Skip to main content
Question

Swift Dialog script to view personal FV keys

  • December 21, 2024
  • 0 replies
  • 4 views
S
Forum|alt.badge.img+9

Greetings All!,

Just getting started on my road to JAMF admin and am slowly building up my library of First Aid apps inside of Self service.  Trying to eliminate tickets coming my way and empowering the Help Desk to do some of this stuff.  I created this script to view the Personal FV Keys from the server without have to give anyone rights into the server.  This script is not perfect in any way, but I thought I would share it with the group nonetheless.  This using SwiftDialog for the GUI and was taken from a lot of GitHub scripts and customized it for my needs.  Enjoy!

 

 

#!/bin/zsh # This script retrieves the Personal FileVault Key for a particular computer # # Written by: Scott Kendall 12-20-2024 # Last Modified on: 12-20-2024 jamfpro_user=${4} jamfpro_password=${5} declare api_token declare api_authentication_check declare ID declare reason declare serial_num ###################################################################################################### # # Gobal "Common" variables # ###################################################################################################### export PATH=/usr/bin:/bin:/usr/sbin:/sbin LOGGED_IN_USER=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' ) USER_DIR=$( dscl . -read /Users/${LOGGED_IN_USER} NFSHomeDirectory | awk '{ print $2 }' ) SW_DIALOG="/usr/local/bin/dialog" OVERLAY_ICON="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns" SD_BANNER_IMAGE="<insert banner image here>.png" SD_WINDOW_TITLE=" View FileVault Recovery Key" LOG_STAMP=$(echo $(/bin/date +%Y%m%d)) LOG_DIR="<insert log directory here>" LOG_FILE="${LOG_DIR}/View_FileVault_Key.log" # Swift Dialog version requirements [[ -e "/usr/local/bin/dialog" ]] && SD_VERSION=$( ${SW_DIALOG} --version) || SD_VERSION="0.0.0" MIN_SD_REQUIRED_VERSION="2.3.3" DIALOG_INSTALL_POLICY="install_SwiftDialog" #################################################################################################### # # Functions # #################################################################################################### function create_log_directory () { # Ensure that the log directory and the log files exist. If they # do not then create them and set the permissions. # # RETURN: None # If the log directory doesnt exist - create it and set the permissions if [[ ! -d "${LOG_DIR}" ]]; then /bin/mkdir -p "${LOG_DIR}" /bin/chmod 755 "${LOG_DIR}" fi # If the log file does not exist - create it and set the permissions if [[ ! -f "${LOG_FILE}" ]]; then /usr/bin/touch "${LOG_FILE}" /bin/chmod 644 "${LOG_FILE}" fi } function logMe () { # Basic two pronged logging function that will log like this: # # 20231204 12:00:00: Some message here # # This function logs both to STDOUT/STDERR and a file # The log file is set by the $LOG_FILE variable. # # RETURN: None echo "${1}" 1>&2 echo "$(/bin/date '+%Y%m%d %H:%M:%S'): ${1}\\n" >> "${LOG_FILE}" } function check_swift_dialog_install () { # Check to make sure that Swift Dialog is installed and functioning correctly # Will install process if missing or corrupted # # RETURN: None logMe "Ensuring that swiftDialog version is installed..." if [[ ! -x "/usr/local/bin/dialog" ]]; then logMe "Swift Dialog is missing or corrupted - Installing from JAMF" install_swift_dialog SD_VERSION=$( ${SW_DIALOG} --version) fi if ! is-at-least "${MIN_SD_REQUIRED_VERSION}" "${SD_VERSION}"; then logMe "Swift Dialog is outdated - Installing version '${MIN_SD_REQUIRED_VERSION}' from JAMF..." install_swift_dialog else logMe "Swift Dialog is currently running: ${SD_VERSION}" fi } function install_swift_dialog () { # Install Swift dialog From JAMF # PARMS Expected: DIALOG_INSTALL_POLICY - policy # from JAMF # # RETURN: None /usr/local/bin/jamf policy -trigger ${DIALOG_INSTALL_POLICY} } function display_welcome_message () { MainDialogBody="${SW_DIALOG} \\ --bannerimage \\"${SD_BANNER_IMAGE}\\" \\ --bannertitle \\"${SD_WINDOW_TITLE}\\" \\ --icon \\"${OVERLAY_ICON}\\" --iconsize 100 \\ --message \\"Please enter the serial of the device you wish to see the FV Recovey Key for. \\n\\n You must also provide a reason for retreiving the Recovery Key.\\" \\ --messagefont name=Arial,size=17 \\ --textfield \\"Device,required\\" \\ --textfield \\"Reason,required\\" \\ --button1text \\"Continue\\" \\ --button2text \\"Quit\\" \\ --vieworder \\"dropdown,textfield\\" \\ --selecttitle \\"Serial\\",required \\ --selectvalues \\"Serial Number,Hostname\\" \\ --selectdefault \\"Hostname\\" \\ --ontop \\ --height 400 \\ --json \\ --moveable" message=$(eval "$MainDialogBody") buttonpress=$? [[ $buttonpress = 2 ]] && exit 0 #DROPDOWN=$(echo $message | awk -F '"SelectedOption" : "' '{print$2}' | awk -F '"' '{print$1}') serial_num=$(echo $message | grep "Device" | awk -F '"Device" : "' '{print$2}' | awk -F '"' '{print$1}') reason=$(echo $message | grep "Reason" | awk -F '"Reason" : "' '{print$2}' | awk -F '"' '{print$1}') # Thanks to ons-mart https://github.com/ons-mart } function Get_JAMF_DeviceID () { ID=$(curl -s -H "Accept: text/xml" -H "Authorization: Bearer ${api_token}" ${jamfpro_url}/JSSResource/computers/serialnumber/"$serial_num" | xmllint --xpath '/computer/general/id/text()' -) } function Get_JamfPro_API_Token () { # This function uses Basic Authentication to get a new bearer token for API authentication. # Use user account's username and password credentials with Basic Authorization to request a bearer token. api_token=$(/usr/bin/curl -X POST --silent -u "${jamfpro_user}:${jamfpro_password}" "${jamfpro_url}/api/v1/auth/token" | plutil -extract token raw -) } function API_Token_Valid_Check () { # Verify that API authentication is using a valid token by running an API command # which displays the authorization details associated with the current API user. # The API call will only return the HTTP status code. api_authentication_check=$(/usr/bin/curl --write-out %{http_code} --silent --output /dev/null "${jamfpro_url}/api/v1/auth" --request GET --header "Authorization: Bearer ${api_token}") } function Check_And_Renew_API_Token () { # Verify that API authentication is using a valid token by running an API command # which displays the authorization details associated with the current API user. # The API call will only return the HTTP status code. API_Token_Valid_Check # If the api_authentication_check has a value of 200, that means that the current # bearer token is valid and can be used to authenticate an API call. if [[ ${api_authentication_check} == 200 ]]; then # If the current bearer token is valid, it is used to connect to the keep-alive endpoint. This will # trigger the issuing of a new bearer token and the invalidation of the previous one. api_token=$(/usr/bin/curl "${jamfpro_url}/api/v1/auth/keep-alive" --silent --request POST --header "Authorization: Bearer ${api_token}" | plutil -extract token raw -) else # If the current bearer token is not valid, this will trigger the issuing of a new bearer token # using Basic Authentication. Get_JamfPro_API_Token fi } function FileVault_Recovery_Key_Valid_Check () { # Verify that a FileVault recovery key is available by running an API command # which checks if there is a FileVault recovery key present. # # The API call will only return the HTTP status code. filevault_recovery_key_check=$(/usr/bin/curl --write-out %{http_code} --silent --output /dev/null "${jamfpro_url}/api/v1/computers-inventory/$ID/filevault" --request GET --header "Authorization: Bearer ${api_token}") } function FileVault_Recovery_Key_Retrieval () { # Retrieves a FileVault recovery key from the computer inventory record. filevault_recovery_key_retrieved=$(/usr/bin/curl -sf --header "Authorization: Bearer ${api_token}" "${jamfpro_url}/api/v1/computers-inventory/$ID/filevault" -H "Accept: application/json" | plutil -extract personalRecoveryKey raw -) } ######################## # # Start of Main Program # ######################## # Get Jamf Pro API bearer token jamfpro_url=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url) jamfpro_url=${jamfpro_url%%/} display_welcome_message Get_JamfPro_API_Token Get_JAMF_DeviceID if [[ "${ID}" == "" ]]; then $SW_DIALOG \\ --bannerimage "${SD_BANNER_IMAGE}" \\ --bannertitle "${SD_WINDOW_TITLE}" \\ --icon "${OVERLAY_ICON}" --iconsize 100 \\ --message "Device inventory not found. \\n\\nPlease make sure the device name or serial is correct." \\ --messagefont "name=Arial,size=17" \\ --ontop \\ --moveable \\ --small exit 1 fi Check_And_Renew_API_Token FileVault_Recovery_Key_Valid_Check FileVault_Recovery_Key_Retrieval # Show the result $SW_DIALOG \\ --bannerimage "${SD_BANNER_IMAGE}" \\ --bannertitle "${SD_WINDOW_TITLE}" \\ --icon "${OVERLAY_ICON}" --iconsize 100 \\ --message "The Recovery Key for $serial_num is: <br>**$filevault_recovery_key_retrieved**" \\ --messagefont "name=Arial,size=17" \\ --width 900 \\ --ontop \\ --moveable \\ --small & exit 0

 

Just getting started on my road to JAMF admin and am slowly building up my library of First Aid apps inside of Self service.  Trying to eliminate tickets coming my way and empowering the Help Desk to do some of this stuff.  I created this script to view the Personal FV Keys from the server without have to give anyone rights into the server.  This script is not perfectly in any way, but I thought I would share it with the group nonetheless.  This using SwiftDialog for the GUI and was taken from a lot of GitHub scripts and customized it for my needs.  Enjoy!

    0 replies

    Be the first to reply!

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings