Posted on 08-24-2023 12:02 PM
Hi there,
Does anyone have a working method of disabling FileVault maybe through a script? The FileVault user is not the prestaged local admin account but the users themselves. Most likely this will require input from the user which is completely fine.
One of the ways of doing this I thought of, but which may not work, is to enable FileVault on the prestaged local admin through a script and then turn off FileVault altogether, but I'm just checking if anyone else dealt with this issue in a more graceful way.
08-24-2023 12:39 PM - edited 08-24-2023 12:44 PM
You should be enabling and disabling FileVault with Configuration Profiles. However, fdesetup is the binary you are looking for. It is possible to fully script disabling FileVault if you have the username and password for a secure token holding account.
This is the script I had used to enable FileVault until recently. It can be adapted to disable FileVault simply enough.
#!/bin/bash
# Exit Codes
# 0 - Success: General Success
# 1 - Failed: Admin account credentials are not correct
# 2 - Failed: Mac not domain bound, or otherwise cannot talk to the domain controller
# 3 - Failed: User account to be cached not found in Active Directory
# 4 - Success: FileVault Not enabled
echo "Begin script"
# Gather and verify admin account
#*------------------------ STRING DECRYPTION ------------------------*#
# It is recommended to obfuscate/encrypt the password so it is not passed in plain text.
# Assumed here: the admin credentials arrive as Jamf script parameters 4 and 5.
adminUser="$4"
adminPass="$5"
osMajor=$(sw_vers -productVersion | awk -F. '{print $1}')
osMinor=$(sw_vers -productVersion | awk -F. '{print $2}')
check4AD=$(/usr/bin/dscl localhost -list . | grep "Active Directory")
## verify that the adminUser and adminPass variables were both passed to the script
if [[ -z "$adminUser" ]] || [[ -z "$adminPass" ]] ; then
  dialog="either Admin User or Password is missing"
  echo "$dialog"
  cmd="Tell app \"System Events\" to display dialog \"$dialog\""
  /usr/bin/osascript -e "$cmd"
  exit 1
fi
## check the admin password (dscl -authonly prints nothing on success, an error otherwise)
adminCheck=$(/usr/bin/dscl /Local/Default -authonly "$adminUser" "$adminPass" 2>&1)
if [[ -z "$adminCheck" ]] ; then
  echo "Admin password is verified"
else
  echo "Admin Password not working"
  exit 1
fi
## make sure the Mac is bound to Active Directory (exit code 2)
if [[ -z "$check4AD" ]] ; then
  echo "Mac is not bound to Active Directory"
  exit 2
fi
# Popups asking for user to enter userID and Password
# This section uses AppleScript to prompt the user to enter their credentials; the answers are
# stored in variables so the user name and password can be used later in the script.
echo "Prompting for userToAdd credentials."
## Prompt for Username
userToAdd=$(/usr/bin/osascript <<'EOF'
tell application "System Events"
set the answer to text returned of (display dialog "Enter your userID:" default answer "" buttons {"Continue"} default button 1)
end tell
EOF
)
## Prompt for Password
userPass=$(/usr/bin/osascript <<'EOF'
tell application "System Events"
set the answer to text returned of (display dialog "Enter your Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
EOF
)
loopCount=0
adCheck=""
while [ "$loopCount" -lt 3 ]; do
  # Refresh Directory Services (opendirectoryd replaced DirectoryService in 10.7)
  if [[ "$osMajor" -gt 10 ]] || [[ "$osMinor" -ge 7 ]]; then
    /usr/bin/killall opendirectoryd
  else
    /usr/bin/killall DirectoryService
  fi
  sleep 15
  ## try to auth the user in advance. this seems to increase the success of the id command.
  /usr/bin/dscl /Search -authonly "$userToAdd" "$userPass"
  ## id prints nothing on stdout when the account is unknown
  adCheck=$(id "$userToAdd" 2>/dev/null)
  echo "AD Check is: $adCheck"
  if [[ -n "$adCheck" ]] ; then
    echo "AD Check successful"
    break
  fi
  loopCount=$((loopCount + 1))
done
if [[ -z "$adCheck" ]] ; then
  echo "$userToAdd was not found in Active Directory"
  exit 3
fi
# Remove FV Access if existing
# If the user already has a FileVault token from another source, remove it to prevent errors.
sleep 2
sudo fdesetup remove -user "$userToAdd"
## Grant the user a secure token (which adds them to FileVault).
# Using sysadminctl instead of fdesetup to provision the token, so no "expect" block is needed.
sysadminctl -adminUser "$adminUser" -adminPassword "$adminPass" -secureTokenOn "$userToAdd" -password "$userPass"
# /dev/null can be replaced with a log file to echo the results to.
echo "${userToAdd} has been added to the FileVault 2 list." >> /dev/null
# Clean up
unset adminPass userPass
echo "Script completed"
exit 0
08-24-2023 01:56 PM - edited 08-24-2023 01:57 PM
Thank you. I've adapted your script and tested it. With a user password input the script is able to turn off FileVault.
#!/bin/bash
# Popup asking the user to enter their Password
# This section uses AppleScript to prompt the user for their password; the answer is stored
# in a variable so it can be used later in the script.
echo "Prompting for userToAdd credentials."
## Get the logged in user's name
userToAdd=$(/usr/bin/stat -f%Su /dev/console)
## Prompt for Password
userPass=$(/usr/bin/osascript <<'EOF'
tell application "System Events"
set the answer to text returned of (display dialog "Enter your Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
EOF
)
# Turn off FileVault using the logged in user's FileVault credentials
sleep 2
sudo fdesetup disable -user "$userToAdd" -password "$userPass"
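The same disable step done so that the user's password never appears on a command line (anything in argv is readable with ps); this is an added example, not code from either poster. It assumes the script runs as root (as Jamf runs it), that fdesetup's disable verb accepts -inputplist on stdin as its man page documents for enable, and that fdesetup status/list print the usual "FileVault is On./Off." and "user,UUID" lines.

```bash
# Added example: turn off FileVault for the console user. The password is fed to
# fdesetup over stdin (-inputplist) instead of argv, where `ps` could read it.
# Must run as root (Jamf runs scripts as root). Pure helpers are kept separate
# from the driver so the decision logic can be exercised on any shell.

# XML-escape a string so any password survives inside the plist.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the plist that `fdesetup ... -inputplist` reads from stdin.
build_inputplist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
  printf '<key>Username</key><string>%s</string>\n' "$(xml_escape "$1")"
  printf '<key>Password</key><string>%s</string>\n</dict></plist>\n' "$(xml_escape "$2")"
}

# Classify `fdesetup status` output (it may carry extra lines about deferred enablement).
fv_state() {
  case "$1" in
    *"FileVault is On."*)  echo on ;;
    *"FileVault is Off."*) echo off ;;
    *)                     echo unknown ;;
  esac
}

# True if user $1 appears in `fdesetup list` output ($2), which is "user,UUID" per line.
fv_user_enabled() {
  printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

main() {
  user=$(/usr/bin/stat -f%Su /dev/console)
  case "$(fv_state "$(/usr/bin/fdesetup status)")" in
    off)     echo "FileVault is already off"; exit 4 ;;   # exit code 4 as in the script above
    unknown) echo "Unexpected fdesetup status output"; exit 1 ;;
  esac
  # Only a FileVault-enabled user's password can unlock the volume to turn it off.
  if ! fv_user_enabled "$user" "$(/usr/bin/fdesetup list)"; then
    echo "$user is not a FileVault-enabled user"; exit 3
  fi
  pass=$(/usr/bin/osascript -e 'text returned of (display dialog "Enter your password to turn off FileVault:" default answer "" with hidden answer buttons {"Continue"} default button 1)')
  build_inputplist "$user" "$pass" | /usr/bin/fdesetup disable -inputplist
}

# Run the driver only on macOS and only when explicitly asked, so the helpers can be sourced.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--run" ]; then main; fi
```

Invoke it as `sudo ./disable_fv.sh --run`; without --run the file only defines the helpers.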
Posted on 12-02-2024 11:11 AM
Is there a way to disable FileVault for a computer without user input? I am starting to see a prompt to enable FV, but I haven't requested it.