Admin not being enabled for FileVault

diegogut90
New Contributor III

I've been having trouble finding a way to enable my admin account for FileVault. I used a script I found here, but when it executes I get this error message. Am I missing something?
Below is the script I used:

#!/bin/bash

##########################################################################
# Enable Local Admin for FileVault 2 Automated
#
# Script Adapted from https://jamfnation.jamfsoftware.com/discussion.html?id=12143
# Adapted by Sachin Parmar
# Version 1.0
#
# Parameters:
#   $4 = Management Account Username
#   $5 = Management Account Password
#   $6 = Local Admin Username
#   $7 = Local Admin Password
##########################################################################

##########################################################################
# Pass the credentials for an admin account that is authorized with FileVault 2
##########################################################################

adminName=$4
adminPass=$5

if [ "${adminName}" == "" ]; then
    echo "Username undefined. Please pass the management account username in parameter 4"
    exit 1
fi

if [ "${adminPass}" == "" ]; then
    echo "Password undefined. Please pass the management account password in parameter 5"
    exit 1
fi

##########################################################################
# Local Admin Username and Password
##########################################################################

userName=$6
userPass=$7

##########################################################################
# Check if Local Admin is enabled for FileVault 2
# (fdesetup list prints one "username,UUID" line per enabled user)
##########################################################################

userCheck=$(fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}')
if [ "${userCheck}" == "${userName}" ]; then
    echo "This user is already added to the FileVault 2"
else
    echo "Local Admin is not enabled for FileVault 2 list"
fi

##########################################################################
# Check to see if FileVault 2 is enabled
# (re-read the status on every pass; otherwise the loop never terminates)
##########################################################################

expectedStatus="FileVault is On."
encryptCheck=$(fdesetup status)
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
while [ "${statusCheck}" != "${expectedStatus}" ]; do
    echo "Still encrypting..."
    sleep 30
    encryptCheck=$(fdesetup status)
    statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
done
echo "FileVault Encryption is Complete"

##########################################################################
# Create a temporary plist file
# (variables are double-quoted so passwords with spaces are not word-split)
##########################################################################

echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>'"$adminName"'</string>
<key>Password</key>
<string>'"$adminPass"'</string>
<key>AdditionalUsers</key>
<array>
    <dict>
        <key>Username</key>
        <string>'"$userName"'</string>
        <key>Password</key>
        <string>'"$userPass"'</string>
    </dict>
</array>
</dict>
</plist>' > /tmp/fvenable.plist

echo "created /tmp/fvenable.plist"

##########################################################################
# Enable FileVault 2 for Local Admin
##########################################################################

fdesetup add -inputplist < /tmp/fvenable.plist

##########################################################################
# Check if Local Admin account has been enabled for FileVault 2
##########################################################################

userCheck=$(fdesetup list | awk -v usrN="$userName" -F, 'index($0, usrN) {print $1}')
if [ "${userCheck}" != "${userName}" ]; then
    echo "Failed to add user to FileVault 2 list."
else
    echo "Local Admin enabled for FileVault 2"
fi

##########################################################################
# Remove temporary plist file
##########################################################################

if [[ -e /tmp/fvenable.plist ]]; then
    rm /tmp/fvenable.plist
fi
exit 0

7 replies

mm2270
Legendary Contributor III

Is your Jamf Pro management account already enabled as a FileVault authorized user? If not, the script won't work, because to add any account into FV2 you need the username/password of an account that is already an FV2 enabled user. In fact, the very first line of the script output tells you that:

Local Admin is not enabled for FileVault 2 list

diegogut90
New Contributor III

@mm2270 So when I create the user account, the user account is enabled in FileVault. My admin account does not get enabled even though it was created first.

tnielsen
Valued Contributor

It has nothing to do with the order of creation, unfortunately. It has everything to do with how FileVault is initially enabled.

I find the process to be un-intuitive myself. BitLocker on the Windows side is 10x easier to manage.

Anyway, I suggest you read the documentation on implementing an institutional key and/or making sure Casper is the method by which you first enable FileVault.

tnielsen
Valued Contributor

FYI, what I plan on doing is a full-scale deactivation/decryption of all our Macs and then re-encrypting/activating them using Casper.

We were doing manual (scripted) enabling of FileVault before we implemented Casper, so all the Casper tools to manage FileVault do not work.

flyboy
Contributor

@diegogut90, check out my response to a similar posting here. My assumption is that the problem lies in how you are creating your temporary plist. In my experience, attempting to use 'echo' to do it gives inconsistent results from time to time. I suggest you use a Here Document for things like this.

Edit -- One thing to change in that script: you need to change the 'srm' command at the end to a regular rm. Apple dropped support for srm in 10.12.
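To illustrate the here-document approach suggested above, here is an added example (not flyboy's script or the poster's): it builds the same plist with a here document, XML-escapes the values, and pipes the plist straight into fdesetup so the passwords never land in a file under /tmp. The user check matches the whole username field of `fdesetup list` instead of a substring. It still needs the credentials of an account that is already FileVault enabled, as mm2270 notes; the function names are my own.

```shell
# Escape characters that would break the plist if they occur in a password.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Exact match of one user against "fdesetup list" output ("username,UUID" per
# line), read from stdin so it can be tested without fdesetup. Exit 0 if present.
fv_user_enabled() {
  awk -F, -v u="$1" '$1 == u { found = 1 } END { exit (found ? 0 : 1) }'
}

# Emit the plist "fdesetup add -inputplist" reads (same keys as the script above).
# A here document neither word-splits nor globs the values, unlike unquoted echo.
build_fv_plist() {
  local adminName adminPass userName userPass
  adminName=$(xml_escape "$1"); adminPass=$(xml_escape "$2")
  userName=$(xml_escape "$3");  userPass=$(xml_escape "$4")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>${adminName}</string>
  <key>Password</key>
  <string>${adminPass}</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key>
      <string>${userName}</string>
      <key>Password</key>
      <string>${userPass}</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# macOS only: add the account in $3/$4 using the FV-enabled admin in $1/$2, then
# verify. Piping the plist means the passwords never sit in a /tmp file.
add_fv_user() {
  if fdesetup list | fv_user_enabled "$3"; then
    echo "$3 is already a FileVault enabled user"; return 0
  fi
  build_fv_plist "$1" "$2" "$3" "$4" | fdesetup add -inputplist
  fdesetup list | fv_user_enabled "$3" && echo "$3 enabled for FileVault 2"
}
```

In a Jamf policy the call would be `add_fv_user "$4" "$5" "$6" "$7"`, matching the parameter layout of the script in the question.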

diegogut90
New Contributor III

@Berrier I read in the other post you had that "I have to know the FileVault password of the account that's already enabled". The thing is that these machines were given out, and I am trying to enable the admin user for FileVault. For some reason, when I image the machine the user is the only one enabled for FileVault. So I'm stuck in both imaging and trying to deploy the policy. Any ideas on this would be great.

mm2270
Legendary Contributor III

@diegogut90 I think you might have to consider enabling the Jamf Pro service/management account for FileVault in your setup, which would then allow you to add in additional accounts to the FV2 authorized list, since Jamf Pro will know the password for the management account. I don't know if there's any other easy way to accomplish this. If only your end users are being prompted to enable FileVault and you don't know their passwords, then adding any other accounts in will be impossible.