Escrow Buddy logout pkginfo for Munki
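<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
  Munki pkginfo for a "nopkg" item whose only effect is to require a logout,
  so that Escrow Buddy can escrow a FileVault recovery key at the next login.
  The installcheck_script below decides whether the item is shown in Managed
  Software Center: exit 0 = logout/escrow needed, nonzero = nothing to do.
-->
<plist version="1.0">
<dict>
	<!-- The "install" of this nopkg item is the logout itself. -->
	<key>RestartAction</key>
	<string>RequireLogout</string>
	<key>catalogs</key>
	<array>
		<string>testing</string>
	</array>
	<key>category</key>
	<string>Support</string>
	<!-- HTML-escaped description rendered by Managed Software Center. -->
	<key>description</key>
	<string>&lt;p&gt;A recovery key for FileVault full-disk encryption needs to
be escrowed for this Mac. Please log out at your earliest convenience.&lt;/p&gt;&lt;br /&gt;
&lt;p&gt;For more information, see this KB article:
&lt;strong&gt;&lt;a href="https://www.betterbag.com/kb/13243546"&gt;"FileVault Escrow"
item appears in Managed Software Center&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</string>
	<key>display_name</key>
	<string>FileVault Escrow</string>
	<key>icon_name</key>
	<string>FileVault.png</string>
	<!--
	  Runs with Munki's privileges on every check. All binaries are invoked by
	  absolute path so the result does not depend on the inherited PATH.
	-->
	<key>installcheck_script</key>
	<string>#!/bin/bash
# This script detects whether this Mac meets the conditions required to escrow
# a FileVault recovery key at the next login. If so, a nopkg item will be
# displayed in MSC to prompt the user to logout.
# Exit zero if the Mac is ready for logout and escrow, else exit nonzero.
CURRENT_USER=$(/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/&amp;&amp;!/loginwindow/{print $3}')
if [[ -z $CURRENT_USER || $CURRENT_USER == "loginwindow" || $CURRENT_USER == "_mbsetupuser" || $CURRENT_USER == "root" ]]; then
echo "Skipping FileVault Escrow helper: No user is logged in."
exit 1
fi
if [[ ! -d "/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle" ]]; then
echo "Skipping FileVault Escrow helper: Escrow Buddy is not installed."
exit 1
fi
if ! /usr/bin/profiles -Cv | /usr/bin/grep -qE 'type\s+= com.apple.security.FDERecoveryKeyEscrow'; then
echo "Skipping FileVault Escrow helper: FileVault escrow profile is not present."
exit 1
fi
FDESTATUS=$(/usr/bin/fdesetup status)
if ! echo "$FDESTATUS" | /usr/bin/grep -qi "FileVault is On"; then
echo "Skipping FileVault Escrow helper: FileVault is not enabled."
exit 1
fi
GENERATENEWKEY=$(/usr/bin/defaults read /Library/Preferences/com.netflix.Escrow-Buddy GenerateNewKey 2&gt;/dev/null)
# Compare as a string: a missing key (empty output) or any value other than
# "1" means no escrow is pending. A string test also avoids feeding the
# preference value to bash arithmetic evaluation.
if [[ "$GENERATENEWKEY" != "1" ]]; then
echo "Skipping FileVault Escrow helper: FileVault escrow is not needed."
exit 1
fi
echo "FileVault escrow is needed."
exit 0
</string>
	<key>installer_type</key>
	<string>nopkg</string>
	<key>minimum_os_version</key>
	<string>10.14.4</string>
	<key>name</key>
	<string>filevault_escrow_helper</string>
	<!-- false: the user triggers the logout from MSC rather than Munki forcing it. -->
	<key>unattended_install</key>
	<false/>
	<key>version</key>
	<string>1.0</string>
</dict>
</plist>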