├── .gitignore
├── DiskEncrypter.sh
├── Images
├── DiskEncrypter_1.png
├── DiskEncrypter_2.png
├── DiskEncrypter_3.png
└── jamfpro_custom_apps_and_settings.png
├── LICENSE
├── README.md
├── com.custom.diskencrypter.json
└── com.custom.volumewatcher.plist
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Aa][Rr][Mm]/
27 | [Aa][Rr][Mm]64/
28 | bld/
29 | [Bb]in/
30 | [Oo]bj/
31 | [Ll]og/
32 | [Ll]ogs/
33 |
34 | # Visual Studio 2015/2017 cache/options directory
35 | .vs/
36 | # Uncomment if you have tasks that create the project's static files in wwwroot
37 | #wwwroot/
38 |
39 | # Visual Studio 2017 auto generated files
40 | Generated\ Files/
41 |
42 | # MSTest test Results
43 | [Tt]est[Rr]esult*/
44 | [Bb]uild[Ll]og.*
45 |
46 | # NUnit
47 | *.VisualState.xml
48 | TestResult.xml
49 | nunit-*.xml
50 |
51 | # Build Results of an ATL Project
52 | [Dd]ebugPS/
53 | [Rr]eleasePS/
54 | dlldata.c
55 |
56 | # Benchmark Results
57 | BenchmarkDotNet.Artifacts/
58 |
59 | # .NET Core
60 | project.lock.json
61 | project.fragment.lock.json
62 | artifacts/
63 |
64 | # StyleCop
65 | StyleCopReport.xml
66 |
67 | # Files built by Visual Studio
68 | *_i.c
69 | *_p.c
70 | *_h.h
71 | *.ilk
72 | *.meta
73 | *.obj
74 | *.iobj
75 | *.pch
76 | *.pdb
77 | *.ipdb
78 | *.pgc
79 | *.pgd
80 | *.rsp
81 | *.sbr
82 | *.tlb
83 | *.tli
84 | *.tlh
85 | *.tmp
86 | *.tmp_proj
87 | *_wpftmp.csproj
88 | *.log
89 | *.vspscc
90 | *.vssscc
91 | .builds
92 | *.pidb
93 | *.svclog
94 | *.scc
95 |
96 | # Chutzpah Test files
97 | _Chutzpah*
98 |
99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 |
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 |
116 | # Visual Studio Trace Files
117 | *.e2e
118 |
119 | # TFS 2012 Local Workspace
120 | $tf/
121 |
122 | # Guidance Automation Toolkit
123 | *.gpState
124 |
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 |
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 |
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 |
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 |
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 |
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 |
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 |
153 | # Web workbench (sass)
154 | .sass-cache/
155 |
156 | # Installshield output folder
157 | [Ee]xpress/
158 |
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 |
169 | # Click-Once directory
170 | publish/
171 |
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 |
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 |
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 |
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 |
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 |
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 |
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 |
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 |
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 |
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 |
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 |
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 |
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 |
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 |
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 |
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 |
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 |
278 | # Visual Studio 6 build log
279 | *.plg
280 |
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 |
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 |
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 |
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 |
299 | # FAKE - F# Make
300 | .fake/
301 |
302 | # CodeRush personal settings
303 | .cr/personal
304 |
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 |
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 |
313 | # Tabs Studio
314 | *.tss
315 |
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 |
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 |
325 | # OpenCover UI analysis results
326 | OpenCover/
327 |
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 |
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 |
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 |
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 |
340 | # Local History for Visual Studio
341 | .localhistory/
342 |
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 |
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 |
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 |
--------------------------------------------------------------------------------
/DiskEncrypter.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Created by Thijs Xhaflaire, on 01/10/2022
4 | # Modified on 12/07/2023
5 |
6 | ## Managed Preferences
7 | ## The function readSetting is reading the settingsPlist and the configured key, if there is no key value pair then we are using the $2 default value.
8 | settingsPlist="/Library/Managed Preferences/com.custom.diskencrypter.plist"
9 |
10 | readSetting() {
11 | # $1: key
12 | # $2: default (optional)
13 | local key=$1
14 | local defaultValue=$2
15 |
16 | if ! value=$( /usr/libexec/PlistBuddy -c "Print :$key" "$settingsPlist" 2>/dev/null ); then
17 | value="$defaultValue"
18 | fi
19 | echo "$value"
20 | }
21 |
22 | readSettingsFile(){
23 | ## Read the rest of the settings and set defaults
24 |
25 | ## USER NOTIFICATION SETTINGS
26 | ## This script will use the 'swiftDialog' tool to display an information window to the end-user about the event. A signed and notarised version of this application can be downloaded from https://github.com/bartreardon/swiftDialog/releases and should be present on the device in order for it to be used.
27 | ## Set whether which notifications you want to generate to the end user.
28 | ## "yes" = the user will be notified
29 | ## "no" = the user will not be notified and actions will be skipped
30 | notifyUser=$( readSetting notifyUser "yes" )
31 | notifyUserHint=$( readSetting notifyUserHint "yes" )
32 |
33 | ## Set to yes to configure a download and installtion of swiftDialog if the binary is not installed at the notificationApp location
34 | downloadSwiftDialog=$( readSetting downloadSwiftDialog "yes" )
35 |
36 | ## General swiftDialog Settings
37 | notificationApp=$( readSetting notificationApp "/usr/local/bin/dialog" )
38 |
39 | ## swiftDialog Customization ##
40 | companyName=$( readSetting companyName "Jamf" )
41 | iconPath=$( readSetting iconPath "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns" )
42 | batteryIconPath=$( readSetting batteryIconPath "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns")
43 |
44 | ## General text section
45 | title=$( readSetting title "Unencrypted Removable Media Device detected" )
46 |
47 | subTitleBattery=$( readSetting subTitleBattery "The Mac is not connected to AC Power and therefore the removable media device can't be encrypted, plug in the AC adapter and try again")
48 | batteryExitMainButton=$( readSetting batteryExitMainButton "Quit" )
49 |
50 | subTitlePassword=$( readSetting subTitlePassword "Writing files to unencrypted removable media devices is not allowed, encrypt the disk in order to allow writing files. securely store the password and in case of loss the data will be unaccesible!" )
51 | mainButtonLabelPassword=$( readSetting mainButtonLabelPassword "Continue" )
52 |
53 | subTitleConversion=$( readSetting subTitleConversion "Writing files to unencrypted removable media devices is not allowed, encrypt the disk in order to allow writing files. we need to convert this volume to APFS before encryption. Securely store the password and in case of loss the data will be unaccesible!" )
54 | mainButtonLabelConversion=$( readSetting mainButtonLabelConversion "Convert" )
55 |
56 | subTitleEXFAT=$( readSetting subTitleEXFAT "Writing files to unencrypted removable media devices is not allowed, encrypt the disk in order to allow writing files. As this volume type does not support conversion or encryption we need to erase the volume. all existing content will be erased!!!. Securely store the password and in case of loss the data will be unaccesible!" )
57 | mainButtonLabelEXFAT=$( readSetting mainButtonLabelEXFAT "Erase existing data and encrypt" )
58 |
59 | exitButtonLabel=$( readSetting exitButtonLabel "Eject" )
60 |
61 | ## Password text and REGEX requirements
62 | secondTitlePassword=$( readSetting secondTitlePassword "Enter the password you want to use to encrypt the removable media" )
63 | placeholderPassword=$( readSetting placeholderPassword "Enter password here" )
64 | secondaryButtonLabelPassword=$( readSetting secondaryButtonLabelPassword "Mount as read-only" )
65 | passwordRegex=$( readSetting passwordRegex "^[^\s]{4,}$" )
66 | passwordRegexErrorMessage=$( readSetting passwordRegexErrorMessage "The provided password does not meet the requirements, please use at leasts 4 characters" )
67 |
68 | ## Hint text and REGEX requirements
69 | subTitleHint=$( readSetting subTitleHint "Optionally you can specify a hint, a password hint is a sort of reminder that helps the user remember their password." )
70 | mainButtonLabelHint=$( readSetting mainButtonLabelHint "Encrypt" )
71 | secondaryButtonLabelHint=$( readSetting secondaryButtonLabelHint "Encrypt w/o hint" )
72 | secondTitleHint=$( readSetting secondTitleHint "Enter the hint you want to set" )
73 | placeholderHint=$( readSetting placeholderHint "Enter hint here" )
74 | hintRegex=$( readSetting hintRegex "^[^\s]{6,}$" )
75 | hintRegexErrorMessage=$( readSetting hintRegexErrorMessage "The provided hint does not meet the requirements, please use a stronger hint that contains 6 characters" )
76 |
77 | ## Progress bar text
78 | titleProgress=$( readSetting titleProgress "Disk Encryption Progress" )
79 | subTitleProgress=$( readSetting subTitleProgress "Please wait while the external disk is being encrypted." )
80 | mainButtonLabelProgress=$( readSetting mainButtonLabelProgress "Exit" )
81 |
82 | }
83 |
84 | ###########################################
85 | ############ Do not edit below ############
86 | ###########################################
87 |
88 | ## Script variables
89 | loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
90 | ExternalDisks=$(diskutil list external physical | grep "/dev/disk" | awk '{print $1}')
91 |
92 | readSettingsFile
93 |
94 | ## Check if the mounted External Disk is external, physical and continue
95 | if [[ -z $ExternalDisks ]]; then
96 | echo "no external disks mounted"
97 | logger "DiskEncrypter: no external disks mounted"
98 | exit 0
99 | else
100 | ## Echo external disk mounted
101 | echo "external disk mounted"
102 | logger "DiskEncrypter: external disk mounted"
103 |
104 | ## Loop through Storage Volume Types
105 | StorageType=$(diskutil list "$ExternalDisks")
106 |
107 | if [[ $StorageType =~ "Apple_APFS" ]]; then
108 | echo "The external media volume type is APFS"
109 | logger "DiskEncrypter: The external media volume type is APFS"
110 | StorageType='APFS'
111 |
112 | ## Check the DiskID of the APFS container and report the encryption state
113 | DiskID=$(diskutil list "$ExternalDisks" | grep -o '\(Container disk[0-9s]*\)' | awk '{print $2}')
114 | echo "Disk ID is $DiskID"
115 | logger "DiskEncrypter: Disk ID is $DiskID"
116 | VolumeID=$(df -h | grep "$DiskID" |awk '{print $1}' | sed 's|^/dev/||')
117 | echo "$VolumeID"
118 | FileVaultStatus=$(diskutil apfs list "$DiskID" | grep "FileVault:" | awk '{print $2}')
119 |
120 | ## If the APFS Container is not encrypted, run workflow
121 | if [ $StorageType == "APFS" ] && [ "$FileVaultStatus" == "Yes" ]; then
122 | echo "FileVault is enabled on $DiskID, exiting.."
123 | logger "DiskEncrypter: FileVault is enabled on $DiskID, exiting.."
124 | exit 0
125 | else
126 | echo "FileVault is disabled on $DiskID, running encryption workflow"
127 | logger "DiskEncrypter: FileVault is disabled on $DiskID, running encryption workflow"
128 |
129 | # Mounting disk as read-only
130 | diskutil unmountDisk "$VolumeID"
131 | diskutil mount readonly "$VolumeID"
132 |
133 | # Downloading and installing swiftDialog if not existing
134 | if [[ "$downloadSwiftDialog" == "yes" ]] && [[ ! -f "$notificationApp" ]]; then
135 |
136 | echo "swiftDialog not installed, downloading and installing"
137 | logger "DiskEncrypter: swiftDialog not installed, downloading and installing"
138 |
139 | expectedDialogTeamID="PWA5E9TQ59"
140 | LOCATION=$(/usr/bin/curl -s https://api.github.com/repos/bartreardon/swiftDialog/releases/latest | grep browser_download_url | grep .pkg | grep -v debug | awk '{ print $2 }' | sed 's/,$//' | sed 's/"//g')
141 | /usr/bin/curl -L "$LOCATION" -o /tmp/swiftDialog.pkg
142 |
143 | # Verify the download
144 | teamID=$(/usr/sbin/spctl -a -vv -t install "/tmp/swiftDialog.pkg" 2>&1 | awk '/origin=/ {print $NF }' | tr -d '()')
145 |
146 | # Install the package if Team ID validates
147 | if [ "$expectedDialogTeamID" = "$teamID" ] || [ "$expectedDialogTeamID" = "" ]; then
148 | echo "swiftDialog Team ID verification succeeded"
149 | logger "DiskEncrypter: swiftDialog Team ID verification succeeded"
150 | /usr/sbin/installer -pkg /tmp/swiftDialog.pkg -target /
151 | else
152 | echo "swiftDialog Team ID verification failed."
153 | logger "DiskEncrypter: swiftDialog Team ID verification failed."
154 | exit 1
155 | fi
156 |
157 | # Cleaning up the swiftDialog.pkg
158 | /bin/rm /tmp/swiftDialog.pkg
159 |
160 | fi
161 |
162 | ## Checking if the Mac is connected to AC Power or draining on the battery
163 | if [[ $(pmset -g ps | head -1) =~ "AC Power" ]]; then
164 | echo "Device is connected to AC Power, proceeding.."
165 | logger "DiskEncrypter: "Device is connected to AC Power, proceeding.." "
166 | else
167 | echo "Device is connected to battery and not charging, exiting"
168 | logger "DiskEncrypter: "Device is connected to battery and not charging, exiting""
169 | dialog=$(/usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$title" --message "$subTitleBattery" --button1text "$batteryExitMainButton" --icon "$batteryIconPath")
170 | exit 1
171 | fi
172 |
173 | ## Generate notification and ask for password for encryption or mount volume as read-only
174 | if [[ "$notifyUser" == "yes" ]] && [[ -f "$notificationApp" ]] && [[ "$FileVaultStatus" == "No" ]]; then
175 | dialog=$(/usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$title" --message "$subTitlePassword" --button1text "$mainButtonLabelPassword" --button2text "$secondaryButtonLabelPassword" --infobuttontext "$exitButtonLabel" --quitoninfo --icon "$iconPath" --textfield "$secondTitlePassword",prompt="$placeholderPassword",regex="$passwordRegex",regexerror="$passwordRegexErrorMessage",secure=true,required=yes)
176 | fi
177 |
178 | case $? in
179 | 0)
180 | Password=$(echo "$dialog" | grep "$secondTitlePassword" | awk -F " : " '{print $NF}' &)
181 |
182 | ## Generate notification and ask if we want to specify a hint
183 | if [[ "$notifyUserHint" == "yes" ]] && [[ -f "$notificationApp" ]] && [[ "$FileVaultStatus" == "No" ]]; then
184 | Passphrase=$(/usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$title" --message "$subTitleHint" --button1text "$mainButtonLabelHint" --button2text "$secondaryButtonLabelHint" --icon "$iconPath" --textfield "$secondTitleHint",prompt="$placeholderHint",regex="$hintRegex",regexerror="$hintRegexErrorMessage" | grep "$secondTitleHint" | awk -F " : " '{print $NF}' &)
185 | fi
186 |
187 | ## Start the encryption of the disk with the provided password, optionally we are configuring a hint as well.
188 | if [[ "$notifyUser" == "yes" ]] && [[ -f "$notificationApp" ]] && [[ "$Password" != "" ]]; then
189 |
190 | /usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$titleProgress" --message "$subTitleProgress" --icon "$iconPath" --button1text "$mainButtonLabelProgress" --timer 12 &
191 |
192 | diskutil unmountDisk "$VolumeID"
193 | diskutil mount "$VolumeID"
194 | diskutil apfs encryptVolume "$VolumeID" -user "disk" -passphrase "$Password"
195 |
196 | ## If the optional hint has been configured we are going to configure it here after encrypting the disk
197 | if [ "$Passphrase" != "" ]; then
198 | sleep 5
199 | diskutil unmountDisk "$DiskID"
200 | diskutil apfs unlockVolume "$VolumeID" -passphrase "$Password"
201 | diskutil apfs setPassphraseHint "$VolumeID" -user "disk" -hint "$Passphrase"
202 | fi
203 | exit 0
204 | fi
205 | ;;
206 | 2)
207 | echo "$loggedInUser decided mounting $DiskID as read-only"
208 | logger "DiskEncrypter: $loggedInUser decided mounting $DiskID as read-only"
209 | diskutil unmountDisk "$DiskID"
210 | diskutil mount readonly "$VolumeID"
211 | exit 2
212 | ;;
213 | 3)
214 | echo "$loggedInUser dediced to eject $DiskID"
215 | logger "DiskEncrypter: $loggedInUser dediced to eject $DiskID"
216 | diskutil unmountDisk "$DiskID"
217 | exit 3
218 | esac
219 | fi
220 | elif [[ $StorageType =~ "Apple_HFS" ]]; then
221 | echo "The external media type is $StorageType"
222 | logger "DiskEncrypter: The external media type is $StorageType"
223 | StorageType="HFS"
224 |
225 | # Check Encryption State
226 | DiskID="$ExternalDisks"
227 | echo "Disk ID is $DiskID"
228 | logger "DiskEncrypter: Disk ID is $DiskID"
229 | VolumeID=$(df -h | grep "$DiskID" |awk '{print $1}' | sed 's|^/dev/||')
230 | echo "$VolumeID"
231 | FileVaultStatus=$(diskutil list "$DiskID" | grep "FileVault:" | awk '{print $2}')
232 |
233 | ## In case of HFS container, we need to convert it to APFS and have it encrypted
234 | if [ $StorageType == "HFS" ]; then
235 |
236 | # Mounting disk as read-only
237 | diskutil unmountDisk "$DiskID"
238 | diskutil mount readonly "$VolumeID"
239 |
240 | # Downloading and installing swiftDialog if not existing
241 | if [[ "$downloadSwiftDialog" == "yes" ]] && [[ ! -f "$notificationApp" ]]; then
242 |
243 | echo "swiftDialog not installed, downloading and installing"
244 | logger "DiskEncrypter: swiftDialog not installed, downloading and installing"
245 |
246 | expectedDialogTeamID="PWA5E9TQ59"
247 | LOCATION=$(/usr/bin/curl -s https://api.github.com/repos/bartreardon/swiftDialog/releases/latest | grep browser_download_url | grep .pkg | grep -v debug | awk '{ print $2 }' | sed 's/,$//' | sed 's/"//g')
248 | /usr/bin/curl -L "$LOCATION" -o /tmp/swiftDialog.pkg
249 |
250 | # Verify the download
251 | teamID=$(/usr/sbin/spctl -a -vv -t install "/tmp/swiftDialog.pkg" 2>&1 | awk '/origin=/ {print $NF }' | tr -d '()')
252 |
253 | # Install the package if Team ID validates
254 | if [ "$expectedDialogTeamID" = "$teamID" ] || [ "$expectedDialogTeamID" = "" ]; then
255 | echo "swiftDialog Team ID verification succeeded"
256 | logger "DiskEncrypter: swiftDialog Team ID verification succeeded"
257 | /usr/sbin/installer -pkg /tmp/swiftDialog.pkg -target /
258 | else
259 | echo "swiftDialog Team ID verification failed."
260 | logger "DiskEncrypter: swiftDialog Team ID verification failed."
261 | exit 1
262 | fi
263 |
264 | # Cleaning up the swiftDialog.pkg
265 | /bin/rm /tmp/swiftDialog.pkg
266 |
267 | fi
268 |
269 | ## Generate notification and ask for password for encryption or mount volume as read-only
270 | if [[ "$notifyUser" == "yes" ]] && [[ -f "$notificationApp" ]]; then
271 | dialog=$(/usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$title" --message "$subTitleConversion" --button1text "$mainButtonLabelConversion" --button2text "$secondaryButtonLabelPassword" --infobuttontext "$exitButtonLabel" --quitoninfo --icon "$iconPath" --textfield "$secondTitlePassword",prompt="$placeholderPassword",regex="$passwordRegex",regexerror="$passwordRegexErrorMessage",secure=true,required=yes)
272 | fi
273 |
274 | case $? in
275 | 0)
276 | Password=$(echo "$dialog" | grep "$secondTitlePassword" | awk -F " : " '{print $NF}' &)
277 |
278 | ## Generate notification and ask if we want to specify a hint
279 | if [[ "$notifyUserHint" == "yes" ]] && [[ -f "$notificationApp" ]]; then
280 | Passphrase=$(/usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$title" --message "$subTitleHint" --button1text "$mainButtonLabelHint" --button2text "$secondaryButtonLabelHint" --icon "$iconPath" --textfield "$secondTitleHint",prompt="$placeholderHint",regex="$hintRegex",regexerror="$hintRegexErrorMessage" | grep "$secondTitleHint" | awk -F " : " '{print $NF}' &)
281 | fi
282 |
283 | ## Start the encryption of the disk with the provided password, optionally we are configuring a hint as well.
284 | if [[ "$notifyUser" == "yes" ]] && [[ -f "$notificationApp" ]] && [[ "$Password" != "" ]]; then
285 |
286 | /usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$titleProgress" --message "$subTitleProgress" --icon "$iconPath" --button1text "$mainButtonLabelProgress" --timer 12 &
287 |
288 | diskutil unmountDisk "$VolumeID"
289 | diskutil mount "$VolumeID"
290 | diskutil apfs convert "$VolumeID"
291 |
292 | DiskID=$(diskutil list "$ExternalDisks" | grep -o '\(Container disk[0-9s]*\)' | awk '{print $2}')
293 | diskutil apfs encryptVolume "$DiskID"s1 -user "disk" -passphrase "$Password"
294 |
295 | ## If the optional hint has been configured we are going to configure it here after encrypting the disk
296 | if [ "$Passphrase" != "" ]; then
297 | sleep 5
298 | diskutil unmountDisk "$DiskID"
299 | diskutil apfs unlockVolume "$VolumeID" -passphrase "$Password"
300 | diskutil apfs setPassphraseHint "$VolumeID" -user "disk" -hint "$Passphrase"
301 | fi
302 | exit 0
303 | fi
304 | ;;
305 | 2)
306 | echo "$loggedInUser decided mounting $DiskID as read-only"
307 | logger "DiskEncrypter: $loggedInUser decided mounting $DiskID as read-only"
308 | diskutil unmountDisk "$DiskID"
309 | diskutil mount readonly "$VolumeID"
310 | exit 2
311 | ;;
312 | 3)
313 | echo "$loggedInUser dediced to eject $DiskID"
314 | logger "DiskEncrypter: $loggedInUser dediced to eject $DiskID"
315 | diskutil unmountDisk "$DiskID"
316 | exit 3
317 | esac
318 | fi
319 | elif [[ $StorageType =~ "Microsoft Basic Data" ]]; then
320 |
321 | echo "The external media type is Microsoft Basic Data"
322 | logger "DiskEncrypter: The external media type is Microsoft Basic Data"
323 | StorageType="Microsoft Basic Data"
324 |
325 | # Check Encryption State
326 | DiskID="$ExternalDisks"
327 | echo "Disk ID is $DiskID"
328 | logger "DiskEncrypter: Disk ID is $DiskID"
329 | VolumeID=$(df -h | grep "$DiskID" |awk '{print $1}' | sed 's|^/dev/||')
330 | echo "$VolumeID"
331 | volumeName=$(diskutil info "$VolumeID" | grep "Volume Name" | awk '{print $3}')
332 |
333 | ## In case of EXFAT volume, we need to erase it, reformat to APFS and encrypt it
334 | if [[ $StorageType == "Microsoft Basic Data" ]]; then
335 |
336 | # Mounting disk as read-only
337 | diskutil unmountDisk "$DiskID"
338 | diskutil mount readonly "$VolumeID"
339 |
340 | # Downloading and installing swiftDialog if not existing
341 | if [[ "$downloadSwiftDialog" == "yes" ]] && [[ ! -f "$notificationApp" ]]; then
342 |
343 | echo "swiftDialog not installed, downloading and installing"
344 | logger "DiskEncrypter: swiftDialog not installed, downloading and installing"
345 |
346 | expectedDialogTeamID="PWA5E9TQ59"
347 | LOCATION=$(/usr/bin/curl -s https://api.github.com/repos/bartreardon/swiftDialog/releases/latest | grep browser_download_url | grep .pkg | grep -v debug | awk '{ print $2 }' | sed 's/,$//' | sed 's/"//g')
348 | /usr/bin/curl -L "$LOCATION" -o /tmp/swiftDialog.pkg
349 |
350 | # Verify the download
351 | teamID=$(/usr/sbin/spctl -a -vv -t install "/tmp/swiftDialog.pkg" 2>&1 | awk '/origin=/ {print $NF }' | tr -d '()')
352 |
353 | # Install the package if Team ID validates
354 | if [ "$expectedDialogTeamID" = "$teamID" ] || [ "$expectedDialogTeamID" = "" ]; then
355 | echo "swiftDialog Team ID verification succeeded"
356 | logger "DiskEncrypter: swiftDialog Team ID verification succeeded"
357 | /usr/sbin/installer -pkg /tmp/swiftDialog.pkg -target /
358 | else
359 | echo "swiftDialog Team ID verification failed."
360 | logger "DiskEncrypter: swiftDialog Team ID verification failed."
361 | exit 1
362 | fi
363 |
364 | # Cleaning up the swiftDialog.pkg
365 | /bin/rm /tmp/swiftDialog.pkg
366 |
367 | fi
368 |
369 | ## Generate notification and ask for password for encryption or mount volume as read-only
370 | if [[ "$notifyUser" == "yes" ]] && [[ -f "$notificationApp" ]]; then
371 | dialog=$(/usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$title" --message "$subTitleEXFAT" --button1text "$mainButtonLabelEXFAT" --button2text "$secondaryButtonLabelPassword" --infobuttontext "$exitButtonLabel" --quitoninfo --icon "$iconPath" --textfield "$secondTitlePassword",prompt="$placeholderPassword",regex="$passwordRegex",regexerror="$passwordRegexErrorMessage",secure=true,required=yes) #| grep "$secondTitlePassword" | awk -F " : " '{print $NF}' &)
372 | fi
373 |
374 | case $? in
375 | 0)
376 | Password=$(echo "$dialog" | grep "$secondTitlePassword" | awk -F " : " '{print $NF}' &)
377 |
378 | ## Generate notification and ask if we want to specify a hint
379 | if [[ "$notifyUserHint" == "yes" ]] && [[ -f "$notificationApp" ]]; then
380 | Passphrase=$(/usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$title" --message "$subTitleHint" --button1text "$mainButtonLabelHint" --button2text "$secondaryButtonLabelHint" --icon "$iconPath" --textfield "$secondTitleHint",prompt="$placeholderHint",regex="$hintRegex",regexerror="$hintRegexErrorMessage" | grep "$secondTitleHint" | awk -F " : " '{print $NF}' &)
381 | fi
382 |
383 | ## Start the erase and encryption of the disk with the provided password, optionally we are configuring a hint as well.
384 | if [[ "$notifyUser" == "yes" ]] && [[ -f "$notificationApp" ]] && [[ "$Password" != "" ]]; then
385 |
386 | /usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$titleProgress" --message "$subTitleProgress" --icon "$iconPath" --button1text "$mainButtonLabelProgress" --timer 12 &
387 | diskutil eraseDisk APFS "$volumeName" "$DiskID"
388 |
389 | DiskID=$(diskutil list "$ExternalDisks" | grep -o '\(Container disk[0-9s]*\)' | awk '{print $2}')
390 | VolumeID=$(df -h | grep "$DiskID" |awk '{print $1}' | sed 's|^/dev/||')
391 | diskutil apfs encryptVolume "$VolumeID" -user "disk" -passphrase "$Password"
392 |
393 | ## If the optional hint has been configured we are going to configure it here after encrypting the disk
394 | if [ "$Passphrase" != "" ]; then
395 | sleep 5
396 | diskutil unmountDisk "$DiskID"
397 | diskutil apfs unlockVolume "$VolumeID" -passphrase "$Password"
398 | diskutil apfs setPassphraseHint "$VolumeID" -user "disk" -hint "$Passphrase"
399 | fi
400 | exit 0
401 | fi
402 | ;;
403 | 2)
404 | echo "$loggedInUser decided mounting $DiskID as read-only"
405 | logger "DiskEncrypter: $loggedInUser decided mounting $DiskID as read-only"
406 | diskutil unmountDisk "$DiskID"
407 | diskutil mount readonly "$VolumeID"
408 | exit 2
409 | ;;
410 | 3)
411 | echo "$loggedInUser dediced to eject $DiskID"
412 | logger "DiskEncrypter: $loggedInUser dediced to eject $DiskID"
413 | diskutil unmountDisk "$DiskID"
414 | exit 3
415 | esac
416 | fi
417 | elif [[ $StorageType == *"FAT"* ]]; then
418 |
419 | echo "The external media type is FAT"
420 | logger "DiskEncrypter: The external media type is FAT"
421 | StorageType="FAT"
422 |
423 | # Check Encryption State
424 | DiskID="$ExternalDisks"
425 | echo "Disk ID is $DiskID"
426 | logger "DiskEncrypter: Disk ID is $DiskID"
427 | VolumeID=$(df -h | grep "$DiskID" |awk '{print $1}' | sed 's|^/dev/||')
428 | echo "$VolumeID"
429 | volumeName=$(diskutil info "$VolumeID" | grep "Volume Name" | awk '{print $3}')
430 |
431 | ## In case of EXFAT volume, we need to erase it, reformat to APFS and encrypt it
432 | if [[ $StorageType == "FAT" ]]; then
433 |
434 | # Mounting disk as read-only
435 | diskutil unmountDisk "$DiskID"
436 | diskutil mount readonly "$VolumeID"
437 |
438 | # Downloading and installing swiftDialog if not existing
439 | if [[ "$downloadSwiftDialog" == "yes" ]] && [[ ! -f "$notificationApp" ]]; then
440 |
441 | echo "swiftDialog not installed, downloading and installing"
442 | logger "DiskEncrypter: swiftDialog not installed, downloading and installing"
443 |
444 | expectedDialogTeamID="PWA5E9TQ59"
445 | LOCATION=$(/usr/bin/curl -s https://api.github.com/repos/bartreardon/swiftDialog/releases/latest | grep browser_download_url | grep .pkg | grep -v debug | awk '{ print $2 }' | sed 's/,$//' | sed 's/"//g')
446 | /usr/bin/curl -L "$LOCATION" -o /tmp/swiftDialog.pkg
447 |
448 | # Verify the download
449 | teamID=$(/usr/sbin/spctl -a -vv -t install "/tmp/swiftDialog.pkg" 2>&1 | awk '/origin=/ {print $NF }' | tr -d '()')
450 |
451 | # Install the package if Team ID validates
452 | if [ "$expectedDialogTeamID" = "$teamID" ] || [ "$expectedDialogTeamID" = "" ]; then
453 | echo "swiftDialog Team ID verification succeeded"
454 | logger "DiskEncrypter: swiftDialog Team ID verification succeeded"
455 | /usr/sbin/installer -pkg /tmp/swiftDialog.pkg -target /
456 | else
457 | echo "swiftDialog Team ID verification failed."
458 | logger "DiskEncrypter: swiftDialog Team ID verification failed."
459 | exit 1
460 | fi
461 |
462 | # Cleaning up the swiftDialog.pkg
463 | /bin/rm /tmp/swiftDialog.pkg
464 |
465 | fi
466 |
467 | ## Generate notification and ask for password for encryption or mount volume as read-only
468 | if [[ "$notifyUser" == "yes" ]] && [[ -f "$notificationApp" ]]; then
469 | dialog=$(/usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$title" --message "$subTitleEXFAT" --button1text "$mainButtonLabelEXFAT" --button2text "$secondaryButtonLabelPassword" --infobuttontext "$exitButtonLabel" --quitoninfo --icon "$iconPath" --textfield "$secondTitlePassword",prompt="$placeholderPassword",regex="$passwordRegex",regexerror="$passwordRegexErrorMessage",secure=true,required=yes) #| grep "$secondTitlePassword" | awk -F " : " '{print $NF}' &)
470 | fi
471 |
472 | case $? in
473 | 0)
474 | Password=$(echo "$dialog" | grep "$secondTitlePassword" | awk -F " : " '{print $NF}' &)
475 |
476 | ## Generate notification and ask if we want to specify a hint
477 | if [[ "$notifyUserHint" == "yes" ]] && [[ -f "$notificationApp" ]]; then
478 | Passphrase=$(/usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$title" --message "$subTitleHint" --button1text "$mainButtonLabelHint" --button2text "$secondaryButtonLabelHint" --icon "$iconPath" --textfield "$secondTitleHint",prompt="$placeholderHint",regex="$hintRegex",regexerror="$hintRegexErrorMessage" | grep "$secondTitleHint" | awk -F " : " '{print $NF}' &)
479 | fi
480 |
481 | ## Start the erase and encryption of the disk with the provided password, optionally we are configuring a hint as well.
482 | if [[ "$notifyUser" == "yes" ]] && [[ -f "$notificationApp" ]] && [[ "$Password" != "" ]]; then
483 |
484 | /usr/bin/sudo -u "$loggedInUser" "$notificationApp" --title "$titleProgress" --message "$subTitleProgress" --icon "$iconPath" --button1text "$mainButtonLabelProgress" --timer 12 &
485 | diskutil eraseDisk APFS "$volumeName" "$DiskID"
486 |
487 | DiskID=$(diskutil list "$ExternalDisks" | grep -o '\(Container disk[0-9s]*\)' | awk '{print $2}')
488 | VolumeID=$(df -h | grep "$DiskID" |awk '{print $1}' | sed 's|^/dev/||')
489 | diskutil apfs encryptVolume "$VolumeID" -user "disk" -passphrase "$Password"
490 |
491 | ## If the optional hint has been configured we are going to configure it here after encrypting the disk
492 | if [ "$Passphrase" != "" ]; then
493 | sleep 5
494 | diskutil unmountDisk "$DiskID"
495 | diskutil apfs unlockVolume "$VolumeID" -passphrase "$Password"
496 | diskutil apfs setPassphraseHint "$VolumeID" -user "disk" -hint "$Passphrase"
497 | fi
498 | exit 0
499 | fi
500 | ;;
501 | 2)
502 | echo "$loggedInUser decided mounting $DiskID as read-only"
503 | logger "DiskEncrypter: $loggedInUser decided mounting $DiskID as read-only"
504 | diskutil unmountDisk "$DiskID"
505 | diskutil mount readonly "$VolumeID"
506 | exit 2
507 | ;;
508 | 3)
509 | echo "$loggedInUser dediced to eject $DiskID"
510 | logger "DiskEncrypter: $loggedInUser dediced to eject $DiskID"
511 | diskutil unmountDisk "$DiskID"
512 | exit 3
513 | esac
514 | fi
515 | fi
516 | fi
--------------------------------------------------------------------------------
/Images/DiskEncrypter_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/txhaflaire/DiskEncrypter/5db25b6b42deedc73f063e7d61a6810e5939ce96/Images/DiskEncrypter_1.png
--------------------------------------------------------------------------------
/Images/DiskEncrypter_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/txhaflaire/DiskEncrypter/5db25b6b42deedc73f063e7d61a6810e5939ce96/Images/DiskEncrypter_2.png
--------------------------------------------------------------------------------
/Images/DiskEncrypter_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/txhaflaire/DiskEncrypter/5db25b6b42deedc73f063e7d61a6810e5939ce96/Images/DiskEncrypter_3.png
--------------------------------------------------------------------------------
/Images/jamfpro_custom_apps_and_settings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/txhaflaire/DiskEncrypter/5db25b6b42deedc73f063e7d61a6810e5939ce96/Images/jamfpro_custom_apps_and_settings.png
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2022 Thijs Xhaflaire
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Disk Encrypter - Encrypt unencrypted removable storage devices
2 |
3 | This repository provides a `LaunchDaemon` based workflow using `StartOnMount` monitoring new `Volumes` being mounted on the macOS endpoint, once a new volume mount has been detected by the `LaunchDaemon` it triggers the `DiskEncrypter.sh` script to provide a end-user driven workflow to have the removable media devices encrypted or automatically mounted as `read-only`.
4 |
5 | This workflow could help any organisation by preventing loss of corporate data on to unencrypted removable storage devices and provide guided end-users workflows to have the storage devices encrypted in an automated fashion.
6 |
7 | Please read through and test this script intensively prior adding it to your production environment, as in some cases the end-user agree's to erase the external disk and losing it's contents stored on it.
8 |
9 | This workflow has been tested against
10 | - macOS Sonoma Beta 3 (23A5286g)
11 | - macOS Ventura 13.0 (22A380)
12 | - macOS Monterey 12.6 (21G115)
13 |
14 | ## Dependencies
15 | The workflows relies on swiftDialog, the preference is that it is already pre-installed but within the script we do provide checks to download and install it if it's not existing on the endpoint.
16 |
17 | - [SwiftDialog](https://github.com/bartreardon/swiftDialog/releases)
18 | - swiftDialog includes options to enforce a password and hint complexity requirements based on a REGEX string which can be customised by using the `JSON` schema uploaded into Jamf Pro
19 | - Tested with the latest release of swiftDialog v1.X and 2.0.1
20 |
21 | ## Workflow Steps
22 |
23 | Steps to create the workflow:
24 |
25 | - [ ] Jamf Pro / MDM - Distribute [swiftDialog](https://github.com/bartreardon/swiftDialog/releases) to the macOS endpoints
26 | - [ ] Jamf Pro / MDM - Upload and configure the [`JSON`](./com.custom.diskencrypter.json) schema for the Managed Preferences `com.custom.diskencrypter` in to [Jamf Pro Configuration Profiles Custon Applications & Settings](https://docs.jamf.com/technical-papers/jamf-pro/json-schema/10.26.0/JSON_Schema_Manifest_Structure.html)
27 | - [ ] Jamf Pro / MDM - Distribute the DiskEncrypter.pkg contained in Releases
28 | - This distributes the script, the LaunchDaemon and loads it as well.
29 |
30 | ## Components
31 | ### LaunchDaemon
32 |
33 | by installing the provided package in this repository we are distributing the `com.custom.volumewatcher` `LaunchDaemon` and loading with by using `launchctl`. This `LaunchDaemon` monitors the /volumes/ folder on changes and runs the `ProgramArguments` in case changes happens.
34 |
35 | ```
36 |
37 |
38 |
39 |
40 | Label
41 | com.custom.volumewatcher
42 | OnDemand
43 |
44 | ProgramArguments
45 |
46 | /bin/sh
47 | /Library/Application Support/Custom/DiskEncrypter.sh
48 |
49 | StartOnMount
50 |
51 |
52 |
53 |
54 | ```
55 |
56 | ### Script
57 |
58 | On detection of a new volume being mounted in `Volumes` the `LaunchDaemon` triggers the [`DiskEncrypter.sh`](./DiskEncrypter.sh) which does the following
59 |
60 | - Checks if the mounted volumes are external and removable
61 | - if external and removable checks the storage type (APFS, HFS, Microsoft Basic Data)
62 | - Based on the Volume Storage Type it checks if the volume is encrypted or not encrypted with FileVault
63 | - In case of being not encrypted we mount it as read-only right away to prevent loss of data and it triggers swiftDialog and generates end-user worksflows to encrypt the removable media by setting a password that does needs to match a password and hint requirement that can be configured using the JSON schema. (default 4 characters)
64 | - The end-user is able to mount the disk as read-only, eject or continue with the encryption workflow
65 | - In case of APFS the volume is being encrypted with no loss of existing data
66 | - In case of HFS the volume is being converted to APFS and being encrypted with no loss of existing data
67 | - In case of Microsoft Basic Data (NTFS) we warn the user that we need to **erase** the disk and change the storage type to APFS and we are **losing existing content of the disk**
68 | - to do on this workflow is archive existing content if it does exist on the volume, erase, convert and encrypt the disk and restore existing content
69 |
70 | ### Logging
71 |
72 | DiskEncrypter writes to the macOS Unified Log, use the following command to filter the Unified Logs.
73 |
74 | ```log show --predicate 'process == "logger" AND eventMessage contains "DiskEncrypter:"'```
75 |
76 | ### Optional Workflow Components
77 |
78 | #### Jamf Protect
79 |
80 | - The built-in Analytic `USBInserted` can be used alongside this workflow to monitor on USB Inserted activity
81 | - A custom Analytic can be created to monitor the LaunchDaemon being unloaded and the end-user or malicious attacker trying to bypass the provided workflows.
82 | - Sensor Type: `File Event`
83 | - Predicate:
84 |
85 | ### Screenshots
86 |
87 | 
88 | 
89 | 
90 |
91 | 
92 |
93 | ### credits
94 |
95 | - First and foremost to bartreardon and community for developing swiftDialog
96 | - Secondly @mvandbent reviewing and providing me with some extra idea's to add
97 |
98 | #
99 | #### Please note that all resources contained within this repository are provided as-is and are not officially supported.
100 |
--------------------------------------------------------------------------------
/com.custom.diskencrypter.json:
--------------------------------------------------------------------------------
1 | {
2 | "title": "com.custom.diskencrypter",
3 | "description": "",
4 | "properties": {
5 | "mainButtonLabelConversion": {
6 | "title": "Conversion Button Text",
7 | "description": "Configures a custom text value for the main button in the password dialog popup where the storage type volume is HFS and we need to convert the volume. (Default Convert)",
8 | "property_order": 5,
9 | "anyOf": [
10 | {"type": "null", "title": "Not Configured"},
11 | {
12 | "title": "Configured",
13 | "type": "string"
14 | }
15 | ]
16 | },
17 | "title": {
18 | "title": "Title",
19 | "description": "Configures a custom Title for the dialog popup",
20 | "property_order": 10,
21 | "anyOf": [
22 | {"type": "null", "title": "Not Configured"},
23 | {
24 | "title": "Configured",
25 | "type": "string"
26 | }
27 | ]
28 | },
29 | "subTitleEXFAT": {
30 | "title": "Erase EXFAT Volume Text",
31 | "description": "Configures a custom text value for the dialog that notifies the user that the removable disk is not encrypted and the storage type is Microsoft Visual Data, in order to encrypt it we need to erase the disk and we lose all existing content.",
32 | "property_order": 15,
33 | "anyOf": [
34 | {"type": "null", "title": "Not Configured"},
35 | {
36 | "title": "Configured",
37 | "type": "string"
38 | }
39 | ]
40 | },
41 | "notifyUser": {
42 | "title": "Generate end-user notifications",
43 | "description": "Configures if we want to notify the user. default is true",
44 | "property_order": 20,
45 | "anyOf": [
46 | {"type": "null", "title": "Not Configured"},
47 | {
48 | "title": "Configured",
49 | "type": "string",
50 | "options": {
51 | "enum_titles": ["yes", "no"]
52 | },
53 | "enum": ["yes", "no"]
54 | }
55 | ]
56 | },
57 | "placeholderPassword": {
58 | "title": "Password Placeholder Text",
59 | "description": "Configures a custom password placeholder for the dialog popup",
60 | "property_order": 25,
61 | "anyOf": [
62 | {"type": "null", "title": "Not Configured"},
63 | {
64 | "title": "Configured",
65 | "type": "string"
66 | }
67 | ]
68 | },
69 | "subTitleProgress": {
70 | "title": "Progress Bar Text",
71 | "description": "Configures a custom text value for the Disk encryption Progress in the dialog popup",
72 | "property_order": 30,
73 | "anyOf": [
74 | {"type": "null", "title": "Not Configured"},
75 | {
76 | "title": "Configured",
77 | "type": "string"
78 | }
79 | ]
80 | },
81 | "secondaryButtonLabelHint": {
82 | "title": "Hint Secondary Button Text",
83 | "description": "Configures a custom text value for the secondary button in the hint dialog popup",
84 | "property_order": 35,
85 | "anyOf": [
86 | {"type": "null", "title": "Not Configured"},
87 | {
88 | "title": "Configured",
89 | "type": "string"
90 | }
91 | ]
92 | },
93 | "subTitlePassword": {
94 | "title": "Password Description Text",
95 | "description": "Configures a custom text value for the dialog that notifies the user that the removable disk is not encrypted.",
96 | "property_order": 40,
97 | "anyOf": [
98 | {"type": "null", "title": "Not Configured"},
99 | {
100 | "title": "Configured",
101 | "type": "string"
102 | }
103 | ]
104 | },
105 | "iconPath": {
106 | "title": "Icon Path",
107 | "description": "Configures a custom icon path for within the dialog pop-ups. (default uses FileVault icon)",
108 | "property_order": 45,
109 | "anyOf": [
110 | {"type": "null", "title": "Not Configured"},
111 | {
112 | "title": "Configured",
113 | "type": "string"
114 | }
115 | ]
116 | },
117 | "notificationApp": {
118 | "title": "swiftDialog Path",
119 | "description": "Sets a custom path of the binary. default is /usr/local/bin/dialog",
120 | "property_order": 50,
121 | "anyOf": [
122 | {"type": "null", "title": "Not Configured"},
123 | {
124 | "title": "Configured",
125 | "type": "string"
126 | }
127 | ]
128 | },
129 | "subTitleHint": {
130 | "title": "Second Hint Text",
131 | "description": "Configures a custom text value for the Hint in the dialog popup",
132 | "property_order": 55,
133 | "anyOf": [
134 | {"type": "null", "title": "Not Configured"},
135 | {
136 | "title": "Configured",
137 | "type": "string"
138 | }
139 | ]
140 | },
141 | "batteryExitMainButton": {
142 | "title": "Exit Button Battery",
143 | "description": "Configure the exit button text once the Mac is not on AC power. default is Exit",
144 | "property_order": 60,
145 | "anyOf": [
146 | {"type": "null", "title": "Not Configured"},
147 | {
148 | "title": "Configured",
149 | "type": "string"
150 | }
151 | ]
152 | },
153 | "notifyUserHint": {
154 | "title": "Allow Hint",
155 | "description": "Allows and generates a additional alert to provide the end-user a option to set a password hint. default is true",
156 | "property_order": 65,
157 | "anyOf": [
158 | {"type": "null", "title": "Not Configured"},
159 | {
160 | "title": "Configured",
161 | "type": "string",
162 | "options": {
163 | "enum_titles": ["yes", "no"]
164 | },
165 | "enum": ["yes", "no"]
166 | }
167 | ]
168 | },
169 | "subTitleBattery": {
170 | "title": "Battery Dialog Text",
171 | "description": "Configures a custom text value when the Mac is not connected to AC power and not able to encrypt removable devices.",
172 | "property_order": 70,
173 | "anyOf": [
174 | {"type": "null", "title": "Not Configured"},
175 | {
176 | "title": "Configured",
177 | "type": "string"
178 | }
179 | ]
180 | },
181 | "passwordRegex": {
182 | "title": "Password Requirements REGEX",
183 | "description": "Configure this if the password does needs to meet a pattern. Set a valid REGEX string. (default requires 4 characters)",
184 | "property_order": 75,
185 | "anyOf": [
186 | {"type": "null", "title": "Not Configured"},
187 | {
188 | "title": "Configured",
189 | "type": "string"
190 | }
191 | ]
192 | },
193 | "passwordRegexErrorMessage": {
194 | "title": "Password Requirement Message",
195 | "description": "Specify the message that a end-user gets when the provided password does not match the requirements",
196 | "property_order": 80,
197 | "anyOf": [
198 | {"type": "null", "title": "Not Configured"},
199 | {
200 | "title": "Configured",
201 | "type": "string"
202 | }
203 | ]
204 | },
205 | "downloadSwiftDialog": {
206 | "title": "Download swiftDialog",
207 | "description": "Configures if swiftDialog needs to be downloaded if not present on endpoint. default is true",
208 | "property_order": 85,
209 | "anyOf": [
210 | {"type": "null", "title": "Not Configured"},
211 | {
212 | "title": "Configured",
213 | "type": "string",
214 | "options": {
215 | "enum_titles": ["yes", "no"]
216 | },
217 | "enum": ["yes", "no"]
218 | }
219 | ]
220 | },
221 | "mainButtonLabelEXFAT": {
222 | "title": "Erase Button Text",
223 | "description": "Configures a custom text value for the main button in the password dialog popup where the storage type volume is Microsoft Visual Data and we need to erase the volume. (Default Erase existing data and encrypt)",
224 | "property_order": 90,
225 | "anyOf": [
226 | {"type": "null", "title": "Not Configured"},
227 | {
228 | "title": "Configured",
229 | "type": "string"
230 | }
231 | ]
232 | },
233 | "hintRegexErrorMessage": {
234 | "title": "Hint Requirements Message",
235 | "description": "Specify a custom message that a end-user gets when the provided hint does not match the requirements",
236 | "property_order": 95,
237 | "anyOf": [
238 | {"type": "null", "title": "Not Configured"},
239 | {
240 | "title": "Configured",
241 | "type": "string"
242 | }
243 | ]
244 | },
245 | "mainButtonLabelProgress": {
246 | "title": "Exit Button Text",
247 | "description": "Configures a custom text value for the exit button in the dialog popup",
248 | "property_order": 100,
249 | "anyOf": [
250 | {"type": "null", "title": "Not Configured"},
251 | {
252 | "title": "Configured",
253 | "type": "string"
254 | }
255 | ]
256 | },
257 | "mainButtonLabelHint": {
258 | "title": "Hint Main Button Text",
259 | "description": "Configures a custom text value for the main button in the hint dialog popup",
260 | "property_order": 105,
261 | "anyOf": [
262 | {"type": "null", "title": "Not Configured"},
263 | {
264 | "title": "Configured",
265 | "type": "string"
266 | }
267 | ]
268 | },
269 | "hintRegex": {
270 | "title": "Hint Requirements REGEX",
271 | "description": "Configure this if the hint does needs to meet a pattern. Set a valid REGEX string. (default requires 6 characters if hint set)",
272 | "property_order": 110,
273 | "anyOf": [
274 | {"type": "null", "title": "Not Configured"},
275 | {
276 | "title": "Configured",
277 | "type": "string"
278 | }
279 | ]
280 | },
281 | "secondTitlePassword": {
282 | "title": "Password Text",
283 | "description": "Configures a custom text value for the password in the dialog popup",
284 | "property_order": 115,
285 | "anyOf": [
286 | {"type": "null", "title": "Not Configured"},
287 | {
288 | "title": "Configured",
289 | "type": "string"
290 | }
291 | ]
292 | },
293 | "exitButtonLabel": {
294 | "title": "Exit Button Text",
295 | "description": "Configures a custom text value for the exit button. default is cancel",
296 | "property_order": 120,
297 | "anyOf": [
298 | {"type": "null", "title": "Not Configured"},
299 | {
300 | "title": "Configured",
301 | "type": "string"
302 | }
303 | ]
304 | },
305 | "batteryIconPath": {
306 | "title": "Battery Icon Path",
307 | "description": "Configures a custom icon path for the dialog warning the user that the Mac is not on AC power. (default uses Stop icon)",
308 | "property_order": 125,
309 | "anyOf": [
310 | {"type": "null", "title": "Not Configured"},
311 | {
312 | "title": "Configured",
313 | "type": "string"
314 | }
315 | ]
316 | },
317 | "secondaryButtonLabelPassword": {
318 | "title": "Password Secondary Button Text",
319 | "description": "Configures a custom text value for the secondary button in the password dialog popup",
320 | "property_order": 130,
321 | "anyOf": [
322 | {"type": "null", "title": "Not Configured"},
323 | {
324 | "title": "Configured",
325 | "type": "string"
326 | }
327 | ]
328 | },
329 | "mainButtonLabelPassword": {
330 | "title": "Password Main Button Text",
331 | "description": "Configures a custom text value for the main button in the password dialog popup (Default Continue)",
332 | "property_order": 135,
333 | "anyOf": [
334 | {"type": "null", "title": "Not Configured"},
335 | {
336 | "title": "Configured",
337 | "type": "string"
338 | }
339 | ]
340 | },
341 | "subTitleConversion": {
342 | "title": "Conversion Dialog Text",
343 | "description": "Configures a custom text value for the dialog that notifies the user that the removable disk is not encrypted and we need to convert it to APFS in order to encrypt it.",
344 | "property_order": 140,
345 | "anyOf": [
346 | {"type": "null", "title": "Not Configured"},
347 | {
348 | "title": "Configured",
349 | "type": "string"
350 | }
351 | ]
352 | },
353 | "titleProgress": {
354 | "title": "Title Progress Bar",
355 | "description": "Configures a custom Title for the Progress Bar dialog popup",
356 | "property_order": 145,
357 | "anyOf": [
358 | {"type": "null", "title": "Not Configured"},
359 | {
360 | "title": "Configured",
361 | "type": "string"
362 | }
363 | ]
364 | }
365 | }
366 | }
--------------------------------------------------------------------------------
/com.custom.volumewatcher.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Label
6 | com.custom.volumewatcher
7 | OnDemand
8 |
9 | ProgramArguments
10 |
11 | /bin/sh
12 | /Library/Application Support/Custom/DiskEncrypter.sh
13 |
14 | StartOnMount
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------