FileVault 2 - Reissue Key script

jonnydford
Contributor II

Hey guys,

We use a personal key only on each Mac, but some Macs haven't been sending the key back to the JSS. We run deferred encryption, and I assume the reason we don't have the key is because they've completed the encryption at home so our JSS was not available at the time.

Assuming we have our admin account on the Mac as a FV2 user, what's the best way to reissue the FV2 key while they're in the office. I've tried it with an edited version one of JAMF's scripts (can't find it on the scripts page now but reproduced below).

Has anyone had any luck with this, and does anyone else have a lot of Macs where the key isn't being sent back to the JSS?

Script I'm testing:

#!/bin/bash

####################################################################################################
#
# Copyright (c) 2013, JAMF Software, LLC.  All rights reserved.
#
#       Redistribution and use in source and binary forms, with or without
#       modification, are permitted provided that the following conditions are met:
#               * Redistributions of source code must retain the above copyright
#                 notice, this list of conditions and the following disclaimer.
#               * Redistributions in binary form must reproduce the above copyright
#                 notice, this list of conditions and the following disclaimer in the
#                 documentation and/or other materials provided with the distribution.
#               * Neither the name of the JAMF Software, LLC nor the
#                 names of its contributors may be used to endorse or promote products
#                 derived from this software without specific prior written permission.
#
#       THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
#       EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#       WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#       DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
#       DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#       (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
#       LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
#       ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
#       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#       SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# Description
#
#   The purpose of this script is to allow a new individual recovery key to be issued
#   if the current key is invalid and the management account is not enabled for FV2,
#   or if the machine was encrypted outside of the JSS.
#
#   First put a configuration profile for FV2 recovery key redirection in place.
#   Ensure keys are being redirected to your JSS.
#
#   This script will prompt the user for their password so a new FV2 individual
#   recovery key can be issued and redirected to the JSS.
#
####################################################################################################
# 
# HISTORY
#
#   -Created by Sam Fortuna on Sept. 5, 2014
#   -Updated by Sam Fortuna on Nov. 18, 2014
#       -Added support for 10.10
#
####################################################################################################
#
## Get the logged in user's name
userName=$(/usr/bin/stat -f%Su /dev/console)

## Get the OS version
OS=`/usr/bin/sw_vers -productVersion | awk -F. {'print $2'}`

## This first user check sees if the logged in account is already authorized with FileVault 2
userCheck=`fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}'`
if [ "${userCheck}" != "${userName}" ]; then
    echo "This user is not a FileVault 2 enabled user."
    exit 3
fi

## Check to see if the encryption process is complete
encryptCheck=`fdesetup status`
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
    echo "The encryption process has not completed."
    echo "${encryptCheck}"
    exit 4
fi

echo "Issuing new recovery key"

if [[ $OS -ge 9  ]]; then
    ## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output
    expect -c "
    log_user 0
    spawn fdesetup changerecovery -personal
    expect "Enter a password for '/', or the recovery key:"
    send "adminpassword"
    log_user 1
    expect eof
    "
else
    echo "OS version not 10.9+ or OS version unrecognized"
    echo "$(/usr/bin/sw_vers -productVersion)"
    exit 5
fi

exit 0
18 REPLIES 18

nessts
Valued Contributor II

there is a built in function that was added somewhere around 9.6 to do this. 36280a72ea174c1d9bfc373ecc6a8664

elliotjordan
Contributor III

For a while, I used a modified version of the reissueKey.sh script with two important modifications:

  • It was company-branded.
  • It validated the password before trying to use it to regenerate a key.

Here's the writeup I did about it.

@nessts's solution is definitely simpler, though, so use that if you can.

jonnydford
Contributor II

Oh wow, I always assumed that didn't work as I didn't have an institutional key to use to reissue.

Thanks a lot @nessts!

jonnydford
Contributor II

Damn, spoke too soon. Works on some but not others.

Actions from policy log:
    Executing Policy Reissue Key...
    Adding personal recovery key.
    Error remediating recovery key: Authentication error.
    Running Recon...

For information, we have a JSS management account which is hidden, then a separate admin account which is FV2 enabled.

mm2270
Legendary Contributor III

I believe that process only works if your JSS management account is also enabled to unlock the Mac at the FileVault login screen. Which is why we don't use that at all.

elliotjordan
Contributor III

@mm2270 I hadn't considered that — makes perfect sense.

So if your management account is FileVault enabled, then the built-in "Issue New Recovery Key" policy feature should work.

If, on the other hand, the end user is the only FileVault enabled account, then you need something like reissueKey.sh (or my custom version, linked above).

#TIL

donmontalvo
Esteemed Contributor III

Too bad Apple won't give us username/password fields at the FileVault2 window.

--
https://donmontalvo.com

mm2270
Legendary Contributor III
Too bad Apple won't give us username/password fields at the FileVault2 window.

Yeah, if I could have one single solitary wish for a future enhancement for FileVault, it would be for Apple to figure out how to give us the option of username/password fields instead of the nonsense user icons.

Oh, and making the password sync process actually work reliably might be a good thing too. If I had a nickel for every user that opens a ticket that they just changed their password in Users & Groups but FileVault is still only taking their old password....

bpavlov
Honored Contributor

All I can say is that you should contact your Apple rep and ask for a feature to be added to make Filevault Directory Services-aware.

It's a big enough feature that would cover quite a lot of customers and would get everyone what they really want which is to be able to log in with any mobile account into the computer. It's a pretty big ask but I encourage people to make the request. If you just ask for them to add the username/password fields, it's just not something that would get priority as it would affect a small percentage of Mac users (at least from Apple's POV). I can't say more than that.

donmontalvo
Esteemed Contributor III

We were told it isn't going to happen because their not enough space there to code that stuff. Probably more code than having your color avatar in the FV2 window. :/

--
https://donmontalvo.com

bmarks
Contributor II

Someone re-wrote this script utilizing CocoaDialog, and I had much more success testing that version, but somehow I completely zoned out and lost that version of the script. Searching hasn't helped me, so might anyone be able to link to or provide the CocoaDialog version of the key re-issue script?

bmarks
Contributor II

Actually, never mind. I found it in my email of saved JAMFNAtion responses even though I couldn't find it via the JAMFNAtion search.

elliotjordan
Contributor III

Hi @bmarks. Would you mind sharing the link with us? Thanks!

bmarks
Contributor II

I can't remember where or from whom I got this, so hopefully I can post this. To recap, this script doesn't seem to have the same issues when attempting to display the popups since it isn't using AppleScript. You still need the other pieces of this process in place, however, like the FV key redirect profile. And, you'd probably want to modify this to create a variable for your path to CocoaDialog.

#!/bin/sh
# Get List of FV Users
users=$(fdesetup list | awk -F ',' '{ print $1 }')
passdialog=`/Library/Application Support/JAMF/bin/CocoaDialog.app/Contents/MacOS/CocoaDialog secure-inputbox --title "Enter Password" --informative-text "To re-issue the FileVault key, Enter the LOCAL password for any of the below users:
$users" --button1 "Continue" --button2 "Quit"`

# Get Button Clicked
passButtonClicked=$(echo "$passdialog" | awk 'NR==1{print}')

# Get User Selected
ADMINPASSWORD=$(echo "$passdialog" | awk 'NR>1{print}')  
echo $(echo "$passdialog" | awk 'NR==1{print}')
if [ $(echo "$passdialog" | awk 'NR==1{print}') = 2 ]
then
  echo "User Selected Quit"
  exit  
fi

echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Password</key>
<string>'$ADMINPASSWORD'</string>
</dict>
</plist>' > /Users/Shared/filevault.plist

KEY=$(fdesetup changerecovery -personal -inputplist < /Users/Shared/filevault.plist)
if [ $? == 0 ]
then
jamf displayMessage -message "$KEY"
echo $KEY | awk '{ print $NF }'
jamf recon
else
jamf displayMessage -message "Could NOT Set Recovery Key"
fi
rm /Users/Shared/filevault.plist

gachowski
Valued Contributor II

How about this?

In GitHub from MacBrained

bmarks
Contributor II

@gachowski That one doesn't work with certain policy triggers, including "recurring check-in." If you look at the open issue for that script, you'll see what I mean.

donmontalvo
Esteemed Contributor III

Sanity check: If the management account password is randomized, guessing it can never be FileVault 2 enabled...and thus never able to re-issue FileVault 2 key?

--
https://donmontalvo.com

mm2270
Legendary Contributor III

@donmontalvo The management account can be FileVault enabled, initially, but if the password is being rotated using the built in jamf toolset, then using it to unlock the Mac at the FV2 login screen or using it for the purpose of re-issuing a FileVault Recovery key will be impossible. FV2 won't ever know what the new password is for the account when it gets rotated outside of normal conditions. It will only remember the original password it was enabled with. And thus can't be used to re-issue a key since the script would need to pass the correct password to the fdesetup command to do that.