dayglojesus / managedmac

Comprehensive Puppet module for OS X.
http://dayglojesus.github.io/managedmac/
Apache License 2.0

managedmac::filevault should support new Yosemite options #52

Open dayglojesus opened 9 years ago

dayglojesus commented 9 years ago

There are a whack of new FV2 toys in Yosemite. Make this class support those params.

dayglojesus commented 9 years ago

Tried this...

$content = [
  {
    'Defer'                         => true,
    'Enable'                        => 'On',
    'OutputPath'                    => '/private/var/root/fdesetup_output.plist',
    'PayloadType'                   => 'com.apple.MCX.FileVault2',
    'ShowRecoveryKey'               => false,
    'UseKeychain'                   => true,
    'UseRecoveryKey'                => true,
    'AskAtUserLoginMaxBypassValue'  => 7,
    'DontAskAtUserLogout'           => true,
    'ForceRestart'                  => true,
  },
  {
    'DestroyFVKeyOnStandby' => false,
    'PayloadType'           => 'com.apple.MCX',
    'dontAllowFDEDisable'   => false,
  },
]

mobileconfig { 'managedmac.filevault.alacarte':
  ensure            => present,
  content           => $content,
  description       => 'FileVault 2 configuration. Installed by Puppet.',
  displayname       => 'Managed Mac: FileVault 2',
  organization      => 'Simon Fraser University',
  removaldisallowed => false,
}

But the new keys AskAtUserLoginMaxBypassValue, DontAskAtUserLogout and ForceRestart are not supported by the Apple profiles schema...

bash-3.2# fdesetup showdeferralinfo
{
    Defer = 1;
    OutputPath = "/private/var/root/fdesetup_output.plist";
    UseKeychain = 1;
}

Implementing these new keys will require some kind of "reach around".

Profiles are so the worst.
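
The mismatch described above can be detected mechanically. This is an added example, not part of the original comments or the managedmac module: a Ruby check that parses `fdesetup showdeferralinfo` output and lists the requested payload keys that did not take effect. The function names are hypothetical, the sample output is copied from the comment above, and printing `false` as `0` is an assumption.

```ruby
# Constructed sample: the `fdesetup showdeferralinfo` output quoted in the issue.
SAMPLE_OUTPUT = <<~EOS
  {
      Defer = 1;
      OutputPath = "/private/var/root/fdesetup_output.plist";
      UseKeychain = 1;
  }
EOS

# Subset of the FileVault2 payload from the issue: the three keys the tool
# reports plus the three new Yosemite keys under test.
REQUESTED = {
  'Defer' => true,
  'OutputPath' => '/private/var/root/fdesetup_output.plist',
  'UseKeychain' => true,
  'AskAtUserLoginMaxBypassValue' => 7,
  'DontAskAtUserLogout' => true,
  'ForceRestart' => true,
}.freeze

# Parse `Key = value;` lines (quoted or bare values) into a Hash of strings.
def parse_deferral_info(text)
  text.each_line.with_object({}) do |line, info|
    m = line.match(/^\s*(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*?))\s*;\s*$/)
    next unless m
    info[m[1]] = m[2] || m[3]
  end
end

# Render a payload value the way the tool prints it. true => "1" matches the
# output above; false => "0" is an assumption.
def normalize(value)
  case value
  when true then '1'
  when false then '0'
  else value.to_s
  end
end

# Compare requested keys with what the tool reports.
# Returns { missing: [keys absent], mismatched: [keys with another value] }.
def audit_deferral(requested, text)
  actual = parse_deferral_info(text)
  missing = requested.keys.reject { |k| actual.key?(k) }
  mismatched = requested.select { |k, v| actual.key?(k) && actual[k] != normalize(v) }.keys
  { missing: missing, mismatched: mismatched }
end

# On a managed Mac, pass the real output of `fdesetup showdeferralinfo` (run as root).
p audit_deferral(REQUESTED, SAMPLE_OUTPUT) if $PROGRAM_NAME == __FILE__
```

A non-empty `missing` list after a Puppet run means the profile installed but those settings are not being enforced.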