Skip to main content

Hi -- Thank you in advance for any help you can provide or guidance. Were still new to the JSS. JAMF helped us get a script going that, in the event a self-enrolled mac was already Filevault2'd, it was prompt the user for their local admin password, recreate the key and it would upload to the JSS. The script was working fine up to a few days ago, and we havent changed anything in the JSS. The script does run successfully, and it shows that in the logs, it also shows the new key in the client logs on the JSS.. We have a smart group that populates any mac that has an individual key that is unknown, runs the script and what used to happen was it would change to valid and be removed from that smart group. Here is the script, and this may not be enough information to help, but im hoping someone can shoot me in the right direction. 

## Get the logged in user's name
userName=$(/usr/bin/stat -f%Su /dev/console)

## Get the OS version
OS=`/usr/bin/sw_vers -productVersion | awk -F. {'print $2'}`

## This first user check sees if the logged in account is already authorized with FileVault 2
userCheck=`fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}'`
if [ "${userCheck}" != "${userName}" ]; then
    echo "This user is not a FileVault 2 enabled user."
    exit 3
fi

## Check to see if the encryption process is complete
encryptCheck=`fdesetup status`
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
    echo "The encryption process has not completed."
    echo "${encryptCheck}"
    exit 4
fi

## Get the logged in user's password via a prompt
echo "Prompting ${userName} for their login password."
userPass="$(/usr/bin/osascript -e 'Tell application "System Events" to display dialog "Enter Your Local MAC Password, This is not your UCHAD, BSDAD or CNET:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

echo "Issuing new recovery key"

if [[ $OS -ge 9  ]]; then
    ## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output
    expect -c "
    log_user 0
    spawn fdesetup changerecovery -personal
    expect "Enter a password for '/', or the recovery key:"
    send "${userPass}"
    log_user 1
    expect eof
    "
else
    echo "OS version not 10.9+ or OS version unrecognized"
    echo "$(/usr/bin/sw_vers -productVersion)"
    exit 5
fi

exit 0

Looking at the script I can see where it is asking for the user password and generating new keys etc but nothing to do with uploading to the JSS. The output would be added to the Casper logs automatically but the missing piece of the puzzle is the logic in the smart group. Could you share a screenshot of the smart group criteria?

Do you have a configuration profile installed on these machines which redirects the FV2 key to the JSS?

I'm working with support with the same issue. Keys not showing up even with the key redirection profile. Is your JSS hosted with JAMF? At this point it looks like this issue is related to that somehow.

You definitely need a configuration profile for key redirection set up on these machines for the key to bey escrowed in the JSS.

Terms & ConditionsCookie settingsAccessibility statement