Reporting un-encrypted removable external drives.

burdett
Contributor II

Security has asked for a report of our Macs that have un-encrypted removable external drives. At first I thought I could get this from a smart group or an Advanced Computer Search, but so far I have been unsuccessful. Any ideas on how that can be done?


thoule
Valued Contributor II

This script will list all disks which are not encrypted on the Mac. You can set 'skipBootDisk' to 'yes' or 'no' as below. It'll return all disks which are connected to the machine and are not encrypted. Note that if you run this as an Extension Attribute, the data will change based on when it runs and what is connected at that time.

#!/bin/bash
#Todd Houle
#1Sept2016
# bash rather than sh: the script relies on arrays and the += operator

#set to yes or no.  if yes, then boot disk will not be listed if it's unencrypted
skipBootDisk="no"

#################################
if [ "$skipBootDisk" == "yes" ]; then
    bootDisk=$(diskutil info / | awk '/Device Node/{print $NF}')
else
    bootDisk="yomomma"
fi

#clear the array
NOTENCRYPTEDDISKS=()

# every mounted device node: df lines that begin with "/" (e.g. /dev/disk1s2)
diskList=$(df -h | awk '/^\//{print $1}')

for oneDisk in $diskList; do
    # "diskutil cs info" only succeeds on CoreStorage logical volumes; an empty
    # Conversion State means the volume is not CoreStorage, i.e. not encrypted.
    # (CoreStorage only: APFS-encrypted volumes are not covered by this check.)
    csStatus=$(diskutil cs info "$oneDisk" 2>/dev/null | awk '/Conversion State/{print $NF}')
    if [ -z "$csStatus" ]; then
        if [ "$skipBootDisk" == "yes" ] && [ "$oneDisk" == "$bootDisk" ]; then
            echo "skipping boot disk of $oneDisk"
        else
            NOTENCRYPTEDDISKS+=("$oneDisk")
        fi
    fi
done

echo "<result>"
for aDisk in "${NOTENCRYPTEDDISKS[@]}"; do
    # Volume Name comes back with leading spaces; strip them before printing
    diskName=$(diskutil info "$aDisk" | awk -F: '/Volume Name/{print $2}')
    diskNameNWS=$(echo "${diskName}" | sed -e 's/^[[:space:]]*//')
    echo "$diskNameNWS"
done
echo "</result>"

burdett
Contributor II

Thanks Todd!

How can I narrow the result to (external, physical)? In testing, the script is listing disk images and internal non-boot drives. I've tried to figure out how to modify your script to do this but so far all I have done is break it.

I'll test this some more and run this as an Extension Attribute with a smart group to email me when a computer is added to the group. This should give me the data I need to build a report and an opportunity to work with the client to remediate the issue.

mm2270
Legendary Contributor III

@burdett Here's a modified version of Todd's script above, which adds/changes just a couple of things.

First, it checks to see if the disk is a mounted disk image before trying to assess the encryption status. It's really just another nested if/then block being added for that. The relevant line is:

if [[ $(diskutil info $oneDisk | awk -F':' '/Protocol/{print $NF}' | sed 's/^ *//') != "Disk Image" ]]; then

This checks to see whether diskutil returns "Disk Image" on the line that shows the mounted disk's "Protocol" in the output. If it is a disk image, it skips checking the encryption status and moves on to the next disk in the list.

Second, I changed the way it echoes the final results so it's building the final array up front, rather than doing it later between the echo tags. Functionally there is really no difference between them. It just makes it a little more compact is all.

#!/bin/bash
#Todd Houle
#1Sept2016

# Modified by Mike Morales

#set to yes or no.  if yes, then boot disk will not be listed if it's unencrypted
skipBootDisk="no"

#################################
if [ "$skipBootDisk" == "yes" ]; then
    bootDisk=$(diskutil info / | awk '/Device Node/{print $NF}')
else
    bootDisk="yomomma"
fi

#clear the array
NOTENCRYPTEDDISKS=()

# every mounted device node: df lines that begin with "/" (e.g. /dev/disk1s2)
diskList=$(df -h | awk '/^\//{print $1}')

for oneDisk in $diskList; do
    # skip mounted DMGs: diskutil reports their Protocol as "Disk Image"
    if [[ $(diskutil info "$oneDisk" | awk -F: '/Protocol/{print $NF}' | sed 's/^ *//') != "Disk Image" ]]; then
        # no Conversion State line means the volume is not a CoreStorage LV, i.e. not encrypted
        csStatus=$(diskutil cs info "$oneDisk" 2>/dev/null | awk '/Conversion State/{print $NF}')
        if [ -z "$csStatus" ]; then
            if [ "$skipBootDisk" == "yes" ] && [ "$oneDisk" == "$bootDisk" ]; then
                echo "skipping boot disk of $oneDisk"
            else
                diskName=$(diskutil info "$oneDisk" | awk -F: '/Volume Name/{print $NF}' | sed 's/^ *//')
                NOTENCRYPTEDDISKS+=("$diskName")
            fi
        fi
    fi
done

# one volume name per line inside the EA result tags
echo "<result>$(printf '%s\n' "${NOTENCRYPTEDDISKS[@]}")</result>"

This should exclude mounted Disk Images, but still include USB, Thunderbolt, FireWire, etc. drives, as well as any other internally installed drives/partitions other than the main boot volume.

BTW, nice script @thoule. Definitely a useful EA script.
Though I'm not sure about that yomomma reference ;-)

mm2270
Legendary Contributor III

Actually I just realized you also wanted to exclude internal drives? Is that right? If so, that would involve another check. I'll modify it to include that as well and post back in a bit.

thoule
Valued Contributor II

Thanks for the updates, Mike. I've added those lines to optionally skip Internal disks.

#!/bin/bash

#Todd Houle
#1Sept2016

# List unencrypted disks.  Skips mounted DMGs.
# Modified by Mike Morales
# Remodified by Todd

#set to yes or no.
skipBootDisk="no"
skipInternal="no"

#################################

if [ "$skipBootDisk" == "yes" ]; then
    bootDisk=$(diskutil info / | awk '/Device Node/{print $NF}')
else
    bootDisk="yomomma"
fi

#clear the array
NOTENCRYPTEDDISKS=()

# every mounted device node: df lines that begin with "/" (e.g. /dev/disk1s2)
diskList=$(df -h | awk '/^\//{print $1}')

for oneDisk in $diskList; do
    # diskutil's "Device Location" is Internal or External
    isInternal=$(diskutil info "$oneDisk" | awk -F: '/Device Location/{print $NF}' | sed 's/^ *//')
    if [ "$isInternal" == "Internal" ] && [ "$skipInternal" == "yes" ]; then
        echo "skipping internal $oneDisk"
    else
        # skip mounted DMGs: diskutil reports their Protocol as "Disk Image"
        if [[ $(diskutil info "$oneDisk" | awk -F: '/Protocol/{print $NF}' | sed 's/^ *//') != "Disk Image" ]]; then
            # no Conversion State line means the volume is not a CoreStorage LV, i.e. not encrypted
            csStatus=$(diskutil cs info "$oneDisk" 2>/dev/null | awk '/Conversion State/{print $NF}')
            if [ -z "$csStatus" ]; then
                if [ "$skipBootDisk" == "yes" ] && [ "$oneDisk" == "$bootDisk" ]; then
                    echo "skipping boot disk of $oneDisk"
                else
                    diskName=$(diskutil info "$oneDisk" | awk -F: '/Volume Name/{print $NF}' | sed 's/^ *//')
                    NOTENCRYPTEDDISKS+=("$diskName")
                fi
            fi
        fi
    fi
done

# one volume name per line inside the EA result tags
echo "<result>$(printf '%s\n' "${NOTENCRYPTEDDISKS[@]}")</result>"

Euwanh
New Contributor III

To make this script more practical, would it be possible to run a check any time a USB device is connected to the machine?
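The per-volume decision that Todd's final script makes (not a disk image, not internal, no CoreStorage Conversion State) pulled out into a function, as an added example that is not code from the thread. The diskutil field names and the values "Disk Image", "External" and "Internal" are the ones the scripts above key on; the sample diskutil output below is constructed, not captured from a real Mac, so the logic can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the thread): the per-volume "report this?" decision
# of the final script, isolated so it can be tested without a Mac.
# The diskutil output strings below are constructed samples.

# field_of KEY: read diskutil-style "   Key:   value" text on stdin and print
# the value of KEY with surrounding whitespace removed (empty if absent).
field_of() {
    awk -F: -v key="$1" '
        { name = $1; sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name) }
        name == key { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
    '
}

# should_report INFO CS: exit 0 (true) when the volume is an unencrypted,
# external, physical disk. INFO is `diskutil info <dev>` output; CS is
# `diskutil cs info <dev>` output, empty when the device is not a CoreStorage LV.
should_report() {
    proto=$(printf '%s\n' "$1" | field_of "Protocol")
    location=$(printf '%s\n' "$1" | field_of "Device Location")
    conv=$(printf '%s\n' "$2" | field_of "Conversion State")
    [ "$proto" != "Disk Image" ] || return 1   # mounted DMG: skip (mm2270's check)
    [ "$location" = "External" ] || return 1   # internal disk: skip (skipInternal=yes)
    [ -z "$conv" ] || return 1                 # CoreStorage LV: the thread treats it as encrypted
    return 0
}

# ---- constructed sample diskutil output, one block per mounted volume ----
USB_INFO='   Device Node:              /dev/disk2s1
   Volume Name:              USBSTICK
   Mount Point:              /Volumes/USBSTICK
   Protocol:                 USB
   Device Location:          External'

DMG_INFO='   Device Node:              /dev/disk3s1
   Volume Name:              Installer
   Mount Point:              /Volumes/Installer
   Protocol:                 Disk Image
   Device Location:          External'

INTERNAL_INFO='   Device Node:              /dev/disk0s4
   Volume Name:              Data
   Mount Point:              /Volumes/Data
   Protocol:                 SATA
   Device Location:          Internal'

ENCRYPTED_USB_INFO='   Device Node:              /dev/disk4
   Volume Name:              Vault
   Mount Point:              /Volumes/Vault
   Protocol:                 USB
   Device Location:          External'
ENCRYPTED_USB_CS='   Role:                     Logical Volume (LV)
   Conversion State:         Complete'

# report_names: apply should_report to each sample and print the volume names
# that belong in the EA <result> body, one per line.
report_names() {
    for_volume() {
        if should_report "$1" "$2"; then
            printf '%s\n' "$1" | field_of "Volume Name"
        fi
    }
    for_volume "$USB_INFO" ""
    for_volume "$DMG_INFO" ""
    for_volume "$INTERNAL_INFO" ""
    for_volume "$ENCRYPTED_USB_INFO" "$ENCRYPTED_USB_CS"
}

# Only USBSTICK survives: the DMG, the internal partition and the CoreStorage
# volume are all filtered out.
printf '<result>\n%s\n</result>\n' "$(report_names)"
```

On a real Mac, feed should_report the output of `diskutil info "$dev"` and `diskutil cs info "$dev" 2>/dev/null` for each device from the df loop in the scripts above. Two caveats for the report: `diskutil cs` only knows CoreStorage, so on APFS (10.13 and later) the encryption check would have to read `diskutil apfs list` instead; and for the follow-up question about reacting to a USB device being plugged in, a LaunchDaemon whose plist sets the StartOnMount key to true is started by launchd every time a filesystem is mounted, which is the point at which a check like this would run.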