├── README.md ├── decryptDrive.sh ├── addCurrentUser.sh ├── addManagementUser.sh └── reissueKey.sh /README.md: -------------------------------------------------------------------------------- 1 | Copyright (c) 2010, JAMF Software, LLC. All rights reserved. 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are met: 5 | * Redistributions of source code must retain the above copyright 6 | notice, this list of conditions and the following disclaimer. 7 | * Redistributions in binary form must reproduce the above copyright 8 | notice, this list of conditions and the following disclaimer in the 9 | documentation and/or other materials provided with the distribution. 10 | * Neither the name of the JAMF Software, LLC nor the 11 | names of its contributors may be used to endorse or promote products 12 | derived from this software without specific prior written permission. 13 | 14 | THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY 15 | EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 16 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 17 | DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY 18 | DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 19 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 20 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 21 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 23 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
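#!/bin/bash

####################################################################################################
#
# Copyright (c) 2013, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#       * Redistributions of source code must retain the above copyright
#         notice, this list of conditions and the following disclaimer.
#       * Redistributions in binary form must reproduce the above copyright
#         notice, this list of conditions and the following disclaimer in the
#         documentation and/or other materials provided with the distribution.
#       * Neither the name of the JAMF Software, LLC nor the
#         names of its contributors may be used to endorse or promote products
#         derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# Description
# This script was designed to decrypt a FV2 encrypted drive. This script must be run
# while a user that is currently enabled for FV2 is logged in.
#
# Exit codes:
#   0 - decryption has started
#   1 - FileVault is not on
#   2 - the console user is not a FileVault 2 enabled user
#   3 - fdesetup disable did not start decryption
#   4 - no password was entered at the prompt
#
####################################################################################################
#
# HISTORY
#
# Created by Sam Fortuna on October 16th, 2013
#
####################################################################################################


## Determine if drive is currently encrypted
fdeStatus=$(fdesetup status)

if [[ "${fdeStatus}" == *"FileVault is Off"* ]]; then
  echo "FileVault is not on, exiting now"
  exit 1
fi

## Get the logged in user's name (owner of the console device)
userName=$(/usr/bin/stat -f%Su /dev/console)

## Check if the currently logged in user is authorized with FileVault 2.
## `fdesetup list` prints one "username,UUID" line per enabled user; the username
## field is compared exactly so that "sam" is not satisfied by "samantha".
if ! fdesetup list | awk -F, -v usrN="${userName}" '$1 == usrN { found = 1 } END { exit !found }'; then
  echo "This user is not enabled for FileVault 2 access."
  exit 2
fi

## Get the logged in user's password via a prompt
echo "Prompting ${userName} for their login password."
userPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

if [[ -z "${userPass}" ]]; then
  echo "No password was entered, exiting now"
  exit 4
fi

## This "expect" block answers the fdesetup prompt while hiding it from output.
## The password reaches expect through the environment and is read with $env(...)
## inside Tcl: it is never part of the expect command line (which any local user can
## see in `ps`) and is never re-parsed by Tcl, so a password containing [ ] { } or $
## cannot alter the script that runs as root.
FV_USER_PASS="${userPass}" expect -c "
  log_user 0
  spawn fdesetup disable
  expect \"Enter a password for '/' or recovery key:\"
  send \"\$env(FV_USER_PASS)\r\"
  log_user 1
  expect eof
"

## Give decryption a moment to begin and verify its progress
sleep 10
fdeStatus=$(fdesetup status)

if [[ "${fdeStatus}" == *"Decryption"* ]]; then
  echo "FileVault is no longer enabled."
  exit 0
else
  echo "FileVault is On, decryption failed"
  echo "Current FV2 Status: ${fdeStatus}"
  exit 3
fi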
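#!/bin/bash

####################################################################################################
#
# Copyright (c) 2013, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#       * Redistributions of source code must retain the above copyright
#         notice, this list of conditions and the following disclaimer.
#       * Redistributions in binary form must reproduce the above copyright
#         notice, this list of conditions and the following disclaimer in the
#         documentation and/or other materials provided with the distribution.
#       * Neither the name of the JAMF Software, LLC nor the
#         names of its contributors may be used to endorse or promote products
#         derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# Description
# This script was designed to enable the currently logged in user's account the ability to unlock
# a drive that was originally encrypted with the management account using a policy from the JSS.
# The script will prompt the user for their credentials.
#
# This script was designed to be run via policy at login or via Self Service. The encryption
# process must be fully completed before this script can be successfully executed.
#
# Exit codes:
#   0 - user added to the FileVault 2 list
#   1 - parameter 4 (management account username) missing
#   2 - parameter 5 (management account password) missing
#   3 - user is already enabled for FileVault 2
#   4 - encryption has not completed
#   5 - macOS version older than 10.8 or unrecognized
#   6 - fdesetup did not add the user
#   7 - no password was entered at the prompt
#
####################################################################################################
#
# HISTORY
#
# -Created by Bryson Tyrrell on November 5th, 2012
# -Updated by Sam Fortuna on July 31, 2013
#   -Improved Error Handling
# -Updated by Sam Fortuna on January 14, 2014
#   -Added logic for Mavericks OS
# -Updated by Sam Fortuna on December 15, 2014
#   -Added logic for Yosemite OS
#   -Improved OS version handling
#
####################################################################################################
#
## Self Service policy to add the logged in user to the enabled list
## of FileVault 2 users.

## Pass the credentials for an admin account that is authorized with FileVault 2.
## NOTE: Jamf passes policy parameters as command-line arguments, so they are visible
## to local users through `ps` for the lifetime of this script; below they are at
## least kept off the expect command line.
adminName=$4
adminPass=$5

if [[ -z "${adminName}" ]]; then
  echo "Username undefined. Please pass the management account username in parameter 4"
  exit 1
fi

if [[ -z "${adminPass}" ]]; then
  echo "Password undefined. Please pass the management account password in parameter 5"
  exit 2
fi

## Get the logged in user's name
userName=$(/usr/bin/stat -f%Su /dev/console)

## Get the OS version as major.minor. Both parts are compared: the previous
## minor-only comparison treated macOS 11.0 (minor "0") as older than 10.8.
osVersion=$(/usr/bin/sw_vers -productVersion)
IFS=. read -r osMajor osMinor _ <<<"${osVersion}"
osMajor=${osMajor:-0}
osMinor=${osMinor:-0}

## Select the fdesetup prompt sequence for this release: 10.8 asks for the primary
## user name first, 10.9 and later only ask for the two passwords.
if (( osMajor > 10 || (osMajor == 10 && osMinor > 8) )); then
  promptStyle="modern"
elif (( osMajor == 10 && osMinor == 8 )); then
  promptStyle="legacy"
else
  echo "OS version not 10.8+ or OS version unrecognized"
  echo "${osVersion}"
  exit 5
fi

#######################################
# Report whether a user is on the FileVault 2 enabled list.
# `fdesetup list` prints one "username,UUID" line per enabled user; the username
# field is compared exactly rather than searched as a substring, so "sam" is not
# satisfied by "samantha".
# Arguments: $1 - short username
# Returns:   0 if the user is enabled, 1 otherwise
#######################################
fv_user_enabled() {
  fdesetup list | awk -F, -v usrN="$1" '$1 == usrN { found = 1 } END { exit !found }'
}

## This first user check sees if the logged in account is already authorized with FileVault 2
if fv_user_enabled "${userName}"; then
  echo "This user is already added to the FileVault 2 list."
  exit 3
fi

## Check to see if the encryption process is complete
encryptCheck=$(fdesetup status)
if [[ "${encryptCheck}" != *"FileVault is On."* ]] || [[ "${encryptCheck}" == *"Encryption in progress"* ]]; then
  echo "The encryption process has not completed, unable to add user at this time."
  echo "${encryptCheck}"
  exit 4
fi

## Get the logged in user's password via a prompt
echo "Prompting ${userName} for their login password."
userPass="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

if [[ -z "${userPass}" ]]; then
  echo "No password was entered, unable to add user."
  exit 7
fi

echo "Adding user to FileVault 2 list."

## The "expect" blocks answer the fdesetup prompts while hiding them from output.
## All credentials reach expect through the environment and are read with $env(...)
## inside Tcl: they never appear on the expect command line (visible in `ps`) and are
## never re-parsed by Tcl, so a password containing [ ] { } or $ cannot alter the
## script that runs as root.
if [[ "${promptStyle}" == "legacy" ]]; then
  FV_USER_NAME="${userName}" FV_USER_PASS="${userPass}" \
  FV_ADMIN_NAME="${adminName}" FV_ADMIN_PASS="${adminPass}" \
  expect -c "
    log_user 0
    spawn fdesetup add -usertoadd \$env(FV_USER_NAME)
    expect \"Enter the primary user name:\"
    send \"\$env(FV_ADMIN_NAME)\r\"
    expect \"Enter the password for the user '\$env(FV_ADMIN_NAME)':\"
    send \"\$env(FV_ADMIN_PASS)\r\"
    expect \"Enter the password for the added user '\$env(FV_USER_NAME)':\"
    send \"\$env(FV_USER_PASS)\r\"
    log_user 1
    expect eof
  "
else
  FV_USER_NAME="${userName}" FV_USER_PASS="${userPass}" FV_ADMIN_PASS="${adminPass}" \
  expect -c "
    log_user 0
    spawn fdesetup add -usertoadd \$env(FV_USER_NAME)
    expect \"Enter a password*\"
    send \"\$env(FV_ADMIN_PASS)\r\"
    expect \"Enter the password*\"
    send \"\$env(FV_USER_PASS)\r\"
    log_user 1
    expect eof
  "
fi

## This second user check sees if the logged in account was successfully added to the FileVault 2 list
if ! fv_user_enabled "${userName}"; then
  echo "Failed to add user to FileVault 2 list."
  echo "Currently enabled users:"
  fdesetup list
  exit 6
fi

echo "${userName} has been added to the FileVault 2 list."

exit 0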
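#!/bin/bash

####################################################################################################
#
# Copyright (c) 2013, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#       * Redistributions of source code must retain the above copyright
#         notice, this list of conditions and the following disclaimer.
#       * Redistributions in binary form must reproduce the above copyright
#         notice, this list of conditions and the following disclaimer in the
#         documentation and/or other materials provided with the distribution.
#       * Neither the name of the JAMF Software, LLC nor the
#         names of its contributors may be used to endorse or promote products
#         derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# Description
# This script was designed to enable the management account the ability to unlock
# a drive that was originally encrypted with the currently logged in user's account.
# The script will prompt the user for their credentials.
#
# This script was designed to be run via policy at login or via Self Service. The encryption
# process must be fully completed before this script can be successfully executed.
#
# Exit codes:
#   0 - management account added to the FileVault 2 list
#   1 - parameter 4 (management account username) missing
#   2 - parameter 5 (management account password) missing
#   3 - management account is already enabled for FileVault 2
#   4 - encryption has not completed
#   5 - macOS version older than 10.8 or unrecognized
#   6 - fdesetup did not add the management account
#   7 - no password was entered at the prompt
#
####################################################################################################
#
# HISTORY
#
# -Created by Bryson Tyrrell on November 5th, 2012
# -Updated by Sam Fortuna on July 31, 2013
#   -Improved Error Handling
# -Updated by Sam Fortuna on January 14, 2014
#   -Added logic for Mavericks OS
# -Updated by Sam Fortuna on December 15, 2014
#   -Added logic for Yosemite OS
#   -Improved OS version handling
#
####################################################################################################
#
## Self Service policy to add the management account to the enabled list
## of FileVault 2 users, authorising with the logged in user's credentials.

## Pass the credentials for the management account that should be enabled.
## NOTE: Jamf passes policy parameters as command-line arguments, so they are visible
## to local users through `ps` for the lifetime of this script; below they are at
## least kept off the expect command line.
adminName=$4
adminPass=$5

if [[ -z "${adminName}" ]]; then
  echo "Username undefined. Please pass the management account username in parameter 4"
  exit 1
fi

if [[ -z "${adminPass}" ]]; then
  echo "Password undefined. Please pass the management account password in parameter 5"
  exit 2
fi

## Get the logged in user's name. This script reads the last user recorded by
## loginwindow (the sibling scripts read the owner of /dev/console instead).
userName=$(defaults read /Library/Preferences/com.apple.loginwindow lastUserName)

## Get the OS version as major.minor. Both parts are compared: the previous
## minor-only comparison treated macOS 11.0 (minor "0") as older than 10.8.
osVersion=$(/usr/bin/sw_vers -productVersion)
IFS=. read -r osMajor osMinor _ <<<"${osVersion}"
osMajor=${osMajor:-0}
osMinor=${osMinor:-0}

## Select the fdesetup prompt sequence for this release: 10.8 asks for the primary
## user name first, 10.9 and later only ask for the two passwords.
if (( osMajor > 10 || (osMajor == 10 && osMinor > 8) )); then
  promptStyle="modern"
elif (( osMajor == 10 && osMinor == 8 )); then
  promptStyle="legacy"
else
  echo "OS version not 10.8+ or OS version unrecognized"
  echo "${osVersion}"
  exit 5
fi

#######################################
# Report whether a user is on the FileVault 2 enabled list.
# `fdesetup list` prints one "username,UUID" line per enabled user; the username
# field is compared exactly rather than searched as a substring, so "admin" is not
# satisfied by "adminbackup".
# Arguments: $1 - short username
# Returns:   0 if the user is enabled, 1 otherwise
#######################################
fv_user_enabled() {
  fdesetup list | awk -F, -v usrN="$1" '$1 == usrN { found = 1 } END { exit !found }'
}

## This first user check sees if the management account is already authorized with FileVault 2
if fv_user_enabled "${adminName}"; then
  echo "This user is already added to the FileVault 2 list."
  exit 3
fi

## Check to see if the encryption process is complete
encryptCheck=$(fdesetup status)
if [[ "${encryptCheck}" != *"FileVault is On."* ]] || [[ "${encryptCheck}" == *"Encryption in progress"* ]]; then
  echo "The encryption process has not completed, unable to add user at this time."
  echo "${encryptCheck}"
  exit 4
fi

## Get the logged in user's password via a prompt
echo "Prompting ${userName} for their login password."
userPass="$(/usr/bin/osascript -e 'Tell application "System Events" to display dialog "Please enter your login password:" default answer "" with title "Login Password" with text buttons {"Ok"} default button 1 with hidden answer' -e 'text returned of result')"

if [[ -z "${userPass}" ]]; then
  echo "No password was entered, unable to add user."
  exit 7
fi

echo "Adding user to FileVault 2 list."

## The "expect" blocks answer the fdesetup prompts while hiding them from output.
## All credentials reach expect through the environment and are read with $env(...)
## inside Tcl: they never appear on the expect command line (visible in `ps`) and are
## never re-parsed by Tcl, so a password containing [ ] { } or $ cannot alter the
## script that runs as root. The logged in user authorises; the management account
## is the one being added.
if [[ "${promptStyle}" == "legacy" ]]; then
  FV_USER_NAME="${userName}" FV_USER_PASS="${userPass}" \
  FV_ADMIN_NAME="${adminName}" FV_ADMIN_PASS="${adminPass}" \
  expect -c "
    log_user 0
    spawn fdesetup add -usertoadd \$env(FV_ADMIN_NAME)
    expect \"Enter the primary user name:\"
    send \"\$env(FV_USER_NAME)\r\"
    expect \"Enter the password for the user '\$env(FV_USER_NAME)':\"
    send \"\$env(FV_USER_PASS)\r\"
    expect \"Enter the password for the added user '\$env(FV_ADMIN_NAME)':\"
    send \"\$env(FV_ADMIN_PASS)\r\"
    log_user 1
    expect eof
  "
else
  FV_USER_PASS="${userPass}" FV_ADMIN_NAME="${adminName}" FV_ADMIN_PASS="${adminPass}" \
  expect -c "
    log_user 0
    spawn fdesetup add -usertoadd \$env(FV_ADMIN_NAME)
    expect \"Enter a password*\"
    send \"\$env(FV_USER_PASS)\r\"
    expect \"Enter the password*\"
    send \"\$env(FV_ADMIN_PASS)\r\"
    log_user 1
    expect eof
  "
fi

## This second user check sees if the management account was successfully added to the FileVault 2 list
if ! fv_user_enabled "${adminName}"; then
  echo "Failed to add user to FileVault 2 list."
  echo "Currently enabled users:"
  fdesetup list
  exit 6
fi

echo "${adminName} has been added to the FileVault 2 list."

exit 0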
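#!/bin/bash

####################################################################################################
#
# Copyright (c) 2017, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#       * Redistributions of source code must retain the above copyright
#         notice, this list of conditions and the following disclaimer.
#       * Redistributions in binary form must reproduce the above copyright
#         notice, this list of conditions and the following disclaimer in the
#         documentation and/or other materials provided with the distribution.
#       * Neither the name of the JAMF Software, LLC nor the
#         names of its contributors may be used to endorse or promote products
#         derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# Description
#
# The purpose of this script is to allow a new individual recovery key to be issued
# if the current key is invalid and the management account is not enabled for FV2,
# or if the machine was encrypted outside of the JSS.
#
# First put a configuration profile for FV2 recovery key redirection in place.
# Ensure keys are being redirected to your JSS.
#
# This script will prompt the user for their password so a new FV2 individual
# recovery key can be issued and redirected to the JSS.
#
# Exit codes:
#   0 - key changed, or the user cancelled, or the attempt limit was reached
#   3 - the console user is not a FileVault 2 enabled user
#   4 - encryption has not completed
#   5 - macOS build older than 10.9 or unrecognized
#
####################################################################################################
#
# HISTORY
#
# -Created by Sam Fortuna on Sept. 5, 2014
# -Updated by Sam Fortuna on Nov. 18, 2014
#   -Added support for 10.10
# -Updated by Sam Fortuna on June 23, 2015
#   -Properly escapes special characters in user passwords
# -Updated by Bram Cohen on May 27, 2016
#   -Pipe FV key and password to /dev/null
# -Updated by Jordan Wisniewski on Dec 5, 2016
#   -Removed quotes for 'send {${userPass}} ' so
#    passwords with spaces work.
# -Updated by Shane Brown/Kylie Bareis on Aug 29, 2017
#   - Fixed an issue with usernames that contain
#     sub-string matches of each other.
# -Updated by Bram Cohen on Jan 3, 2018
#   - 10.13 adds a new prompt for username before password in changerecovery
# -Updated by Matt Boyle on July 6, 2018
#   - Error handling, custom Window Labels, Messages and FV2 Icon
# -Updated by David Raabe on July 26, 2018
#   - Added Custom Branding to pop up windows
# -Updated by Sebastien Del Saz Alvarez on January 22, 2021
#   -Changed OS variable and relevant if statements to use OS Build rather than OS Version to avoid errors in Big Sur
####################################################################################################
#
# Parameter 4 = Set organization name in pop up window
# Parameter 5 = Failed Attempts until Stop
# Parameter 6 = Custom text for contact information.
# Parameter 7 = Custom Branding - Defaults to Self Service Icon
#
# Customizing Window

## $3 is the username Jamf passes to every policy script
selfServiceBrandIcon="/Users/$3/Library/Application Support/com.jamfsoftware.selfservice.mac/Documents/Images/brandingimage.png"
jamfBrandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns"
fileVaultIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns"

## Organisation prefix for the dialog titles (empty when parameter 4 is not set)
orgName=""
if [[ -n "$4" ]]; then
  orgName="$4 -"
fi
dialogTitle="${orgName} FileVault Key Reset"

if [[ -n "$6" ]]; then
  haltMsg="$6"
else
  haltMsg="Please Contact IT for Further assistance."
fi

if [[ -n "$7" ]]; then
  brandIcon="$7"
elif [[ -f "${selfServiceBrandIcon}" ]]; then
  brandIcon="${selfServiceBrandIcon}"
elif [[ -f "${jamfBrandIcon}" ]]; then
  brandIcon="${jamfBrandIcon}"
else
  brandIcon="${fileVaultIcon}"
fi


## Get the logged in user's name
userName=$(/usr/bin/stat -f%Su /dev/console)

## Grab the UUID of the User
userNameUUID=$(dscl . -read "/Users/${userName}/" GeneratedUID | awk '{print $2}')
if [[ -z "${userNameUUID}" ]]; then
  ## An empty UUID would match every line of `fdesetup list` below
  echo "Unable to determine the GeneratedUID of ${userName}."
  exit 3
fi

## Get the OS build. The first two characters of the build string are the Darwin
## major version (13 = 10.9, 17 = 10.13, 20 = 11). A bash substring is used because
## awk's substr($0,0,2) returns a single character on POSIX awk implementations.
buildVersion=$(/usr/bin/sw_vers -buildVersion)
BUILD=${buildVersion:0:2}
[[ "${BUILD}" =~ ^[0-9]+$ ]] || BUILD=0

## Fail on unsupported builds before asking the user for a password
if (( BUILD < 13 )); then
  echo "OS version not 10.9+ or OS version unrecognized"
  /usr/bin/sw_vers -productVersion
  exit 5
fi

## This first user check sees if the logged in account is already authorized with FileVault 2.
## `fdesetup list` prints one "username,UUID" line per enabled user; the UUID is searched
## for instead of the name so that usernames which are sub-strings of each other cannot match.
userCheck=$(fdesetup list | awk -F, -v usrN="${userNameUUID}" 'index($0, usrN) {print $1}')
if [[ "${userCheck}" != "${userName}" ]]; then
  echo "This user is not a FileVault 2 enabled user."
  exit 3
fi

## Counter for Attempts
try=0
if [[ -n "$5" ]]; then
  maxTry=$5
else
  maxTry=2
fi
[[ "${maxTry}" =~ ^[0-9]+$ ]] || maxTry=2

## Check to see if the encryption process is complete
encryptCheck=$(fdesetup status)
if [[ "${encryptCheck}" != *"FileVault is On."* ]] || [[ "${encryptCheck}" == *"Encryption in progress"* ]]; then
  echo "The encryption process has not completed."
  echo "${encryptCheck}"
  exit 4
fi

#######################################
# Show the password dialog and print the entered password to stdout.
# Values reach AppleScript through argv rather than being spliced into the script
# source, so a quote or backslash in the username, title or icon path cannot break
# (or change) the dialog.
# Globals:  userName, dialogTitle, brandIcon (read)
# Returns:  osascript's status (non-zero when the user presses Cancel)
#######################################
prompt_for_password() {
  /usr/bin/osascript - "${userName}" "${dialogTitle}" "${brandIcon}" <<'EOF'
on run argv
  set theUser to item 1 of argv
  display dialog "To generate a new FileVault key" & return & "Enter login password for '" & theUser & "'" default answer "" with title (item 2 of argv) buttons {"Cancel", "Ok"} default button 2 with icon (POSIX file (item 3 of argv)) with hidden answer
  return text returned of the result
end run
EOF
}

#######################################
# Prompt for the password and run `fdesetup changerecovery -personal` once.
# The expect output (error text, or on success the new key) is left in $result; it is
# only printed by the caller on failure, so the new key never reaches the policy log.
# The password and username reach expect through the environment and are read with
# $env(...) inside Tcl: they never appear on the expect command line (visible in
# `ps`) and are never re-parsed by Tcl, so braces or brackets in a password cannot
# break or alter the script.
# Globals:  userName, BUILD (read); userPass, result, try (written)
# Exits 0 when the user cancels the dialog.
#######################################
passwordPrompt() {
  echo "Prompting ${userName} for their login password."
  if ! userPass=$(prompt_for_password); then
    echo "User Canceled"
    exit 0
  fi
  ## One attempt is counted per password prompt (errorAlert no longer counts it again)
  try=$((try + 1))
  if (( BUILD >= 17 )); then
    ## 10.13 and later ask for the user name before the password
    result=$(FV_USER_NAME="${userName}" FV_USER_PASS="${userPass}" expect -c "
      log_user 0
      spawn fdesetup changerecovery -personal
      expect \"Enter the user name:\"
      send \"\$env(FV_USER_NAME)\r\"
      expect \"Enter a password for '/', or the recovery key:\"
      send \"\$env(FV_USER_PASS)\r\"
      log_user 1
      expect eof
    ")
  else
    ## 10.9 - 10.12. The output is no longer redirected to /dev/null: that left
    ## $result empty, so a wrong password was reported as success on these builds.
    result=$(FV_USER_PASS="${userPass}" expect -c "
      log_user 0
      spawn fdesetup changerecovery -personal
      expect \"Enter a password for '/', or the recovery key:\"
      send \"\$env(FV_USER_PASS)\r\"
      log_user 1
      expect eof
    ")
  fi
}

#######################################
# Tell the user the key was changed.
# Globals:  dialogTitle, brandIcon (read)
#######################################
successAlert() {
  /usr/bin/osascript - "${dialogTitle}" "${brandIcon}" <<'EOF'
on run argv
  display dialog "" & return & "Your FileVault Key was successfully Changed" with title (item 1 of argv) buttons {"Close"} default button 1 with icon (POSIX file (item 2 of argv))
end run
EOF
}

#######################################
# Show the fdesetup error and offer another attempt; exits 0 if the user cancels.
# Globals:  result, dialogTitle, brandIcon (read)
#######################################
errorAlert() {
  if ! /usr/bin/osascript - "${result}" "${dialogTitle}" "${brandIcon}" <<'EOF'
on run argv
  display dialog "FileVault Key not Changed" & return & (item 1 of argv) buttons {"Cancel", "Try Again"} default button 2 with title (item 2 of argv) with icon (POSIX file (item 3 of argv))
end run
EOF
  then
    echo "User Canceled"
    exit 0
  fi
}

#######################################
# Tell the user the attempt limit was reached and who to contact.
# Globals:  haltMsg, dialogTitle, brandIcon (read)
#######################################
haltAlert() {
  /usr/bin/osascript - "${haltMsg}" "${dialogTitle}" "${brandIcon}" <<'EOF'
on run argv
  display dialog "FileVault Key not changed" & return & (item 1 of argv) buttons {"Close"} default button 1 with title (item 2 of argv) with icon (POSIX file (item 3 of argv))
end run
EOF
}

## Keep prompting until the key is changed, the user cancels, or maxTry attempts fail
while true; do
  passwordPrompt
  if [[ "${result}" == *"Error"* ]]; then
    echo "Error Changing Key"
    if (( try >= maxTry )); then
      haltAlert
      echo "Quitting.. Too Many failures"
      exit 0
    else
      printf '%s\n' "${result}"
      errorAlert
    fi
  else
    echo "Successfully Changed FV2 Key"
    successAlert
    exit 0
  fi
done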