exit}'`    
    fi

    ENCRYPTIONEXTENTS=`diskutil cs list $LV_FAMILY_UUID | awk '/Has Encrypted Extents/ {print $4;exit}'`
    ENCRYPTION=`diskutil cs list $LV_FAMILY_UUID | awk '/Encryption Type/ {print $3;exit}'`
    SIZE=`diskutil cs list $LV_UUID | awk '/Size \(Total\)/ {print $5,$6;exit}'`

    # This section does 10.7-specific checking of the Mac's
    # FileVault 2 status

   if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -eq 7 ]]; then
      if [ "$CONTEXT" = "Present" ]; then
        if [ "$ENCRYPTION" = "AES-XTS" ]; then
          diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Status/ {print $3;exit}' >> $ENCRYPTSTATUS
            if grep -iE 'Complete' $ENCRYPTSTATUS 1>/dev/null; then 
              echo "<result>FileVault 2 Encryption Complete</result>"
            else
              if  grep -iE 'Converting' $ENCRYPTSTATUS 1>/dev/null; then
                diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Direction/ {print $3;exit}' >> $ENCRYPTDIRECTION
                  if grep -iE 'Forward' $ENCRYPTDIRECTION 1>/dev/null; then
                    echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
                  else
                    echo "<result>FileVault 2 Encryption Status Unknown. Please check.</result>"
                  fi
               fi
             fi
        else
            if [ "$ENCRYPTION" = "None" ]; then
              diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Direction/ {print $3;exit}' >> $ENCRYPTDIRECTION
                if grep -iE 'Backward' $ENCRYPTDIRECTION 1>/dev/null; then
                  echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
                elif grep -iE '-none-' $ENCRYPTDIRECTION 1>/dev/null; then
                  echo "<result>FileVault 2 Decryption Completed</result>"
                fi
            fi 
        fi
      fi  
    fi

    # This section does checking of the Mac's FileVault 2 status
    # on 10.8.x through 10.10.x

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 8 ]] && [[ ${osvers_minor} -lt 11 ]]; then
      if [[ "$ENCRYPTIONEXTENTS" = "No" ]]; then
        echo "<result>FileVault 2 Encryption Not Enabled</result>"
      elif [[ "$ENCRYPTIONEXTENTS" = "Yes" ]]; then
        diskutil cs list $LV_FAMILY_UUID | awk '/Fully Secure/ {print $3;exit}' >> $ENCRYPTSTATUS
        if grep -iE 'Yes' $ENCRYPTSTATUS 1>/dev/null; then
          echo "<result>FileVault 2 Encryption Complete</result>"
        elif grep -iE 'No' $ENCRYPTSTATUS 1>/dev/null; then
          diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Direction/ {print $3;exit}' >> $ENCRYPTDIRECTION
          if grep -iE 'forward' $ENCRYPTDIRECTION 1>/dev/null; then
            echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
          elif grep -iE 'backward' $ENCRYPTDIRECTION 1>/dev/null; then
            echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
          elif grep -iE '-none-' $ENCRYPTDIRECTION 1>/dev/null; then
            echo "<result>FileVault 2 Decryption Completed</result>"
          fi
        fi
      fi
    fi

    # This section does checking of the Mac's FileVault 2 status
    # on 10.11.x through 10.12.x

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 11 ]] && [[ ${osvers_minor} -lt 13 ]]; then
      if [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "" ]]; then
        echo "<result>FileVault 2 Encryption Not Enabled</result>"
      elif [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "Complete" ]]; then
        echo "<result>FileVault 2 Decryption Completed</result>"
      elif [[ "$ENCRYPTION" = "AES-XTS" ]]; then
        diskutil cs list $LV_FAMILY_UUID | awk '/High Level Queries/ {print $4,$5;exit}' >> $ENCRYPTSTATUS
        if grep -iE 'Fully Secure' $ENCRYPTSTATUS 1>/dev/null; then
          echo "<result>FileVault 2 Encryption Complete</result>"
        elif grep -iE 'Not Fully' $ENCRYPTSTATUS 1>/dev/null; then
          if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') != "" ]]; then
            diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Status/ {print $4;exit}' >> $ENCRYPTDIRECTION
            if grep -iE 'forward' $ENCRYPTDIRECTION 1>/dev/null; then
              echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
            elif grep -iE 'backward' $ENCRYPTDIRECTION 1>/dev/null; then
              echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
            fi
          elif [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $3;exit}') == "Complete" ]]; then
            echo "<result>FileVault 2 Decryption Completed</result>"
          fi
        fi
      fi
    fi

# Closes the 10.7 through 10.12 CoreStorage block
fi

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 13 ]]; then

# If the OS on the Mac is 10.13 or higher, check to see if the
# boot drive is formatted with APFS or HFS+

boot_filesystem_check=$(/usr/sbin/diskutil info / | awk '/Type \(Bundle\)/ {print $3}')

# If the drive is formatted with APFS, the fdesetup tool will
# be available and is able to display the encryption status.

    if [[ "$boot_filesystem_check" = "apfs" ]]; then

    # If encrypted, the following message is 
    # displayed without quotes:
    # "FileVault is On."
    #
    # If encrypting, the following message is 
    # displayed without quotes:
    # "Encryption in progress:"
    # How much has been encrypted of of the total
    # amount of space is also displayed.
    #
    # If decrypting, the following message is 
    # displayed without quotes:
    # "Decryption in progress:"
    # How much has been decrypted of of the total
    # amount of space is also displayed
    #
    # If not encrypted, the following message is 
    # displayed without quotes:
    # "FileVault is Off."

    # fdesetup prints a second line with the progress while a conversion is
    # running; report that line, otherwise the first "FileVault is On/Off" line.
    # A separate variable is used so the $ENCRYPTSTATUS temp file path is not clobbered.
    FV_STATUS=$(fdesetup status | xargs)
        if [[ -z $(echo "$FV_STATUS" | awk '/Encryption | Decryption/') ]]; then
            FV_STATUS=$(fdesetup status | head -1)
            echo "<result>$FV_STATUS</result>"
        else
            FV_STATUS=$(fdesetup status | tail -1)
            echo "<result>$FV_STATUS</result>"
        fi
    fi

    if [[ "$boot_filesystem_check" = "hfs" ]]; then
    diskutil cs info / >> $CORESTORAGESTATUS 2>&1
        if grep -iE '/ is not a CoreStorage disk' $CORESTORAGESTATUS 1>/dev/null; then
            echo "<result>FileVault 2 Encryption Not Enabled</result>"
            rm -f "$CORESTORAGESTATUS"
            exit 0
        fi
        # If the Mac is running 10.7 or higher and the boot volume
        # is a CoreStorage volume, the script then checks to see if 
        # the machine is encrypted, encrypting, or decrypting.
        # 
        # If encrypted, the following message is 
        # displayed without quotes:
        # "FileVault 2 Encryption Complete"
        #
        # If encrypting, the following message is 
        # displayed without quotes:
        # "FileVault 2 Encryption Proceeding."
        # How much has been encrypted of of the total
        # amount of space is also displayed. If the
        # amount of encryption is for some reason not
        # known, the following message is 
        # displayed without quotes:
        # "FileVault 2 Encryption Status Unknown. Please check."
        #
        # If decrypting, the following message is 
        # displayed without quotes:
        # "FileVault 2 Decryption Proceeding"
        # How much has been decrypted of of the total
        # amount of space is also displayed
        #
        # If fully decrypted, the following message is 
        # displayed without quotes:
        # "FileVault 2 Decryption Complete"
        #

        # Get the Logical Volume UUID (aka "UUID" in diskutil cs info)
        # for the boot drive's CoreStorage volume.

        LV_UUID=`diskutil cs info / | awk '/UUID/ {print $2;exit}'`

        # Get the Logical Volume Family UUID (aka "Parent LVF UUID" in diskutil cs info)
        # for the boot drive's CoreStorage volume.

        LV_FAMILY_UUID=`diskutil cs info / | awk '/Parent LVF UUID/ {print $4;exit}'`

        CONTEXT=`diskutil cs list $LV_FAMILY_UUID | awk '/Encryption Context/ {print $3;exit}'`

        CONVERTED=`diskutil cs list $LV_UUID | awk '/Conversion Progress/ {print $3;exit}'`

        ENCRYPTIONEXTENTS=`diskutil cs list $LV_FAMILY_UUID | awk '/Has Encrypted Extents/ {print $4;exit}'`
        ENCRYPTION=`diskutil cs list $LV_FAMILY_UUID | awk '/Encryption Type/ {print $3;exit}'`
        SIZE=`diskutil cs list $LV_UUID | awk '/Size \(Total\)/ {print $5,$6;exit}'`

    # This section does checking of the Mac's FileVault 2 status if the boot drive is formatted with HFS+

        if [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "" ]]; then
            echo "<result>FileVault 2 Encryption Not Enabled</result>"
        elif [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "Complete" ]]; then
            echo "<result>FileVault 2 Decryption Completed</result>"
        elif [[ "$ENCRYPTION" = "AES-XTS" ]]; then
            diskutil cs list $LV_FAMILY_UUID | awk '/High Level Queries/ {print $4,$5;exit}' >> $ENCRYPTSTATUS
            if grep -iE 'Fully Secure' $ENCRYPTSTATUS 1>/dev/null; then 
                echo "<result>FileVault 2 Encryption Complete</result>"
            else
                if grep -iE 'Not Fully' $ENCRYPTSTATUS 1>/dev/null; then
                    if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') != "" ]]; then 
                    diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Status/ {print $4;exit}' >> $ENCRYPTDIRECTION
                        if grep -iE 'forward' $ENCRYPTDIRECTION 1>/dev/null; then
                            echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
                        elif grep -iE 'backward' $ENCRYPTDIRECTION 1>/dev/null; then
                            echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
                        fi
                    elif [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') == "" ]]; then
                        if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $3;exit}') == "Complete" ]]; then
                            echo "<result>FileVault 2 Decryption Completed</result>"
                        fi
                    fi
                fi
            fi
        fi
    fi

    # A boot volume that is neither APFS nor HFS+ cannot be assessed by this script.
    if [[ "$boot_filesystem_check" != "apfs" ]] && [[ "$boot_filesystem_check" != "hfs" ]]; then
        echo "<result>Unknown filesystem.</result>"
    fi
fi

# Remove the temp files created during the script

if [ -f "$CORESTORAGESTATUS" ]; then
   rm -f "$CORESTORAGESTATUS"
fi

if [ -f "$ENCRYPTSTATUS" ]; then
   rm -f "$ENCRYPTSTATUS"
fi

if [ -f "$ENCRYPTDIRECTION" ]; then
   rm -f "$ENCRYPTDIRECTION"
fi

exit 0

Then create a smart group like this:

(attached screenshot: SCR-20230525-neru.png)

Just modify the settings in the smart group as you want.

Raffael
New Contributor II

Hey mickl089,

Thanks for your quick reply. I have seen this post myself, but 1. I can't confirm if it's outdated, and 2. this doesn't check if a key is present. As I already said, some of my users have an invalid or unknown FileVault 2 setup but still have a key, or even the other way round: they have no key but the disk is encrypted. I guess it will boil down to manually searching for them.

Thanks,

Raffael
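Added example, not code from this thread or from Jamf: an extension attribute that reports the FileVault state together with whether a personal recovery key (PRK) exists on the Mac, using the `fdesetup status` and `fdesetup haspersonalrecoverykey` verbs documented in fdesetup(8). The status-only EA posted above cannot separate the "encrypted but no key" case that the question is about; this one emits a value such as `Encrypted, No PRK` that a smart group can match with a plain "is" criterion. It assumes macOS 10.13 or later (APFS, so fdesetup is authoritative) and runs as root like any Jamf EA; the function name `classify_fv` and the result strings are chosen here, not Jamf conventions. One limit to keep in mind: `haspersonalrecoverykey` says whether a key exists on the device, not whether Jamf holds a valid escrowed copy, so it complements the "Valid" key check discussed in the thread rather than replacing it.

```shell
#!/bin/bash
# Jamf extension attribute (added example): FileVault state plus PRK presence.
# Assumes macOS 10.13+ and root, which the fdesetup verbs used here require.

# classify_fv STATUS_TEXT HAS_PRK_TEXT
# Pure function that turns the two fdesetup outputs into one EA value, so the
# mapping can be exercised with constructed input. Values are short and stable
# so smart-group criteria can match them with "is" or "contains".
# e.g. classify_fv 'FileVault is On.' 'false'  ->  "Encrypted, No PRK"
classify_fv() {
    status_text="$1"
    has_prk="$2"

    # Progress patterns first: while converting, fdesetup prints the
    # "FileVault is On." line as well, and the progress line is the useful one.
    case "$status_text" in
        *"Encryption in progress"*) state="Encrypting" ;;
        *"Decryption in progress"*) state="Decrypting" ;;
        *"FileVault is On"*)        state="Encrypted" ;;
        *"FileVault is Off"*)       state="Not encrypted" ;;
        *)                          state="Unknown" ;;
    esac

    # fdesetup haspersonalrecoverykey prints "true" or "false"; anything else
    # (command failed, unexpected output) is reported as unknown, never as present.
    case "$has_prk" in
        true)  key="PRK present" ;;
        false) key="No PRK" ;;
        *)     key="PRK unknown" ;;
    esac

    printf '%s, %s\n' "$state" "$key"
}

main() {
    # Fold the one- or two-line status output into a single string for the case match.
    status_text=$(/usr/bin/fdesetup status 2>/dev/null | tr '\n' ' ')
    has_prk=$(/usr/bin/fdesetup haspersonalrecoverykey 2>/dev/null)
    printf '<result>%s</result>\n' "$(classify_fv "$status_text" "$has_prk")"
}

# Only query fdesetup where it exists (macOS); the function above stays usable elsewhere.
if [ -x /usr/bin/fdesetup ]; then
    main
fi
```

Create the EA with a string data type, then build a smart group whose criterion is the EA "is" `Encrypted, No PRK` and scope the key-issuing workflow to that group; `Encrypting` and `Decrypting` Macs are reported separately so they are not re-keyed mid-conversion. The status strings used to check the mapping are constructed from the wording fdesetup prints, not captured from a real Mac.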

steve_summers
Contributor III

@Raffael, I've attached an image of the smart group I use to find keys in my Org which are not valid. I can verify it works. If you set it up like this, mind the parentheses. I exclude Mac minis in our environment because they're desktops. So, if you have iMacs or other desktops, you may want to exclude those. Up to you. Hope it helps.

(attached screenshot: fvSmartGroup.png)