#!/bin/bash
#
# FileVaultSetup.sh
#
# Copyright (c) University of Oxford 2017
# Ben Goodstein <ben.goodstein(at)it.ox.ac.uk>
#
# This script is designed to switch on deferred FileVault enablement for the
# currently logged in user, provided they are not one of our known
# admin accounts (to ensure the end user can unlock the disk). It first
# checks that FV is not on, decrypting, or waiting for a restart, then that
# we have a suitable user in the console session, and then turns on FV for the
# console user, using cocoaDialog to inform them and to log them out so FV
# encryption can take place.
#
# It is used in conjunction with a smart group in the JSS that detects if a
# MacBook is currently unencrypted and an ongoing policy to run this script.
#
# Debug
#
# set -x
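COCOADIALOG=/Applications/Utilities/cocoaDialog.app/Contents/MacOS/cocoaDialog
FDESETUP=/usr/bin/fdesetup
# Short name of the console user, ignoring Setup Assistant's _mbsetupuser;
# empty when nobody has logged in yet.
LOGGEDINUSER=$(/usr/bin/who | /usr/bin/grep -v _mbsetupuser | /usr/bin/awk '/console/ {print $1}')
# Every other tool here is called by absolute path, and the enable step below
# depends on this status, so do not resolve fdesetup through PATH either.
FDESTATUS=$("${FDESETUP}" status)
DISK0=$(/usr/sbin/diskutil list /dev/disk0)
JAMF=/usr/local/jamf/bin/jamf
OUTSETDIR=/usr/local/outset
RECONSCRIPT="${OUTSETDIR}/boot-once/recon.sh"
# Body of the boot-once script that re-runs inventory on the next startup.
# ${JAMF} is expanded now, so the written file is self-contained.
read -r -d '' OUTSETSCRIPT <<EOF
#!/bin/bash
"${JAMF}" recon
EOF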
# Remove the deferral plist on exit; its contents should be escrowed anyway
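die() {
  # Print $2 and exit with status $1.  The deferral plist is the file this
  # script points fdesetup at for the recovery key, so it is removed on every
  # early exit rather than left behind in /tmp.
  local status=${1:-1}
  local message=${2-}
  rm -f /tmp/pk.plist
  # printf rather than echo: a message such as fdesetup's own output may
  # begin with '-' or contain backslashes, which echo would misinterpret.
  printf '%s\n' "${message}"
  exit "${status}"
}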
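# Check if we have CocoaDialog
if [[ ! -f "${COCOADIALOG}" ]]; then
  die 1 "CocoaDialog is not present."
fi
# Check if we have outset
if [[ ! -d "${OUTSETDIR}" ]]; then
  die 1 "Outset is not present."
fi
# Check if we have a recovery partition.
# NOTE(review): this matches the HFS+ volume name only; APFS disks list a
# "Recovery" volume instead -- confirm the check still holds on newer macOS.
if ! grep -q 'Recovery HD' <<<"${DISK0}"; then
  die 1 "No Recovery HD Present, FileVault cannot proceed."
fi
# Already encrypted: the smart group that scoped us is stale, so refresh the
# inventory before leaving.
if grep -q On <<<"${FDESTATUS}"; then
  "${JAMF}" recon >/dev/null 2>&1
  die 0 "FileVault is On!"
fi
if grep -q Decryption <<<"${FDESTATUS}"; then
  die 0 "We are currently decrypting!"
fi
if grep -q restarted <<<"${FDESTATUS}"; then
  die 0 "Waiting for restart."
fi
if [[ -z "${LOGGEDINUSER}" ]]; then
  die 0 "Nobody is logged in yet!"
fi
# Known admin accounts must never become the FileVault-enabled user, or the
# end user could not unlock the disk.  The three names are placeholders in
# this copy; substitute the real admin short names.
case "${LOGGEDINUSER}" in
  xxx|yyy|zzz)
    die 0 "Logged in user is not the end user. Filevault encryption cannot take place."
    ;;
esac
printf '%s\n' "End user logged in - proceeding."
# Deferred enablement: fdesetup writes the recovery key to the -defer file
# once the user has logged out and enablement completes (see fdesetup(8)).
# NOTE(review): /tmp is world-readable and the filename is fixed; a root-only
# directory (mode 0700) would be a safer drop point for a recovery key until
# recon has escrowed it.  Test the command directly instead of inspecting $?.
if fdeoutput=$("${FDESETUP}" enable -quiet -defer /tmp/pk.plist -personal); then
  dialog_text="A logout is required to start the encryption process. You will be able to save your work.
After logging out, you will be asked for your password, then the computer will restart and you will need to log in again. Encryption will then happen automatically."
  # cocoaDialog prints the number of the button pressed; "1" is "Log out".
  button=$("${COCOADIALOG}" msgbox --title "FileVault Encryption Required" \
    --text "Protect the data on this computer against theft or loss." \
    --informative-text "${dialog_text}" \
    --button1 "Log out" \
    --icon-file /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns)
  if [[ "${button}" == "1" ]]; then
    # Queue a one-shot inventory update for the next boot so the JSS sees the
    # new FileVault state promptly; only mark it executable if the write worked.
    printf '%s\n' "${OUTSETSCRIPT}" > "${RECONSCRIPT}" && chmod 0755 "${RECONSCRIPT}"
    # Ask loginwindow to log the user out so deferred enablement can run.
    /usr/bin/osascript -e 'tell app "loginwindow" to «event aevtrlgo»'
  fi
else
  die 1 "${fdeoutput}"
fi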