#!/bin/bash
#
# FileVaultSetup.sh
#
# Copyright (c) University of Oxford 2017
# Ben Goodstein <ben.goodstein(at)it.ox.ac.uk>
#
# This script is designed to switch on deferred FileVault enablement for the
# currently logged in user, provided they are not one of our known
# admin accounts (to ensure the end user can unlock the disk). It first
# checks that FV is not on, or decrypting, or waiting for restart, then that
# we have a suitable user in the console session, and then turns on FV for
# the console user, using cocoaDialog to inform them and to log them out so
# FV encryption can take place.
#
# It is used in conjunction with a smart group in the JSS that detects if a
# MacBook is currently unencrypted and an ongoing policy to run this script
#
# Debug
#
# set -x
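# Paths to the tools this script drives.  cocoaDialog and outset are
# third-party and are checked for below; fdesetup, who, diskutil and the
# jamf binary are assumed to be present.
COCOADIALOG=/Applications/Utilities/cocoaDialog.app/Contents/MacOS/cocoaDialog
FDESETUP=/usr/bin/fdesetup
JAMF=/usr/local/jamf/bin/jamf
OUTSETDIR=/usr/local/outset
# outset is expected to run this script once, at the next boot (hence the
# boot-once directory).
RECONSCRIPT="${OUTSETDIR}/boot-once/recon.sh"
# Owner of the console session.  The Setup Assistant's _mbsetupuser is
# filtered out so a Mac still in first-boot setup does not look logged in.
LOGGEDINUSER=$(/usr/bin/who | /usr/bin/grep -v _mbsetupuser | /usr/bin/awk '/console/ {print $1}')
# Human-readable FileVault state; it is matched by substring further down.
# Uses the same FDESETUP path as the enable call so both hit one binary.
FDESTATUS=$("${FDESETUP}" status)
# Partition table of the first disk.  NOTE(review): this assumes the boot
# volume is /dev/disk0, which is not guaranteed (external boot, Fusion
# Drive) — confirm on the fleet this targets.
DISK0=$(/usr/sbin/diskutil list /dev/disk0)
# Body of the boot-once script.  ${JAMF} is expanded now, at read time.
# `read -d ''` returns non-zero at end of input; that is harmless here
# because the script does not run under `set -e`.
read -r -d '' OUTSETSCRIPT <<EOF
#!/bin/bash
"${JAMF}" recon
EOF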
# Remove deferral info on exit; this should be escrowed anyway
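#######################################
# Print a message, remove the FileVault deferral file and exit.
# Arguments: $1 - exit status
#            $2 - message, written to stdout (kept on stdout as before, so
#                 whatever collects this script's output still sees it)
# Outputs:   the message, followed by a newline
# Returns:   does not return; the process exits with status $1
#######################################
die() {
  # On any early exit the deferral file is stale, so drop it.
  # NOTE(review): the path is a fixed name in world-writable /tmp; a
  # root-only location would be safer if the escrow step allows it.
  rm -f -- /tmp/pk.plist
  # printf rather than echo: a message beginning with "-" (fdesetup output
  # is passed through here verbatim) would otherwise be taken as an echo
  # option and silently dropped.
  printf '%s\n' "${2}"
  exit "${1}"
}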
# Check if we have CocoaDialog
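#######################################
# Abort unless the tools and disk layout this script depends on are present.
# Globals:   COCOADIALOG, OUTSETDIR, DISK0 (read)
# Returns:   0, or exits via die with status 1
#######################################
check_prerequisites() {
  [ -f "${COCOADIALOG}" ] || die 1 "CocoaDialog is not present."
  [ -d "${OUTSETDIR}" ] || die 1 "Outset is not present."
  # The script requires a Recovery HD partition before it will arm
  # FileVault; a literal, quoted pattern so the space is not word-split.
  if ! printf '%s\n' "${DISK0}" | /usr/bin/grep -q 'Recovery HD'; then
    die 1 "No Recovery HD Present, FileVault cannot proceed."
  fi
}

#######################################
# Exit early when FileVault is already on, decrypting, or pending a restart.
# These are substring matches on fdesetup's human-readable output, which may
# differ between macOS versions; checked in the original order (On first).
# Globals:   FDESTATUS, JAMF (read)
# Returns:   0 if enablement may proceed, otherwise exits via die with 0
#######################################
check_fv_status() {
  case "${FDESTATUS}" in
    *On*)
      # Already encrypted, so the JSS inventory that triggered this policy
      # is stale: refresh it before leaving.
      "${JAMF}" recon >/dev/null 2>&1
      die 0 "FileVault is On!"
      ;;
    *Decryption*)
      die 0 "We are currently decrypting!"
      ;;
    *restarted*)
      die 0 "Waiting for restart."
      ;;
  esac
}

#######################################
# Abort unless the console user is an end user rather than a known admin.
# Globals:   LOGGEDINUSER (read)
# Outputs:   a progress line on stdout when proceeding
# Returns:   0 if an end user is logged in, otherwise exits via die with 0
#######################################
check_console_user() {
  [ -n "${LOGGEDINUSER}" ] || die 0 "Nobody is logged in yet!"
  # The known admin account names (apparently anonymised to xxx/yyy/zzz in
  # this copy) must not become the FileVault-enabled user, or the end user
  # could not unlock the disk.
  case "${LOGGEDINUSER}" in
    xxx|yyy|zzz)
      die 0 "Logged in user is not the end user. Filevault encryption cannot take place."
      ;;
  esac
  echo "End user logged in - proceeding."
}

#######################################
# Arm deferred FileVault enablement for the console user, then ask them to
# log out so enablement can take place.
# Globals:   FDESETUP, COCOADIALOG, OUTSETSCRIPT, RECONSCRIPT (read)
# Outputs:   a warning on stderr if the boot-once recon script cannot be
#            written
# Returns:   0, or exits via die with status 1 if fdesetup fails
#######################################
enable_filevault() {
  local fdeoutput
  local button
  # -defer stores the deferral record at this path (and, per fdesetup's
  # documentation, the personal recovery key once enablement completes).
  # NOTE(review): /tmp is world-writable and the name is predictable, and
  # nothing in this script removes the file after a successful enablement —
  # confirm the escrow step cleans it up, or move it to a root-only path.
  # Testing the assignment directly avoids relying on $? afterwards.
  if ! fdeoutput=$("${FDESETUP}" enable -quiet -defer /tmp/pk.plist -personal); then
    die 1 "${fdeoutput}"
  fi
  # cocoaDialog prints the number of the button pressed; "1" is "Log out".
  button=$("${COCOADIALOG}" msgbox --title "FileVault Encryption Required" \
    --text "Protect the data on this computer against theft or loss." \
    --informative-text "A logout is required to start the encryption process. You will be able to save your work.
After logging out, you will be asked for your password, then the computer will restart and you will need to log in again. Encryption will then happen automatically." \
    --button1 "Log out" \
    --icon-file /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns)
  if [ "${button}" == "1" ]; then
    # Schedule a one-shot inventory update at next boot so the JSS learns the
    # Mac is encrypted.  Failing to install it used to be silent; warn, but
    # still log out, because enablement itself does not depend on recon.
    if ! { printf '%s\n' "${OUTSETSCRIPT}" > "${RECONSCRIPT}" && chmod 0755 "${RECONSCRIPT}"; }; then
      printf 'Warning: could not install %s; recon will not run at next boot.\n' "${RECONSCRIPT}" >&2
    fi
    # Ask loginwindow to log the user out; the "rlgo" event is believed to
    # skip the confirmation prompt.  If the dialog was dismissed instead,
    # the deferred enablement stays armed for their next logout.
    /usr/bin/osascript -e 'tell app "loginwindow" to «event aevtrlgo»'
  fi
}

check_prerequisites
check_fv_status
check_console_user
enable_filevault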