#!/bin/bash
###
#
# Name: reissue_filevault_recovery_key.sh
# Description: This script is intended to run on Macs which no longer have
# a valid recovery key in the JSS. It prompts users to enter
# their Mac password, and uses this password to send a new
# FileVault key to the JSS. The "redirect FileVault keys to
# JSS" configuration profile must already be deployed in order
# for this script to work correctly.
# Author: Elliot Jordan <[email protected]>
# Created: 2015-01-05
# Last Modified: 2015-05-19
# Version: 1.3
#
###
################################## VARIABLES ###################################

# Company name; appears in the prompt text and in the dialog title.
COMPANY_NAME="Concur"

# Company logo as a PNG (shown by jamfHelper). Standard POSIX path.
LOGO_PNG="/Library/Application Support/Concur/concurlogo1.png"

# Company logo as an ICNS (shown by the AppleScript dialog).
# AppleScript colon-separated path with the leading colon omitted.
LOGO_ICNS="Library:Application Support:Concur:concurlogo1.icns"

# Heading of the user-facing message. Keep it short or it will be clipped.
PROMPT_HEADING="Reissue FileVault 2 Key"

# Body of the user-facing message. It is two lines; the embedded newline is
# part of the text and there is no trailing newline.
printf -v PROMPT_MESSAGE '%s\n%s' \
  "Your Mac's FileVault encryption key needs to be regenerated in order for ${COMPANY_NAME} IT to be able to recover your hard drive in case of emergency." \
  "Click the Next button below, then enter your Mac's password when prompted."

# jamfHelper binary inside the JAMF framework bundle.
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
################################################################################
######################### DO NOT EDIT BELOW THIS LINE ##########################
################################################################################
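######################## VALIDATION AND ERROR CHECKING #########################

# Suppress stderr for the duration of this script. This also hides failures of
# the commands below (sw_vers, fdesetup, stat), so every result is checked
# explicitly via stdout / exit status rather than relying on error output.
exec 2>/dev/null

# Make sure the custom logo has been received successfully.
# LOGO_ICNS is an AppleScript colon path; convert it to a POSIX path to test it.
logo_icns_posix="/${LOGO_ICNS//://}"
if [[ ! -f "$logo_icns_posix" ]]; then
  echo "[ERROR] Custom icon not present: ${logo_icns_posix}"
  exit 1001
fi

# Most of the code below is based on the JAMF reissueKey.sh script:
# https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh

# Check the OS version. Only a major version of 10 with minor 9 or later is
# accepted; an unparsable version string fails this test as well.
os_version="$(/usr/bin/sw_vers -productVersion)"
OS_major="$(awk -F . '{print $1}' <<<"$os_version")"
OS_minor="$(awk -F . '{print $2}' <<<"$os_version")"
if [[ "$OS_major" -ne 10 || "$OS_minor" -lt 9 ]]; then
  echo "[ERROR] OS version not 10.9+ or OS version unrecognized."
  echo "$os_version"
  exit 1003
fi

# Check to see if the encryption process is complete. `fdesetup status`
# reports one of the states matched below; anything else is treated as unknown.
encryptCheck="$(/usr/bin/fdesetup status)"
if grep -q "Encryption in progress" <<<"$encryptCheck"; then
  echo "[ERROR] The encryption process is still in progress."
  echo "$encryptCheck"
  exit 1004
elif grep -q "FileVault is Off" <<<"$encryptCheck"; then
  echo "[ERROR] Encryption is not active."
  echo "$encryptCheck"
  exit 1005
elif ! grep -q "FileVault is On" <<<"$encryptCheck"; then
  echo "[ERROR] Unable to determine encryption status."
  echo "$encryptCheck"
  exit 1006
fi

# Get the logged in user's name (the owner of the console device).
userName="$(/usr/bin/stat -f%Su /dev/console)"

# Check that the logged in account is already authorized with FileVault 2.
# `fdesetup list` prints one "username,UUID" line per enabled user. The first
# field is compared for exact equality instead of being used as a regex, so a
# user name containing pattern metacharacters cannot match spuriously, and an
# empty user name never matches.
userCheck="$(/usr/bin/fdesetup list)"
user_enabled=0
while IFS=, read -r listed_user _; do
  if [[ -n "$userName" && "$listed_user" == "$userName" ]]; then
    user_enabled=1
  fi
done <<<"$userCheck"
if (( user_enabled == 0 )); then
  echo "[ERROR] $userName is not on the list of FileVault enabled users:"
  echo "$userCheck"
  exit 1002
fi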
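################################# MAIN PROCESS #################################

#######################################
# Escape the five XML special characters so a value can be embedded in the
# plist handed to fdesetup. '&' is replaced first so the entities produced by
# the later substitutions are not escaped a second time.
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout (no trailing newline)
#######################################
xml_escape() {
  local s="$1"
  s="${s//&/&amp;}"
  s="${s//</&lt;}"
  s="${s//>/&gt;}"
  s="${s//\"/&quot;}"
  s="${s//\'/&apos;}"
  printf '%s' "$s"
}

#######################################
# Ask the console user for their password with a hidden-answer dialog.
# Globals:   COMPANY_NAME, LOGO_ICNS (read)
# Arguments: $1 - dialog text (a literal chosen by this script, not user data)
# Outputs:   the entered text on stdout
#######################################
ask_password() {
  local dialog_text="$1"
  /usr/bin/osascript \
    -e 'tell application "System Events" to display dialog "'"$dialog_text"'" default answer "" with title "'"${COMPANY_NAME//\"/\\\"}"' IT encryption key repair" with text buttons {"OK"} default button 1 with hidden answer with icon file "'"${LOGO_ICNS//\"/\\\"}"'"' \
    -e 'text returned of result'
}

# Display a branded prompt explaining the password prompt.
echo "Alerting user ${userName} about incoming password prompt..."
if [[ -x "$jamfHelper" ]]; then
  "$jamfHelper" -windowType hud -windowPosition ur -lockHUD -icon "$LOGO_PNG" -heading "$PROMPT_HEADING" -description "$PROMPT_MESSAGE" -button1 "Next" -defaultButton 1 -startlaunchd
else
  # Non-fatal: the password dialog below does not depend on jamfHelper.
  echo "[WARNING] jamfHelper not found at: ${jamfHelper}"
fi

# Get the logged in user's password via a prompt.
echo "Prompting ${userName} for their Mac password..."
userPass="$(ask_password "Please enter your Mac password:")"

# Thanks to James Barclay for this password validation loop.
# Every entered password, including the last one, is verified before giving
# up after max_attempts tries.
# NOTE: dscl receives the password as a command-line argument, so it is briefly
# visible to other local processes (e.g. via ps) during each check.
max_attempts=5
attempt=1
until dscl /Search -authonly "$userName" "$userPass" &>/dev/null; do
  if (( attempt >= max_attempts )); then
    echo "[ERROR] Password prompt unsuccessful after ${max_attempts} attempts."
    exit 1007
  fi
  attempt=$((attempt + 1))
  echo "Prompting ${userName} for their Mac password (attempt ${attempt})..."
  userPass="$(ask_password "Sorry, that password was incorrect. Please try again:")"
done
echo "Successfully prompted for Mac password."

echo "Unloading FDERecoveryAgent..."
launchctl unload /System/Library/LaunchDaemons/com.apple.security.FDERecoveryAgent.plist

echo "Issuing new recovery key..."
# Credentials are passed to fdesetup on stdin as a plist (not on argv). Both
# values are XML-escaped so a password containing <, >, &, " or ' cannot break
# the document or change its structure.
fdesetup_rc=0
fdesetup changerecovery -verbose -personal -inputplist <<EOF || fdesetup_rc=$?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>$(xml_escape "$userName")</string>
<key>Password</key>
<string>$(xml_escape "$userPass")</string>
</dict>
</plist>
EOF
if (( fdesetup_rc != 0 )); then
  echo "[WARNING] fdesetup did not return exit code 0."
fi
# The plaintext password is no longer needed; drop it from the shell.
unset userPass

echo "Loading FDERecoveryAgent..."
# `fdesetup changerecovery` should do this automatically, but just in case...
launchctl load /System/Library/LaunchDaemons/com.apple.security.FDERecoveryAgent.plist &>/dev/null

exit 0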