Creating a new user from Self Service

jthurwood
New Contributor III

Since encrypting our Macs using FileVault we have been faced with a headache when a new user/freelance user needs to log in to them. Historically, on a Monday morning the user could log in using the traditional name/password login window, but now with encryption you can only log in with a user account that has logged in previously.
Last week I was set with the task of doing something about it. I wanted to find a way that I could get a user account created from Self Service, where a user could log in on a Friday afternoon, run a policy that would create a user and enable the user in FileVault. Please see below the script I created to do the job; you must have CocoaDialog installed, which does a brilliant job of requesting the username and password. Thanks to @stevewood for the FileVault plist part of the script.

#!/bin/bash
# Joe Thurwood 17/09/2014
#
# Create new user script, used in Self Service.
# This script will create a new user based on
# the credentials supplied. It also enables
# the user in FileVault.
#
# $4 and $5 are Jamf script parameters: the name and password of an
# account that is already enabled for FileVault (fdesetup needs one to
# authorise adding another user).

# Set cocoaDialog location
CD="/private/etc/Ogilvy/Applications/CocoaDialog.app/Contents/MacOS/CocoaDialog"

# CocoaDialog prints the button number on line 1 and the text on line 2.
# Split its output on newlines only, so a name or password containing
# spaces is not broken into several array elements.
OLDIFS="$IFS"
IFS=$'\n'

# Dialog to enter the user name and create the $USERNAME variable
rv=($("$CD" standard-inputbox --title "Username" --no-newline --informative-text "Enter the name of the new user to add"))

if [ "${rv[0]}" == "1" ]; then echo "User said OK"
elif [ "${rv[0]}" == "2" ]; then echo "Cancelling"; exit 0
fi

USERNAME="${rv[1]}"

# Dialog to enter the password and create the $PASSWORD variable
rv=($("$CD" secure-standard-inputbox --title "Password" --no-newline --informative-text "Enter the password of the new user to add"))

if [ "${rv[0]}" == "1" ]; then echo "User said OK"
elif [ "${rv[0]}" == "2" ]; then echo "Cancelling"; exit 0
fi

PASSWORD="${rv[1]}"
IFS="$OLDIFS"

# Create mobile account. Quoting keeps names and passwords with spaces intact;
# createmobileaccount fails (and so does the policy) if the directory rejects them.
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n "$USERNAME" -p "$PASSWORD" > /dev/null 2>&1

# Build the FileVault plist and feed it straight to fdesetup on stdin, so the
# passwords are never written to /tmp. Note the values are not XML-escaped:
# a password containing & < > ' or " would break the plist.
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>'"$4"'</string>
<key>Password</key>
<string>'"$5"'</string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>'"$USERNAME"'</string>
<key>Password</key>
<string>'"$PASSWORD"'</string>
</dict>
</array>
</dict>
</plist>' | sudo fdesetup add -i


RaulSantos
Contributor

Great work Joe. Nice you're still on this.

jthurwood
New Contributor III

Thanks Raul, I hope you're well.

Person
New Contributor III

Thank You!

jhbush
Valued Contributor II

@jthurwood just so I'm clear, does this work for domain accounts only, or can you create accounts named whatever you want? I'm guessing domain only, and thanks for posting this very nice example of CD.

mm2270
Legendary Contributor III

Looks like it's for domain accounts only since it's using createmobileaccount, which only works on creating accounts based in AD or some other directory service.

The only thing I want to point out with some of these scripts is that no-one seems to be verifying the password against the actual account to make sure it's the right password. I'm not certain how safe it is to rely on the end user to enter the correct password and then create the account and add it to FileVault. If someone miskeys something by accident, you've created and added an account that the actual user cannot log into come time for them to. I believe FileVault will take whatever password you pass to the xml file when adding the user and that will become the only password accepted at the pre-boot unlock screen for that account. I may be wrong on that last part, but I don't know that it actually verifies the account against AD.

There are ways of verifying an AD account name and password are accurate. If you'd like an example of how to do that I can post a script I have that uses CD to do that.

jhbush
Valued Contributor II

@mm2270 I was wondering that myself after I realized the script was using createmobileaccount. Please post your account and password check when you get a chance. I'm still trying to make better use of CD.

jthurwood
New Contributor III

@jhbush1973 This uses the createmobileaccount syntax so would only add accounts from AD.

@mm2270 If the user inputs the wrong password the account cannot be verified against AD and the policy will fail. At least that's how I expect it to work. An example of how you can verify would be useful though.

Thanks

Joe

jhbush
Valued Contributor II

@jthurwood and @mm2270 yes it fails if you enter the wrong username or wrong password.

mm2270
Legendary Contributor III

Ah, my mistake then. I see that you have the password entered as part of the createmobileaccount line, which indeed would fail if the wrong password is entered, so you're correct. I didn't see that before. That should be verification enough.
Although, what actually happens at that point? Do they just re-run the SS policy again? I have not run your script so I'm just wondering.

tkimpton
Valued Contributor II

This is great, but it's just been pointed out to me that it doesn't work if the user's AD password has a space in it :(

Any idea how to make it work with spaces?

Lotusshaney
Contributor II
dscl /Local/Default -authonly "$username" "$password"

Exit status will reflect if the password is correct or not

This will work for any directory service the Mac is bound to, so local users, AD and OD.

tkimpton
Valued Contributor II

Ok great. How can I use that in the script and make CD work with a password which has spaces in it?

CAJensen01
Contributor

tkimpton,

"$CD"
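As an added example (not the original poster's script, and not code from Lotusshaney or CAJensen01), here is how the three points raised in the thread fit together: mm2270's request that the password be verified before anything is created, Lotusshaney's `dscl -authonly` check, and tkimpton's problem with passwords containing spaces. It reads the CocoaDialog reply without word-splitting, verifies the credentials against the directory before calling createmobileaccount, XML-escapes the values so the fdesetup plist cannot be broken by characters like `&` or `<`, and pipes the plist to fdesetup so no password lands in /tmp. Assumptions: the CocoaDialog path from the original post, `$4`/`$5` as the Jamf parameters holding an already FileVault-enabled account (as in the original script), and the `/Search` directory node (it walks the authentication search path, covering local and bound directories; Lotusshaney's post uses `/Local/Default`, and `DSCL_NODE` can be set to that instead). The interactive part only runs where CocoaDialog is actually present.

```shell
#!/bin/bash
# Added example, not the original poster's script. Reads the new user's
# credentials with CocoaDialog so that spaces survive, verifies them with
# dscl -authonly before creating anything, and escapes them for the plist.

CD="/private/etc/Ogilvy/Applications/CocoaDialog.app/Contents/MacOS/CocoaDialog"  # path from the original post
DSCL="${DSCL:-/usr/bin/dscl}"          # overridable so the lookup can be stubbed offline
DSCL_NODE="${DSCL_NODE:-/Search}"      # assumption: /Search walks the auth search path; /Local/Default also works
CMA="/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount"

# Split CocoaDialog's two-line reply ("<button>\n<text>") line by line instead of
# word-splitting it, so the text keeps any spaces. Sets CD_BUTTON and CD_TEXT.
parse_cd_output() {
  CD_BUTTON=$(printf '%s\n' "$1" | sed -n '1p')
  CD_TEXT=$(printf '%s\n' "$1" | sed -n '2p')
}

# Show one input box. $1 = inputbox type, $2 = title, $3 = prompt text.
ask() {
  parse_cd_output "$("$CD" "$1" --title "$2" --no-newline --informative-text "$3")"
}

# Escape the five XML metacharacters so a password like a<b&'c cannot break the plist.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Exit status 0 only if the directory service accepts the name/password pair.
verify_credentials() {
  "$DSCL" "$DSCL_NODE" -authonly "$1" "$2" >/dev/null 2>&1
}

# Print the plist that "fdesetup add -i" reads: $1/$2 = an account already
# enabled for FileVault (Jamf parameters $4/$5 in the original), $3/$4 = user to add.
build_fv_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key><string>$(xml_escape "$1")</string>
<key>Password</key><string>$(xml_escape "$2")</string>
<key>AdditionalUsers</key>
<array><dict>
<key>Username</key><string>$(xml_escape "$3")</string>
<key>Password</key><string>$(xml_escape "$4")</string>
</dict></array>
</dict>
</plist>
EOF
}

main() {
  ask standard-inputbox "Username" "Enter the name of the new user to add"
  [ "$CD_BUTTON" = "1" ] || { echo "Cancelled"; exit 0; }
  username="$CD_TEXT"

  # Up to three attempts; nothing is created until the directory accepts the password.
  tries=0
  while :; do
    ask secure-standard-inputbox "Password" "Enter the password for $username"
    [ "$CD_BUTTON" = "1" ] || { echo "Cancelled"; exit 0; }
    password="$CD_TEXT"
    verify_credentials "$username" "$password" && break
    tries=$((tries + 1))
    [ "$tries" -lt 3 ] || { echo "Password for $username was not accepted by the directory"; exit 1; }
  done

  "$CMA" -n "$username" -p "$password" >/dev/null 2>&1
  # Pipe the plist straight into fdesetup: the passwords never touch /tmp.
  build_fv_plist "$4" "$5" "$username" "$password" | fdesetup add -i
}

# Run the interactive flow only where CocoaDialog exists (not when sourced for testing).
if [ -x "$CD" ]; then main "$@"; fi
```

Run it from a Self Service policy with the FileVault-enabled account's name and password in parameters 4 and 5, exactly as the original script expects. The retry loop answers mm2270's follow-up question: a mistyped password is caught before createmobileaccount or fdesetup run, so the user is simply asked again rather than having to re-run the policy.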