Solved

Turn off FileVault script


_aDiedericks

Hi there,

Does anyone have a working method of disabling FileVault maybe through a script? The FileVault user is not the prestaged local admin account but the users themselves. Most likely this will require input from the user which is completely fine.

One of the ways of doing this I thought of but may not work is to enable FileVault on the prestaged local admin through a script and then turn off FileVault altogether, but I'm just checking if anyone else dealt with this issue in a more graceful way.

Best answer by AJPinto


3 replies

AJPinto
  • Legendary Contributor
  • 2717 replies
  • Answer
  • August 24, 2023

You should be enabling and disabling FileVault with Configuration Profiles. However, fdesetup is the binary you are looking for. It is possible to fully script disabling FileVault if you have the username and password for a secure token holding account.

 

 

  • sudo fdesetup enable
  • sudo fdesetup disable

This is the script I had used to enable FileVault until recently. It can be adapted to disable FileVault simply enough.

#!/bin/bash
######################
# Exit Codes
# 0 - Success: General Success
# 1 - Failed: Admin account credentials are not correct
# 2 - Failed: Mac not domain bound, or otherwise cannot talk to the domain controller
# 3 - Failed: User account to be cached not found in Active Directory
# 4 - Success: FileVault Not enabled
######################

echo "Begin script"

######################
# Gather and verify admin account
######################
#*------------------------ STRING DECRYPTION ------------------------*#
# It is recommended to salt the password so it is not in plain text
adminUser="LocalAdminUserNameHere"
adminPass="LocalAdminPasswordHere"

# Minor version of the 10.x release line (used below to pick the directory daemon to restart)
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
check4AD=$(/usr/bin/dscl localhost -list . | grep "Active Directory")

## verify that adminUser and adminPass are both set
if [[ -z "$adminUser" ]] || [[ -z "$adminPass" ]]; then
    dialog="either Admin User or Password is missing"
    echo "$dialog"
    cmd="Tell app \"System Events\" to display dialog \"$dialog\""
    /usr/bin/osascript -e "$cmd"
    exit 1
fi

## check the admin password
# dscl -authonly prints nothing to stdout either way; its exit status is the result
if /usr/bin/dscl /Local/Default -authonly "$adminUser" "$adminPass" >/dev/null 2>&1; then
    echo "Admin password is verified"
else
    echo "Admin Password not working"
    exit 1
fi

######################
# Popups asking for user to enter userID and Password
######################
# this section uses AppleScript to prompt the user to enter their credentials, storing them in variables
# so the user name and password can be used later in the script.
echo "Prompting for userToAdd credentials."

## Prompt for Username
userToAdd=$(/usr/bin/osascript <<END
tell application "System Events"
    activate
    set the answer to text returned of (display dialog "Enter your userID:" default answer "" buttons {"Continue"} default button 1)
end tell
END
)

## Prompt for Password
userPass=$(/usr/bin/osascript <<END
tell application "System Events"
    activate
    set the answer to text returned of (display dialog "Enter your Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
END
)

loopCount=0
while [ "$loopCount" -lt 3 ]; do
    # Refresh Directory Services
    if [[ ${osvers} -ge 7 ]]; then
        /usr/bin/killall opendirectoryd
    else
        /usr/bin/killall DirectoryService
    fi
    sleep 15
    ## try to auth the user in advance. this seems to increase the success of the id command.
    /usr/bin/dscl /Search -authonly "$userToAdd" "$userPass"
    adCheck=$(id "$userToAdd")
    echo "AD Check is: $adCheck"
    if [[ -z "$adCheck" ]]; then
        ((loopCount++))
    else
        echo "AD Check successful"
        break
    fi
done

# Three failed lookups: the account is not resolvable through the directory
if [[ -z "$adCheck" ]]; then
    echo "User $userToAdd not found in Active Directory"
    exit 3
fi

######################
# Remove FV Access if existing
######################
# If the user has a FileVault token from another source this section will remove the FileVault token to prevent errors.
sleep 2
sudo fdesetup remove -user "$userToAdd"

## Get the user to be added to FV
userName=$userToAdd

# Using sysadminctl instead of fdesetup to provision a secure token
sysadminctl -adminUser "$adminUser" -adminPassword "$adminPass" -secureTokenOn "$userName" -password "$userPass"

# /dev/null can be replaced with a log file to echo the results to.
echo "${userName} has been added to the FileVault 2 list." >> /dev/null

######################
# Clean up
######################
echo "Script completed"
exit 0


_aDiedericks
  • Author
  • Contributor
  • 48 replies
  • August 24, 2023
AJPinto wrote:

You should be enabling and disabling FileVault with Configuration Profiles. However, fdesetup is the binary you are looking for. It is possible to fully script disabling FileVault if you have the username and password for a secure token holding account.

 

 

  • sudo fdesetup enable
  • sudo fdesetup disable

 

 


Thank you. I've adapted your script and tested. With a user password input the script is able to turn off FileVault.

#!/bin/bash
######################
# Prompt the user for their password
######################
# this section uses AppleScript to prompt the logged-in user for their password, storing it in a variable
# so it can be passed to fdesetup later in the script.
echo "Prompting for userToAdd credentials."

## Get the logged in user's name
userToAdd=$(/usr/bin/stat -f%Su /dev/console)

## Prompt for Password
userPass=$(/usr/bin/osascript <<END
tell application "System Events"
    activate
    set the answer to text returned of (display dialog "Enter your Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
END
)

######################
# Turn off FileVault
######################
# fdesetup disable needs the credentials of a secure-token holder; here that is the logged-in user.
sleep 2
sudo fdesetup disable -user "$userToAdd" -password "$userPass"
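As an added example (not code from the thread, from AJPinto's script, or from Jamf), here is the disable step reworked around two points a practitioner would want: the password is handed to fdesetup on stdin through its -inputplist option rather than as a -password argument (command-line arguments are visible to every local process via ps for as long as fdesetup runs), and the script first confirms that FileVault is actually on and that the user holds a secure token, since fdesetup disable fails without one. The plist keys Username and Password and the -inputplist option are the ones the fdesetup man page documents; the status strings matched ("FileVault is On." and "Secure token is ENABLED") are what fdesetup status and sysadminctl -secureTokenStatus print. The helpers that build the plist and parse those strings are pure so they can be exercised on any machine; only disable_filevault and the --run entry point touch the real tools and assume macOS with root privileges.

```shell
#!/bin/bash
# Added example, not from the thread: disable FileVault for the console user
# without exposing the password on the command line. Assumes macOS with
# /usr/bin/fdesetup and /usr/sbin/sysadminctl; the orchestration runs as root.

# Escape the XML special characters so any password survives inside a plist string.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Build the plist that `fdesetup ... -inputplist` reads from stdin.
fv_plist() {
    local user pass
    user=$(xml_escape "$1")
    pass=$(xml_escape "$2")
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
    printf '  <key>Username</key>\n  <string>%s</string>\n' "$user"
    printf '  <key>Password</key>\n  <string>%s</string>\n' "$pass"
    printf '</dict>\n</plist>\n'
}

# Map the text printed by `fdesetup status` to on / off / unknown.
fv_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# True when `sysadminctl -secureTokenStatus <user>` reports an enabled token.
has_secure_token() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *)                           return 1 ;;
    esac
}

# Orchestration: only this function calls the real tools.
# Return codes: 0 disabled or already off, 2 user has no secure token, 3 fdesetup failed.
disable_filevault() {
    local user="$1" pass="$2" status token
    status=$(/usr/bin/fdesetup status)
    if [ "$(fv_state "$status")" != on ]; then
        echo "FileVault is not on ($status); nothing to do"
        return 0
    fi
    # sysadminctl reports on stderr, so fold it into the captured text.
    token=$(/usr/sbin/sysadminctl -secureTokenStatus "$user" 2>&1)
    if ! has_secure_token "$token"; then
        echo "$user does not hold a secure token; fdesetup disable would fail" >&2
        return 2
    fi
    # The password travels on stdin, not in argv.
    fv_plist "$user" "$pass" | /usr/bin/fdesetup disable -inputplist || return 3
}

# Interactive entry point: prompt the console user, then disable.
if [ "${1:-}" = "--run" ]; then
    consoleUser=$(/usr/bin/stat -f%Su /dev/console)
    userPass=$(/usr/bin/osascript -e 'text returned of (display dialog "Enter your password:" default answer "" with hidden answer buttons {"Continue"} default button 1)')
    disable_filevault "$consoleUser" "$userPass"
fi
```

Run it as `sudo ./fv-disable.sh --run` from a management agent or a Self Service policy; without `--run` the file only defines the functions, which is what makes the parsing and plist-building logic testable on a machine that has no fdesetup. The secure-token check is the part that turns the "fdesetup disable fails silently for this user" support call into a clear exit code before any prompt is shown.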
 

 


kwoodard
  • Valued Contributor
  • 280 replies
  • December 2, 2024

Is there a way to disable FileVault for a computer without user input? I am starting to see a prompt to enable FV, but I haven't requested it. 



