Enable Secure Token For AD Account If we have the username and password of secure token enabled account

Kavya
New Contributor

We are new to Jamf in our environment and we are in the process of enabling Disk Encryption. Now we have rolled out disk encryption policies for users on Sierra and High Sierra, where secure token does not have a role.

We have a local account on all the Macs which has a secure token and has the same password on all of them. I am looking for a script in which we can have the credentials hardcoded and which only prompts the logged-in users to enter their account password.

I would really appreciate it if someone could help me here.


kerouak
Valued Contributor

Here you go....

This will prompt the user for their password and enable secure token

Put the admin details in the relevant parameters in the Policy and add this script.

```sh
#!/bin/sh

# This script is intended to be used with JAMF Self Service. It will enable SecureToken for the currently logged in user account
# and either add it to the list of FileVault enabled users or enable FileVault using a Personal Recovery Key.
#
# Your policy must include script parameters for a SecureToken enabled administrator username and password. For more information
# on using script parameters, please see https://www.jamf.com/jamf-nation/articles/146/script-parameters.
#
# v1.2 - added debugging trace messages to confirm progress of script and confirm variables are being correctly passed - by Amos Deane - 13 Sep 2018
# v1.3 - corrected userName1

adminUser="$4"
adminPassword="$5"
userName1="$3"
userName2="$6"

# Uses AppleScript to prompt the currently logged in user for their account password.
userPassword1=$(/usr/bin/osascript <<EOT
tell application "System Events"
  activate
  display dialog "To Enable Filevault, Please enter your login password:" default answer "" buttons {"Continue"} default button 1 with hidden answer
  if button returned of result is "Continue" then
    set pwd to text returned of result
    return pwd
  end if
end tell
EOT
)

separationLine() {
  echo "----------------------------------------------------------------------------------"
}

# Enables SecureToken for the currently logged in user account.
enableSecureToken() {
  separationLine
  echo "Enables SecureToken for the currently logged in user account $userName1"
  sudo sysadminctl -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName1" -password "$userPassword1"
}

# Creates a PLIST containing the necessary administrator and user credentials.
# Note: this file holds both passwords in clear text until cleanUp removes it.
createPlist() {
  separationLine
  echo "Creating a PLIST containing the necessary administrator and user credentials"
  echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>'"$adminUser"'</string>
  <key>Password</key>
  <string>'"$adminPassword"'</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key>
      <string>'"$userName1"'</string>
      <key>Password</key>
      <string>'"$userPassword1"'</string>
    </dict>
  </array>
</dict>
</plist>' > /private/tmp/userToAdd.plist
}

# Adds the currently logged in user to the list of FileVault enabled users.
addUser() {
  separationLine
  echo "Adding the currently logged in user to the list of FileVault enabled users"
  sudo fdesetup add -i < /private/tmp/userToAdd.plist
}

# Enables FileVault using a Personal Recovery Key.
enableFileVault() {
  separationLine
  echo "Enabling FileVault using a Personal Recovery Key"
  sudo fdesetup enable -inputplist < /private/tmp/userToAdd.plist
}

# SecureToken enabled users are automatically added to the list of FileVault enabled users when FileVault is first enabled.
# Removes the specified user(s) from the list of FileVault enabled users.
removeUser() {
  separationLine
  echo "Removing the specified user(s) from the list of FileVault enabled users."
  sudo fdesetup remove -user "$adminUser"
  sudo fdesetup remove -user "$userName2"
}

# Update the preboot role volume's subject directory.
updatePreboot() {
  separationLine
  echo "Updating preboot"
  diskutil apfs updatePreboot /
}

# Deletes the PLIST containing the administrator and user credentials.
cleanUp() {
  separationLine
  echo "Cleaning up temp files"
  rm /private/tmp/userToAdd.plist
}

enableSecureToken
createPlist
if [ "$(sudo fdesetup status | head -1)" = "FileVault is On." ]; then
  separationLine
  echo "Filevault is on - adding to secure token"
  addUser
else
  separationLine
  echo "Filevault is off - enabling. Removing user"
  enableFileVault
  removeUser
fi
updatePreboot
cleanUp
```

Kavya
New Contributor

Thanks @kerouak. It worked well for us.

chenhao2018
New Contributor

Would you please share the code for us @Kavya?

KSchroeder
Contributor

@kerouak can you re-post your script with code tags ( triple backticks) around it (or, use the "terminal" icon above the editor, that looks like ">_")? It should make the code much easier to read and copy/paste for others needing the same functionality.

Kavya
New Contributor

@chenhao2018,

We are using this script only to enable secure token. To add the user to FileVault and enable FileVault we use the policy created on Jamf.

Here you go....

This will prompt the user for their password and enable secure token

Put the admin details in the relevant parameters in the Policy and add this script.

```sh
#!/bin/sh

adminUser="$4"
adminPassword="$5"
userName1="$3"
userName2="$6"

# Uses AppleScript to prompt the currently logged in user for their account password.
userPassword1=$(/usr/bin/osascript <<EOT
tell application "System Events"
  activate
  display dialog "To Enable Filevault, Please enter your login password:" default answer "" buttons {"Continue"} default button 1 with hidden answer
  if button returned of result is "Continue" then
    set pwd to text returned of result
    return pwd
  end if
end tell
EOT
)

separationLine() {
  echo "----------------------------------------------------------------------------------"
}

# Enables SecureToken for the currently logged in user account.
enableSecureToken() {
  separationLine
  echo "Enables SecureToken for the currently logged in user account $userName1"
  sudo sysadminctl -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName1" -password "$userPassword1"
}

enableSecureToken
```

Kavya
New Contributor

Hello,

This script does not validate whether the password entered for the logged-in user is right. It takes the wrong password and also changes the password for the account. Is there a way we can add validation of the password for the logged-in user?

Thanks, Kavyashree
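The check asked for in the last post, written here as an added example that is not code from any poster in this thread. It keeps the thread's Jamf parameter layout ($3 logged-in user, $4 SecureToken-enabled admin, $5 that admin's password) and verifies the typed password against Directory Services with `dscl . -authonly` before anything is passed to `sysadminctl`, so a mistyped password never reaches the command that grants the token. The function names (`hasSecureToken`, `fileVaultIsOn`, `verifyPassword`, `promptForPassword`, `main`) and the three-attempt limit are this example's own choices.

```sh
#!/bin/sh
# Added example (not the thread's script): validate the user's password before granting a
# SecureToken. Jamf passes policy parameters positionally, as in the thread's script:
# $3 = logged-in user, $4 = SecureToken-enabled admin, $5 = that admin's password.
# All function names below are this example's own, not Jamf's.

MAX_ATTEMPTS=3

# Parsing helper: does a `sysadminctl -secureTokenStatus` transcript report ENABLED?
# sysadminctl prints the status line on stderr, so callers must capture with 2>&1.
hasSecureToken() {
  case "$1" in
    *"Secure token is ENABLED"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Parsing helper: does the first line of `fdesetup status` say FileVault is on?
fileVaultIsOn() {
  case "$1" in
    "FileVault is On."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Check a local password against Directory Services without modifying the account.
# dscl exits non-zero on a wrong password. The password is visible in the process list
# for the instant the command runs, exactly as it is with sysadminctl itself.
verifyPassword() {
  /usr/bin/dscl . -authonly "$1" "$2" >/dev/null 2>&1
}

# Same AppleScript prompt the thread uses, with the message passed in per attempt.
promptForPassword() {
  /usr/bin/osascript <<EOT
tell application "System Events"
  activate
  display dialog "$1" default answer "" buttons {"Continue"} default button 1 with hidden answer
  return text returned of result
end tell
EOT
}

main() {
  userName="$3"; adminUser="$4"; adminPassword="$5"

  if hasSecureToken "$(/usr/sbin/sysadminctl -secureTokenStatus "$userName" 2>&1)"; then
    echo "$userName already holds a SecureToken; nothing to do"
    return 0
  fi

  attempt=1
  msg="To enable FileVault, please enter your login password:"
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    userPassword="$(promptForPassword "$msg")"
    if verifyPassword "$userName" "$userPassword"; then
      /usr/sbin/sysadminctl -adminUser "$adminUser" -adminPassword "$adminPassword" \
        -secureTokenOn "$userName" -password "$userPassword"
      if hasSecureToken "$(/usr/sbin/sysadminctl -secureTokenStatus "$userName" 2>&1)"; then
        echo "SecureToken enabled for $userName"
        if fileVaultIsOn "$(/usr/bin/fdesetup status)"; then
          echo "FileVault is already on; add $userName with fdesetup add (the thread's addUser step)"
        fi
        return 0
      fi
      echo "sysadminctl ran but $userName still has no SecureToken; check the admin credentials" >&2
      return 1
    fi
    msg="Incorrect password (attempt $attempt of $MAX_ATTEMPTS). Please enter your login password:"
    attempt=$((attempt + 1))
  done
  echo "Password not verified after $MAX_ATTEMPTS attempts; SecureToken not granted" >&2
  return 1
}

# Run only when the admin credentials are present (Jamf supplies $4 and $5); sourcing the
# file without them just defines the functions.
if [ -n "${4:-}" ] && [ -n "${5:-}" ]; then
  main "$@"
fi
```

Because the password is verified first, a wrong entry produces a re-prompt instead of a call to `sysadminctl`, and the final status check confirms the token was actually granted rather than trusting the command's exit code.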