With FileVault 2, how can I best add multiple local accounts?

cwaldrip
Valued Contributor

Age-old question - but how can I authorize additional local users for FileVault2?

I have their usernames, and I have their passwords. These are either accounts used by support or as generic logins.

I've seen that I can use fdesetup add --usertoadd -inputplist /path/to/plistfile, but that command prompts for a password or recovery key. I thought I could put the decoded output from my institutional recovery key (converted from cer using base64) in the plist file, but I'm still prompted for a password or recovery key.


mm2270
Legendary Contributor III

The plist route will be your best bet unless you are looking to remote into each Mac to add the users manually.
The plist is going to look something like this, where fv2acct_name and fv2acct_pass are going to be an existing FileVault-authorized account's username and password respectively, and account_name and account_password will be the account you want to add into FileVault's authorized list.
You can add in multiple accounts at once I believe by simply adding in additional <key>Username</key> and <key>Password</key> plus the respective <string> lines with the values beneath each, all under the AdditionalUsers section.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>fv2acct_name</string>
<key>Password</key>
<string>fv2acct_pass</string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>account_name</string>
<key>Password</key>
<string>account_password</string>
</dict>
</array>
</dict>
</plist>

Then use the above command to point fdesetup to it to add in the accounts. It will exit with a 0 status if successful, and not (obviously) if it fails.

One important thing to keep in mind when doing it this way is that obviously those names/passwords are in the clear in the plist file. If security is a concern, this could be a showstopper for you. If you decide to do this, make 100% certain you are deleting those plists immediately after they are successfully added to prevent them from being seen. Also, have your script generate the plist dynamically in some obscure location if possible.

cwaldrip
Valued Contributor

I was missing the first Username/Password lines. I thought I could use the institutional recovery key. I still have that added (between </array> and </dict> for those at home), but I had to have a current FileVault2 user before the array. That seems to be doing the trick now. Thanks!

rtrouton
Release Candidate Programs Tester

For more information about adding additional users with a plist, I have a post on this (see the Adding Additional Users After Filevault 2 Has Been Enabled section) available from here:

https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/

This particular post covers fdesetup on 10.10.x, but the process of adding additional users with fdesetup using a plist hasn't changed since fdesetup's introduction in 10.8.x.

rtrouton
Release Candidate Programs Tester

You can reference an institutional key in a plist, but only for certain commands (unfortunately, fdesetup add is not one of them). I have a post on this available from here:

https://derflounder.wordpress.com/2014/07/05/referencing-a-filevault-2-institutional-recovery-key-as...

This post references Mavericks, but the information also applies to Yosemite.

Archer
New Contributor

I am also trying to do this. I have the key on the JSS and it encrypts with the currently logged-on user. Problem is I won't know the fv2acct_name and fv2acct_pass since it's going to be one of the users in the company.
In the end all I want is another user at pre-boot authentication to allow me to get to the main login screen.

cwaldrip
Valued Contributor

@Archer That's kind of what I'm working on. The problem, as @mm2270 pointed out is that you have to know the username and password of at least one FileVault enabled user. This means that you can't just image the machine and hand it out unfortunately.

In my case we still have to manually install Bomgar (insert long diatribe about their lack of easy enterprise deployment), so we have to log in before we hand off the machine.

So, the workflow I'm testing is...
- Post imaging log in as a local admin account to install Bomgar (and whatever last minute updates haven't been added in Casper).
- Policy kicks off to setup FileVault on logout of that local admin user using individual key and institutional key through Casper
- On next login a policy kicks off to add additional known local accounts to FileVault
- One of these known local accounts is a standard local account used for temporary users
- On handoff to customer they can startup and unlock FileVault with the standard local account and can then add themselves to FileVault (our normal users have admin access through their NT account, so they can authenticate in System Preferences even while logged in as a standard local account)
- If FileVault has already been unlocked, and the machine is on the corporate network, they can log in with their NT account and add themselves.

Right now though I'm still stuck on adding known local accounts.

Rich (@rtrouton), thanks for the info (and your site in general). I've already spent a LOT of time there. I hope HHMI pays you a LOT of money to stay. :-)

I guess it's safe to assume that if the institutional key has been set for the initial user (through a Casper policy), it's not needed for additional users, which would mean I wouldn't need it in my plist file. So that's good.

But, in testing fdesetup add -inputplist /tmp/localusers.plist nothing happens. The terminal just sits there without responding until I cancel and nothing shows up in the console. I'm stumped.

Here's the plist I'm using...

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>filevault_enabled_account</string>
<key>Password</key>
<string>password</string>
<key>AdditionalUsers</key>
<array>
    <dict>
        <key>Username</key>
        <string>local_standard_account</string>
        <key>Password</key>
        <string>password</string>
    </dict>
</array>
</dict>
</plist>

Any thoughts? Something obvious I'm missing?

rtrouton
Release Candidate Programs Tester

@cwaldrip

fdesetup supports importing a properly formatted plist via a standard input stream (stdin):

fdesetup add -inputplist < /path/to/filename.plist

It looks like you're missing the needed stdin < in the command listed above. This updated command should work:

fdesetup add -inputplist < /tmp/localusers.plist
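The two points above (mm2270's advice to generate the plist dynamically and delete it right after a successful add, and the stdin redirection that -inputplist actually needs) fit together in one script. The following is an added example, not code from any poster in this thread: build_fv_plist writes the same plist structure shown earlier, xml_escape keeps a password containing &, <, > or quotes from corrupting the XML, and add_fv_users creates the file with mode 0600, streams it to fdesetup on stdin and removes it whether or not fdesetup succeeded. The FDESETUP variable, the name:password argument convention and the FV_AUTH_USER/FV_AUTH_PASS/SUPPORT_PASS environment variables are assumptions of this example; fdesetup itself must be run as root on the Mac.

```shell
#!/bin/bash
# Added example: generate an fdesetup "add" plist on the fly, feed it to
# fdesetup via stdin, and remove it afterwards. Not from the thread.
# FDESETUP can be overridden (e.g. by a test) to point at a stub.
set -euo pipefail

FDESETUP="${FDESETUP:-/usr/bin/fdesetup}"

# Escape the five XML special characters so a password such as
# p<a&ss"word does not break the plist or end up parsed differently.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Emit the plist on stdout.
# $1/$2: an already FileVault-enabled account and its password.
# Remaining arguments: name:password pairs for the accounts to add
# (the first colon separates the two, so passwords may contain colons).
build_fv_plist() {
    local auth_user="$1" auth_pass="$2"
    shift 2
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    printf '\t<key>Username</key>\n\t<string>%s</string>\n' "$(xml_escape "$auth_user")"
    printf '\t<key>Password</key>\n\t<string>%s</string>\n' "$(xml_escape "$auth_pass")"
    printf '\t<key>AdditionalUsers</key>\n\t<array>\n'
    local pair
    for pair in "$@"; do
        printf '\t\t<dict>\n'
        printf '\t\t\t<key>Username</key>\n\t\t\t<string>%s</string>\n' "$(xml_escape "${pair%%:*}")"
        printf '\t\t\t<key>Password</key>\n\t\t\t<string>%s</string>\n' "$(xml_escape "${pair#*:}")"
        printf '\t\t</dict>\n'
    done
    printf '\t</array>\n</dict>\n</plist>\n'
}

# Write the plist to a private (0600) temp file, stream it to fdesetup on
# stdin (-inputplist reads stdin, it does not take a path argument), then
# delete the file regardless of the outcome. Returns fdesetup's exit status.
add_fv_users() {
    local plist rc=0
    plist="$(mktemp "${TMPDIR:-/tmp}/fvadd.XXXXXX")"
    chmod 600 "$plist"
    build_fv_plist "$@" > "$plist"
    "$FDESETUP" add -inputplist < "$plist" || rc=$?
    rm -f "$plist"
    return "$rc"
}

# Example invocation (run as root on the Mac). Credentials are taken from
# the environment so they never appear on the command line or in ps output.
# Assumed variable names: FV_AUTH_USER, FV_AUTH_PASS, SUPPORT_PASS.
if [ -n "${FV_AUTH_USER:-}" ]; then
    add_fv_users "$FV_AUTH_USER" "$FV_AUTH_PASS" "support:$SUPPORT_PASS"
fi
```

Check the exit status of add_fv_users in the calling policy: 0 means fdesetup accepted the plist, anything else means the add failed, and in both cases the plaintext plist is already gone from disk.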

cwaldrip
Valued Contributor

Yep... that'd be it. I was using >, so I was writing out. sigh. :-)