Login Script to check if enabled for FV2 and Enable FV2 if needed.

HNTIT
Contributor II

I have been baking my noodle on this one for a while now to see if I can come up with a login script that will take the $3 variable from Jamf and compare it with the "fdesetup list" output and, if the user is not on it, add them, and either pop up a second password box, or take the one they entered at login and automate it.

Nobody but IT can create local users on our machines, so the idea is that when a new AD user logs in and gets their Mobile Account created, it instantly adds them to FV2.

I just cannot get my head around structuring the output of fdesetup list so I can get an if/else check set up that will work, before I even get to using the data to add the user to the FV2 list.

Thoughts, anyone?

1 ACCEPTED SOLUTION

HNTIT
Contributor II

In place now, thanks to all

Below is the script I use, thanks to all whose work I have modified to get this working

#!/bin/bash

########################################################################################
#
# Description
#
# This script was designed to enable the currently logged in user's account the ability to unlock
# a drive that was originally encrypted with the management account using a policy from the JSS.
# The script will prompt the user for their credentials.
#
# This script was designed to be run via policy at login or via Self Service. The encryption
# process must be fully completed before this script can be successfully executed.
#
########################################################################################

## Self Service policy to add the logged in user to the enabled list
## of FileVault 2 users.

# Pass the credentials for an admin account that is authorized with FileVault 2
adminName=$4
adminPass=$5

# Outputs a Blank Line For Reporting Purposes
echo

if [ "${adminName}" == "" ]; then
    echo "Username undefined. Please pass the management account username in parameter 4"
    exit 1
fi

if [ "${adminPass}" == "" ]; then
    echo "Password undefined. Please pass the management account password in parameter 5"
    exit 2
fi

# Get the logged in user's name (Jamf passes it in parameter 3)
userName=$3

# Get the OS version (minor version number only; kept for reference, not used below)
OS=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $2}')

# This first user check sees if the logged in account is already authorized with FileVault 2.
# fdesetup list prints one "username,UUID" line per enabled user; keep the username field
# of every line that contains the logged in user's name.
userCheck=$(fdesetup list | awk -v usrN="${userName}" -F, 'index($0, usrN) {print $1}')

echo "User Logging In = ${userName}"
echo "Current FileVault User List = ${userCheck}"

# Split only on newlines so that each line of userCheck is handled as one item
IFS="
"

# Outputs a Blank Line For Reporting Purposes
echo

echo "First Check Start"
for user in $userCheck; do
    # Outputs a Blank Line For Reporting Purposes
    echo
    echo "Checking User Logging in ${userName} against ${user}"
    # Outputs a Blank Line For Reporting Purposes
    echo
    if [ "${user}" == "${userName}" ]; then
        echo "User ${userName} is already added to the FileVault 2 list."
        exit 0
    fi
done
echo "First Check End"

# Outputs a Blank Line For Reporting Purposes
echo

# Check to see if the encryption process is complete
encryptCheck=$(fdesetup status)
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
    echo "The encryption process has not completed, unable to add user at this time."
    echo "${encryptCheck}"
    exit 4
fi

# Get the logged in user's password via a prompt
echo "Prompting ${userName} for their login password."
userPass="$(osascript -e 'Tell application "System Events" to display dialog "Your account cannot unlock this Computer after a reboot. Please enter your login password to enable this." default answer "" with title "Startup Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

# Outputs a Blank Line For Reporting Purposes
echo
echo "Adding User ${userName} to FileVault 2 list."

# Feed the credentials to fdesetup as a plist on stdin so they never appear on the command line
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>Username</key>
<string>${adminName}</string>
<key>Password</key>
<string>${adminPass}</string>
<key>AdditionalUsers</key>
<array>
    <dict>
        <key>Username</key>
        <string>${userName}</string>
        <key>Password</key>
        <string>${userPass}</string>
    </dict>
</array>
</dict>
</plist>" | fdesetup add -inputplist

# Outputs a Blank Line For Reporting Purposes
echo

# This second user check sees if the logged in account was successfully added to the FileVault 2 list
userCheck=$(fdesetup list | awk -v usrN="${userName}" -F, 'index($0, usrN) {print $1}')

IFS="
"
echo "Second Check Start"
for user in $userCheck; do
    # Outputs a Blank Line For Reporting Purposes
    echo
    echo "Checking User Logging in ${userName} against ${user}"
    # Outputs a Blank Line For Reporting Purposes
    echo
    if [ "${user}" == "${userName}" ]; then
        echo "${userName} is on the FileVault 2 list."
        exit 0
    fi
done
echo "Second Check End"

# Outputs a Blank Line For Reporting Purposes
echo

echo "Failed to add user to FileVault 2 list."
echo "Currently enabled users:"
echo "${userCheck}"
exit 6
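The original question asks how to structure the `fdesetup list` output for an if/else check, and the script above answers it with an awk `index()` test. Two details a practitioner would want to tighten are shown in the following added example, which is not part of the thread's script or of JAMF's addCurrentUser.sh: the membership test compares the username field exactly (the `index()` test is a substring match, so a user "jsmith" would be reported as enabled if "jsmithson" were on the list), and the `-inputplist` document is built with XML special characters escaped, so a password containing `&`, `<`, `>` or quotes cannot corrupt the plist fed to `fdesetup add`. The function names (`fv_user_enabled`, `xml_escape`, `build_add_plist`), the `SAMPLE_FDE_LIST` constant and the placeholder passwords are all assumptions of this example; `fdesetup` itself is never called, so the block runs anywhere a POSIX shell is available.

```shell
#!/bin/bash
# Added example: exact-match FileVault 2 user check and XML-safe plist building.
# Not from the thread's script or JAMF's addCurrentUser.sh; fdesetup is not invoked.

# Constructed sample of `fdesetup list` output: one "username,UUID" line per enabled user.
SAMPLE_FDE_LIST='management,11111111-2222-3333-4444-555555555555
jsmithson,66666666-7777-8888-9999-000000000000'

# fv_user_enabled LIST USERNAME
# Succeeds (exit 0) only if USERNAME is exactly the first comma-separated field of
# some line of LIST. Unlike awk's index(), "jsmith" does not match "jsmithson".
fv_user_enabled() {
    list=$1
    name=$2
    printf '%s\n' "$list" | awk -F, -v usrN="$name" '$1 == usrN { found = 1 } END { exit !found }'
}

# xml_escape STRING
# Prints STRING with the five XML special characters replaced by entity references,
# so it can be placed inside a <string> element without breaking the document.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' \
                           -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' \
                           -e "s/'/\&apos;/g" \
                           -e 's/"/\&quot;/g'
}

# build_add_plist ADMIN_NAME ADMIN_PASS USER_NAME USER_PASS
# Prints the plist that `fdesetup add -inputplist` reads on stdin, using the same
# Username / Password / AdditionalUsers keys as the thread's script. Reading the
# credentials from stdin keeps them off the command line and out of `ps` output.
build_add_plist() {
    a_name=$(xml_escape "$1"); a_pass=$(xml_escape "$2")
    u_name=$(xml_escape "$3"); u_pass=$(xml_escape "$4")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>${a_name}</string>
    <key>Password</key>
    <string>${a_pass}</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>${u_name}</string>
            <key>Password</key>
            <string>${u_pass}</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Demonstration on the constructed list. On a real Mac the first argument would be
# "$(fdesetup list)" and the plist would be piped into `fdesetup add -inputplist`.
if fv_user_enabled "$SAMPLE_FDE_LIST" "jsmith"; then
    echo "jsmith is already enabled for FileVault 2"
else
    echo "jsmith is not enabled; plist that would be piped into fdesetup add -inputplist:"
    build_add_plist "management" "ADMIN-PASS-PLACEHOLDER" "jsmith" "USER-PASS-PLACEHOLDER"
fi
```

In the thread's script the check would become `if fv_user_enabled "$(fdesetup list)" "${userName}"; then ... exit 0; fi`, and the `echo "<?xml ..." | fdesetup add -inputplist` line would become `build_add_plist "${adminName}" "${adminPass}" "${userName}" "${userPass}" | fdesetup add -inputplist`; the rest of the flow (status check, password prompt, second check) is unchanged.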


2 REPLIES

andymcp
New Contributor III

Are you running macOS 10.12 or 10.13? If you are running 10.12 or below this workflow does the job (https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/addCurrentUser.sh) but requires a FileVault admin username and password and prompting the user for their password. 10.13 is a different can of worms as it introduces SecureTokens but it is possible with a modified version of the script.
