FileVault implementation sequence, policy of "policies"?

mccallister
Contributor

We had our jumpstart a couple weeks ago and I asked the person about enabling our two IT local admin accounts to unlock the disk after FileVault was enabled for the current user. He told us to do the following in sequence:
1. Enable FileVault for current user
2. Delete IT account #1
3. Delete IT account #2
4. Create IT account #1 enabling FV2 for account to unlock disk.
5. Create IT account #2 enabling FV2 for account to unlock disk.

For testing, I have a specific scope of test computers and execute each policy in order one at a time manually. Instead of manually running each policy, how do I create a policy that will call up those other policies and in the order I need them run?


seann
Contributor

Make unique triggers for each policy, then call them from a script in your all-in-one policy, or from Execute Process.
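One way to do what seann describes, as an added example that is not seann's or Jamf's code: a script for the all-in-one policy that runs the other policies by their custom triggers with `jamf policy -event`, in order, and stops at the first failure so a later step (such as recreating an admin account) never runs after an earlier one failed. The trigger names are hypothetical; the jamf binary path is the standard one.

```bash
#!/bin/bash
# Added example: chain Jamf policies by custom trigger, in a fixed order.
# Trigger names are hypothetical; use the custom triggers set on your own policies.
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"   # standard path of the jamf binary

run_policy_chain() {
    # Usage: run_policy_chain trigger1 trigger2 ...
    # Returns 0 when every policy ran, 1 at the first policy that exits non-zero.
    local trigger
    for trigger in "$@"; do
        echo "Running policy with custom trigger: $trigger"
        if ! "$JAMF_BIN" policy -event "$trigger"; then
            echo "Policy '$trigger' failed; stopping the chain here" >&2
            return 1
        fi
    done
    return 0
}

# Jamf passes mount point, computer name and username as $1-$3, so the
# triggers go in script parameters 4 and up, e.g.
#   fv-enable-current-user delete-it-admin-1 delete-it-admin-2 create-it-admin-1 create-it-admin-2
if [ "$#" -ge 4 ]; then
    shift 3
    run_policy_chain "$@"
fi
```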

a_stonham
Contributor II

You can do the deleting and creation in a single policy.

Use a delete user script like this with a "Before" priority

#!/bin/bash
# Jamf passes script parameters starting at $4; $4 is the short name of the user to delete
USR="$4"
if [ -z "$USR" ]; then
    echo "No user specified"
    exit 1
fi

echo "Deleting $USR"
# Quote the path so a short name with unusual characters cannot split the argument
dscl localhost delete "/Local/Default/Users/$USR"

Create a smart group called: FileVault Recovery Key Stored

Create a single policy that runs on recurring check-in scoped to the above smart group:
1. Calls delete user script on user A
2. Calls delete user script on user B
3. Recreate User A with FileVault Enabled
4. Recreate User B with FileVault Enabled
5. Enable Management account for FileVault

Within 15 minutes of the recovery key being stored in the JSS you will have your local admin accounts FV enabled. You don't even need an inventory update.