Posted on 05-25-2023 05:45 AM
Hi Jamf Community,
I have been trying to set up a search for all devices that don't have a personal recovery key set. Unfortunately there is no such option. Then I thought I could just check if the FileVault encryption is "Valid". This would be great, but some of the devices in my Jamf network don't have a recovery key set but are encrypted. I was trying to figure out how to search for all of these devices so I could issue a new key for them. Is there any way to do this?
Thanks ahead,
Raffael
Posted on 05-25-2023 05:52 AM
Don't know if it works anymore, but you have to set up an extension attribute:
Check the status of the encryption:
#!/bin/bash

CORESTORAGESTATUS="/private/tmp/corestorage.txt"
ENCRYPTSTATUS="/private/tmp/encrypt_status.txt"
ENCRYPTDIRECTION="/private/tmp/encrypt_direction.txt"

osvers_major=$(sw_vers -productVersion | awk -F. '{print $1}')
osvers_minor=$(sw_vers -productVersion | awk -F. '{print $2}')

# Checks to see if the OS on the Mac is 10.x.x or later. If it is not, the
# following message is displayed without quotes and the script stops:
#
# "Unknown Version Of Mac OS X"
#
# macOS 11 and later report a major version of 11, 12, 13, ... so anything
# from 10 upward is accepted here; those releases are handled by the
# 10.13-and-later branch further down.
if [[ ${osvers_major} -lt 10 ]]; then
    echo "<result>Unknown Version Of Mac OS X</result>"
    exit 0
fi

# Checks to see if the OS on the Mac is 10.7 or higher.
# If it is not, the following message is displayed without quotes:
#
# "FileVault 2 Encryption Not Available For This Version Of Mac OS X"
if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -lt 7 ]]; then
    echo "<result>FileVault 2 Encryption Not Available For This Version Of Mac OS X</result>"
    exit 0
fi

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 7 ]] && [[ ${osvers_minor} -lt 13 ]]; then
    diskutil cs info / >> "$CORESTORAGESTATUS" 2>&1

    # If the Mac is running 10.7 through 10.12, but the boot volume
    # is not a CoreStorage volume, the following message is
    # displayed without quotes:
    #
    # "FileVault 2 Encryption Not Enabled"
    if grep -iE '/ is not a CoreStorage disk' "$CORESTORAGESTATUS" 1>/dev/null; then
        echo "<result>FileVault 2 Encryption Not Enabled</result>"
        rm -f "$CORESTORAGESTATUS"
        exit 0
    fi

    # If the Mac is running 10.7 through 10.12 and the boot volume
    # is a CoreStorage volume, the script then checks to see if
    # the machine is encrypted, encrypting, or decrypting.
    #
    # If encrypted, the following message is
    # displayed without quotes:
    # "FileVault 2 Encryption Complete"
    #
    # If encrypting, the following message is
    # displayed without quotes:
    # "FileVault 2 Encryption Proceeding."
    # How much has been encrypted of the total
    # amount of space is also displayed. If the
    # amount of encryption is for some reason not
    # known, the following message is
    # displayed without quotes:
    # "FileVault 2 Encryption Status Unknown. Please check."
    #
    # If decrypting, the following message is
    # displayed without quotes:
    # "FileVault 2 Decryption Proceeding"
    # How much has been decrypted of the total
    # amount of space is also displayed
    #
    # If fully decrypted, the following message is
    # displayed without quotes:
    # "FileVault 2 Decryption Complete"
    #
    # Get the Logical Volume UUID (aka "UUID" in diskutil cs info)
    # for the boot drive's CoreStorage volume.
    LV_UUID=$(diskutil cs info / | awk '/UUID/ {print $2;exit}')

    # Get the Logical Volume Family UUID (aka "Parent LVF UUID" in diskutil cs info)
    # for the boot drive's CoreStorage volume.
    LV_FAMILY_UUID=$(diskutil cs info / | awk '/Parent LVF UUID/ {print $4;exit}')

    CONTEXT=$(diskutil cs list "$LV_FAMILY_UUID" | awk '/Encryption Context/ {print $3;exit}')

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -eq 7 || ${osvers_minor} -eq 8 ]]; then
        CONVERTED=$(diskutil cs list "$LV_UUID" | awk '/Size \(Converted\)/ {print $5,$6;exit}')
    fi

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 9 ]]; then
        CONVERTED=$(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}')
    fi

    ENCRYPTIONEXTENTS=$(diskutil cs list "$LV_FAMILY_UUID" | awk '/Has Encrypted Extents/ {print $4;exit}')
    ENCRYPTION=$(diskutil cs list "$LV_FAMILY_UUID" | awk '/Encryption Type/ {print $3;exit}')
    SIZE=$(diskutil cs list "$LV_UUID" | awk '/Size \(Total\)/ {print $5,$6;exit}')

    # This section does 10.7-specific checking of the Mac's
    # FileVault 2 status
    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -eq 7 ]]; then
        if [ "$CONTEXT" = "Present" ]; then
            if [ "$ENCRYPTION" = "AES-XTS" ]; then
                diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $3;exit}' >> "$ENCRYPTSTATUS"
                if grep -iE 'Complete' "$ENCRYPTSTATUS" 1>/dev/null; then
                    echo "<result>FileVault 2 Encryption Complete</result>"
                else
                    if grep -iE 'Converting' "$ENCRYPTSTATUS" 1>/dev/null; then
                        diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Direction/ {print $3;exit}' >> "$ENCRYPTDIRECTION"
                        if grep -iE 'Forward' "$ENCRYPTDIRECTION" 1>/dev/null; then
                            echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
                        else
                            echo "<result>FileVault 2 Encryption Status Unknown. Please check.</result>"
                        fi
                    fi
                fi
            else
                if [ "$ENCRYPTION" = "None" ]; then
                    diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Direction/ {print $3;exit}' >> "$ENCRYPTDIRECTION"
                    if grep -iE 'Backward' "$ENCRYPTDIRECTION" 1>/dev/null; then
                        echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
                    elif grep -iE '-none-' "$ENCRYPTDIRECTION" 1>/dev/null; then
                        echo "<result>FileVault 2 Decryption Completed</result>"
                    fi
                fi
            fi
        fi
    fi
fi

# This section does checking of the Mac's FileVault 2 status
# on 10.8.x through 10.10.x
if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 8 ]] && [[ ${osvers_minor} -lt 11 ]]; then
    if [[ "$ENCRYPTIONEXTENTS" = "No" ]]; then
        echo "<result>FileVault 2 Encryption Not Enabled</result>"
    elif [[ "$ENCRYPTIONEXTENTS" = "Yes" ]]; then
        diskutil cs list "$LV_FAMILY_UUID" | awk '/Fully Secure/ {print $3;exit}' >> "$ENCRYPTSTATUS"
        if grep -iE 'Yes' "$ENCRYPTSTATUS" 1>/dev/null; then
            echo "<result>FileVault 2 Encryption Complete</result>"
        else
            if grep -iE 'No' "$ENCRYPTSTATUS" 1>/dev/null; then
                diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Direction/ {print $3;exit}' >> "$ENCRYPTDIRECTION"
                if grep -iE 'forward' "$ENCRYPTDIRECTION" 1>/dev/null; then
                    echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
                else
                    if grep -iE 'backward' "$ENCRYPTDIRECTION" 1>/dev/null; then
                        echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
                    elif grep -iE '-none-' "$ENCRYPTDIRECTION" 1>/dev/null; then
                        echo "<result>FileVault 2 Decryption Completed</result>"
                    fi
                fi
            fi
        fi
    fi
fi

# This section does checking of the Mac's FileVault 2 status
# on 10.11.x through 10.12.x
if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 11 ]] && [[ ${osvers_minor} -lt 13 ]]; then
    if [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "" ]]; then
        echo "<result>FileVault 2 Encryption Not Enabled</result>"
    elif [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "Complete" ]]; then
        echo "<result>FileVault 2 Decryption Completed</result>"
    elif [[ "$ENCRYPTION" = "AES-XTS" ]]; then
        diskutil cs list "$LV_FAMILY_UUID" | awk '/High Level Queries/ {print $4,$5;exit}' >> "$ENCRYPTSTATUS"
        if grep -iE 'Fully Secure' "$ENCRYPTSTATUS" 1>/dev/null; then
            echo "<result>FileVault 2 Encryption Complete</result>"
        else
            if grep -iE 'Not Fully' "$ENCRYPTSTATUS" 1>/dev/null; then
                if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') != "" ]]; then
                    diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}' >> "$ENCRYPTDIRECTION"
                    if grep -iE 'forward' "$ENCRYPTDIRECTION" 1>/dev/null; then
                        echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
                    elif grep -iE 'backward' "$ENCRYPTDIRECTION" 1>/dev/null; then
                        echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
                    fi
                elif [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') == "" ]]; then
                    if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $3;exit}') == "Complete" ]]; then
                        echo "<result>FileVault 2 Decryption Completed</result>"
                    fi
                fi
            fi
        fi
    fi
fi

# 10.13 and later, including macOS 11+ (major version 11, 12, 13, ...)
if [[ ${osvers_major} -ge 11 ]] || [[ ${osvers_major} -eq 10 && ${osvers_minor} -ge 13 ]]; then

    # If the OS on the Mac is 10.13 or higher, check to see if the
    # boot drive is formatted with APFS or HFS+
    boot_filesystem_check=$(/usr/sbin/diskutil info / | awk '/Type \(Bundle\)/ {print $3}')

    # If the drive is formatted with APFS, the fdesetup tool will
    # be available and is able to display the encryption status.
    if [[ "$boot_filesystem_check" = "apfs" ]]; then

        # If encrypted, the following message is
        # displayed without quotes:
        # "FileVault is On."
        #
        # If encrypting, the following message is
        # displayed without quotes:
        # "Encryption in progress:"
        # How much has been encrypted of the total
        # amount of space is also displayed.
        #
        # If decrypting, the following message is
        # displayed without quotes:
        # "Decryption in progress:"
        # How much has been decrypted of the total
        # amount of space is also displayed
        #
        # If not encrypted, the following message is
        # displayed without quotes:
        # "FileVault is Off."
        #
        # A separate variable is used here so the temp-file path in
        # ENCRYPTSTATUS is not overwritten before the cleanup at the end.
        fde_status=$(fdesetup status | xargs)

        if [[ -z $(echo "$fde_status" | awk '/Encryption | Decryption/') ]]; then
            fde_status=$(fdesetup status | head -1)
            echo "<result>$fde_status</result>"
        else
            fde_status=$(fdesetup status | tail -1)
            echo "<result>$fde_status</result>"
        fi

    elif [[ "$boot_filesystem_check" = "hfs" ]]; then

        diskutil cs info / >> "$CORESTORAGESTATUS" 2>&1

        if grep -iE '/ is not a CoreStorage disk' "$CORESTORAGESTATUS" 1>/dev/null; then
            echo "<result>FileVault 2 Encryption Not Enabled</result>"
            rm -f "$CORESTORAGESTATUS"
            exit 0
        fi

        # If the Mac is running 10.7 or higher and the boot volume
        # is a CoreStorage volume, the script then checks to see if
        # the machine is encrypted, encrypting, or decrypting.
        #
        # If encrypted, the following message is
        # displayed without quotes:
        # "FileVault 2 Encryption Complete"
        #
        # If encrypting, the following message is
        # displayed without quotes:
        # "FileVault 2 Encryption Proceeding."
        # How much has been encrypted of the total
        # amount of space is also displayed. If the
        # amount of encryption is for some reason not
        # known, the following message is
        # displayed without quotes:
        # "FileVault 2 Encryption Status Unknown. Please check."
        #
        # If decrypting, the following message is
        # displayed without quotes:
        # "FileVault 2 Decryption Proceeding"
        # How much has been decrypted of the total
        # amount of space is also displayed
        #
        # If fully decrypted, the following message is
        # displayed without quotes:
        # "FileVault 2 Decryption Complete"
        #
        # Get the Logical Volume UUID (aka "UUID" in diskutil cs info)
        # for the boot drive's CoreStorage volume.
        LV_UUID=$(diskutil cs info / | awk '/UUID/ {print $2;exit}')

        # Get the Logical Volume Family UUID (aka "Parent LVF UUID" in diskutil cs info)
        # for the boot drive's CoreStorage volume.
        LV_FAMILY_UUID=$(diskutil cs info / | awk '/Parent LVF UUID/ {print $4;exit}')

        CONTEXT=$(diskutil cs list "$LV_FAMILY_UUID" | awk '/Encryption Context/ {print $3;exit}')
        CONVERTED=$(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}')
        ENCRYPTIONEXTENTS=$(diskutil cs list "$LV_FAMILY_UUID" | awk '/Has Encrypted Extents/ {print $4;exit}')
        ENCRYPTION=$(diskutil cs list "$LV_FAMILY_UUID" | awk '/Encryption Type/ {print $3;exit}')
        SIZE=$(diskutil cs list "$LV_UUID" | awk '/Size \(Total\)/ {print $5,$6;exit}')

        # This section does checking of the Mac's FileVault 2 status if the boot drive is formatted with HFS+
        if [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "" ]]; then
            echo "<result>FileVault 2 Encryption Not Enabled</result>"
        elif [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "Complete" ]]; then
            echo "<result>FileVault 2 Decryption Completed</result>"
        elif [[ "$ENCRYPTION" = "AES-XTS" ]]; then
            diskutil cs list "$LV_FAMILY_UUID" | awk '/High Level Queries/ {print $4,$5;exit}' >> "$ENCRYPTSTATUS"
            if grep -iE 'Fully Secure' "$ENCRYPTSTATUS" 1>/dev/null; then
                echo "<result>FileVault 2 Encryption Complete</result>"
            else
                if grep -iE 'Not Fully' "$ENCRYPTSTATUS" 1>/dev/null; then
                    if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') != "" ]]; then
                        diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}' >> "$ENCRYPTDIRECTION"
                        if grep -iE 'forward' "$ENCRYPTDIRECTION" 1>/dev/null; then
                            echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
                        elif grep -iE 'backward' "$ENCRYPTDIRECTION" 1>/dev/null; then
                            echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
                        fi
                    elif [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') == "" ]]; then
                        if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $3;exit}') == "Complete" ]]; then
                            echo "<result>FileVault 2 Decryption Completed</result>"
                        fi
                    fi
                fi
            fi
        fi

    else
        # Boot volume is neither APFS nor HFS+
        echo "<result>Unknown filesystem.</result>"
    fi
fi

# Remove the temp files created during the script
if [ -f "$CORESTORAGESTATUS" ]; then
    rm -f "$CORESTORAGESTATUS"
fi

if [ -f "$ENCRYPTSTATUS" ]; then
    rm -f "$ENCRYPTSTATUS"
fi

if [ -f "$ENCRYPTDIRECTION" ]; then
    rm -f "$ENCRYPTDIRECTION"
fi

exit 0
Then create a smart group like this:
Just modify the settings in the smart group as you want.
Posted on 05-25-2023 06:00 AM
Hey mickl089,
Thanks for your quick reply. I have seen this post myself, but 1. I can't confirm if it's outdated and 2. this doesn't check if a key is present. As I already said, some of my users have an invalid or unknown FileVault 2 setup but still have a key, or even the other way round: they have no key but the disk is encrypted. I guess it will boil down to manually searching for them.
Thanks,
Raffael
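The gap raised above, that the status EA says whether the disk is encrypted but not whether a personal recovery key (PRK) exists, can be closed with one more extension attribute that reports both facts in a single string a smart group can match exactly. The script below is an added example for this thread; it is not mickl089's script, Jamf's code or anything from the original posts. It assumes macOS 10.13 or later on APFS, where `fdesetup status` and `fdesetup haspersonalrecoverykey` are available, and that the EA runs as root through the jamf binary (fdesetup needs root). The result strings and the function names `classify_fv` and `fv_main` are my own choices.

```shell
#!/bin/bash
# Added example: Jamf extension attribute reporting FileVault state together
# with whether a personal recovery key (PRK) exists on this Mac, so a smart
# group can isolate "encrypted but no PRK" devices for a key re-issue policy.
#
# Assumptions (not from the thread): macOS 10.13+ on APFS, EA runs as root,
# `fdesetup status` and `fdesetup haspersonalrecoverykey` available.

# classify_fv STATUS_TEXT PRK_FLAG
#   STATUS_TEXT: full output of `fdesetup status`
#   PRK_FLAG:    output of `fdesetup haspersonalrecoverykey` ("true"/"false")
# Prints one fixed string so the smart group criterion can use "is".
# "in progress" is tested first because fdesetup prints "FileVault is On."
# on the first line even while encryption or decryption is still running.
classify_fv() {
    local status_text="$1" prk_flag="$2"
    case "$status_text" in
        *"Encryption in progress"*) echo "Encrypting" ;;
        *"Decryption in progress"*) echo "Decrypting" ;;
        *"FileVault is On."*)
            if [ "$prk_flag" = "true" ]; then
                echo "Encrypted - PRK present"
            else
                echo "Encrypted - NO PRK"
            fi ;;
        *"FileVault is Off."*) echo "Not encrypted" ;;
        *) echo "Unknown" ;;
    esac
}

# Collect live data from fdesetup and emit the EA result.
fv_main() {
    local status_text prk_flag
    status_text=$(/usr/bin/fdesetup status 2>/dev/null || true)
    prk_flag=$(/usr/bin/fdesetup haspersonalrecoverykey 2>/dev/null || true)
    echo "<result>$(classify_fv "$status_text" "$prk_flag")</result>"
}

if [ -x /usr/bin/fdesetup ]; then
    fv_main
else
    # Not on macOS: exercise the classifier with constructed sample output
    # (these strings are made up to mirror the fdesetup message format).
    sample_on="FileVault is On."
    sample_encrypting=$(printf 'FileVault is On.\nEncryption in progress: Percent completed = 42.')
    echo "sample 1: $(classify_fv "$sample_on" "false")"
    echo "sample 2: $(classify_fv "$sample_encrypting" "true")"
fi
```

With this EA in inventory, the smart group becomes "EA is Encrypted - NO PRK", optionally combined with the FileVault status criterion already used in the thread, and that group can scope the policy that re-issues a key. One caveat: `fdesetup haspersonalrecoverykey` only says a PRK exists on the Mac, not that Jamf holds a valid escrowed copy, so keep Jamf's own individual key validation criterion in the group as well rather than replacing it with this EA.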
Posted on 05-25-2023 06:07 AM
@Raffael , I've attached an image of the smart group I use to find keys in my Org which are not valid. I can verify it works. If you set it up like this, mind the parentheses. I exclude Mac minis in our environment because they're desktops. So, if you have iMacs or other desktops, you may want to exclude those. Up to you. Hope it helps.