Don't let your users get locked out.
Disclaimer: think this through, read the solution. In this blog I am sharing a solution with fellow IT pros. I am offering insight into what I did to solve this issue for my own clients when I have encountered it, I am not telling you to do the same. iLogix Computer Solutions are not accountable for any issues introduced.
Scenario: You have FileVault enabled on your Macs through JAMF Pro with our Recovery Key Escrowed to JAMF Pro. This means you can help a user should they forget their Mac password and are unable to unlock their FileVault enabled Mac. FileVault will ensure that if the Mac is lost or stolen the users data will not be compromised.
We have created policies and profiles to force FileVault on our Macs in JAMF Pro.
However in JAMF Pro the inventory for some computers shows the following under inventory / Disk Encryption:
Where is the recovery key? this is serious as it could result in dataloss.
Solution: Create a bash script in JAMF Pro. Read through the script here and make any changes you need. It should not need much if any editing.
#!/bin/bash #################################################################################################### # # Copyright (c) 2017, JAMF Software, LLC. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # * Neither the name of the JAMF Software, LLC nor the # names of its contributors may be used to endorse or promote products # derived from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #################################################################################################### # # Description # # The purpose of this script is to allow a new individual recovery key to be issued # if the current key is invalid and the management account is not enabled for FV2, # or if the machine was encrypted outside of the JSS. # # First put a configuration profile for FV2 recovery key redirection in place. # Ensure keys are being redirected to your JSS. # # This script will prompt the user for their password so a new FV2 individual # recovery key can be issued and redirected to the JSS. # #################################################################################################### # # HISTORY # # -Created by Sam Fortuna on Sept. 5, 2014 # -Updated by Sam Fortuna on Nov. 18, 2014 # -Added support for 10.10 # -Updated by Sam Fortuna on June 23, 2015 # -Properly escapes special characters in user passwords # -Updated by Bram Cohen on May 27, 2016 # -Pipe FV key and password to /dev/null # -Updated by Jordan Wisniewski on Dec 5, 2016 # -Removed quotes for 'send {${userPass}} ' so # passwords with spaces work. # -Updated by Shane Brown/Kylie Bareis on Aug 29, 2017 # - Fixed an issue with usernames that contain # sub-string matches of each other. # -Updated by Bram Cohen on Jan 3, 2018 # - 10.13 adds a new prompt for username before password in changerecovery # -Updated by Matt Boyle on July 6, 2018 # - Error handeling, custom Window Lables, Messages and FV2 Icon # -Updated by David Raabe on July 26, 2018 # - Added Custom Branding to pop up windows # -Updated by Sebastien Del Saz Alvarez on January 22, 2021 # -Changed OS variable and relevant if statements to use OS Build rather than OS Version to avoid errors in Big Sur #################################################################################################### # # Parameter 4 = Set organization name in pop up window # Parameter 5 = Failed Attempts until Stop # Parameter 6 = Custom text for contact information. # Parameter 7 = Custom Branding - Defaults to Self Service Icon #Customizing Window selfServiceBrandIcon="/Users/$3/Library/Application Support/com.jamfsoftware.selfservice.mac/Documents/Images/brandingimage.png" jamfBrandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns" fileVaultIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns" if [ ! -z "$4" ] then orgName="$4 -" fi if [ ! -z "$6" ] then haltMsg="$6" else haltMsg="Please Contact IT for Further assistance." fi if [[ ! -z "$7" ]]; then brandIcon="$7" elif [[ -f $selfServiceBrandIcon ]]; then brandIcon=$selfServiceBrandIcon elif [[ -f $jamfBrandIcon ]]; then brandIcon=$jamfBrandIcon else brandIcon=$fileVaultIcon fi ## Get the logged in user's name userName=$(/usr/bin/stat -f%Su /dev/console) ## Grab the UUID of the User userNameUUID=$(dscl . -read /Users/$userName/ GeneratedUID | awk '{print $2}') ## Get the OS build BUILD=`/usr/bin/sw_vers -buildVersion | awk {'print substr ($0,0,2)'}` ## This first user check sees if the logged in account is already authorized with FileVault 2 userCheck=`fdesetup list | awk -v usrN="$userNameUUID" -F, 'match($0, usrN) {print $1}'` if [ "${userCheck}" != "${userName}" ]; then echo "This user is not a FileVault 2 enabled user." exit 3 fi ## Counter for Attempts try=0 if [ ! -z "$5" ] then maxTry=$5 else maxTry=2 fi ## Check to see if the encryption process is complete encryptCheck=`fdesetup status` statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.") expectedStatus="FileVault is On." if [ "${statusCheck}" != "${expectedStatus}" ]; then echo "The encryption process has not completed." echo "${encryptCheck}" exit 4 fi passwordPrompt () { ## Get the logged in user's password via a prompt echo "Prompting ${userName} for their login password." userPass=$(/usr/bin/osascript -e " on run display dialog \"To generate a new FileVault key\" & return & \"Enter login password for '$userName'\" default answer \"\" with title \"$orgName FileVault Key Reset\" buttons {\"Cancel\", \"Ok\"} default button 2 with icon POSIX file \"$brandIcon\" with text and hidden answer set userPass to text returned of the result return userPass end run") if [ "$?" == "1" ] then echo "User Canceled" exit 0 fi try=$((try+1)) if [[ $BUILD -ge 13 ]] && [[ $BUILD -lt 17 ]]; then ## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output result=$(expect -c " log_user 0 spawn fdesetup changerecovery -personal expect \"Enter a password for '/', or the recovery key:\" send {${userPass}} send \r log_user 1 expect eof " >> /dev/null) elif [[ $BUILD -ge 17 ]]; then result=$(expect -c " log_user 0 spawn fdesetup changerecovery -personal expect \"Enter the user name:\" send {${userName}} send \r expect \"Enter a password for '/', or the recovery key:\" send {${userPass}} send \r log_user 1 expect eof ") else echo "OS version not 10.9+ or OS version unrecognized" echo "$(/usr/bin/sw_vers -productVersion)" exit 5 fi } successAlert () { /usr/bin/osascript -e " on run display dialog \"\" & return & \"Your FileVault Key was successfully Changed\" with title \"$orgName FileVault Key Reset\" buttons {\"Close\"} default button 1 with icon POSIX file \"$brandIcon\" end run" } errorAlert () { /usr/bin/osascript -e " on run display dialog \"FileVault Key not Changed\" & return & \"$result\" buttons {\"Cancel\", \"Try Again\"} default button 2 with title \"$orgName FileVault Key Reset\" with icon POSIX file \"$brandIcon\" end run" if [ "$?" == "1" ] then echo "User Canceled" exit 0 else try=$(($try+1)) fi } haltAlert () { /usr/bin/osascript -e " on run display dialog \"FileVault Key not changed\" & return & \"$haltMsg\" buttons {\"Close\"} default button 1 with title \"$orgName FileVault Key Reset\" with icon POSIX file \"$brandIcon\" end run " } while true do passwordPrompt if [[ $result = *"Error"* ]] then echo "Error Changing Key" if [ $try -ge $maxTry ] then haltAlert echo "Quitting.. Too Many failures" exit 0 else echo $result errorAlert fi else echo "Successfully Changed FV2 Key" successAlert exit 0 fi done |
We add our script here.
Create a smart computer group in JAMF Pro to target any computer that does not have its recovery key available in JAMF Pro.
Create a policy scoped to this Smart Group and add the bash script to it. Publish it in Self Service.
Ask your users to run this script.
Next time we check our inventory we will be able to reveal the FileVault Recovery Key.
iLogix Computer Solutions are Apple and JAMF Certified. We support more than just your Mac hardware. Call us for more information and of course call us for help.
Mac support Basingstoke - Mac support Guildford - Mac support Farnborough
Mac support Reading - Mac support Camberley - Mac support Yateley
iLogix Computer Solutions - 01252 962898