homebysix / jss-filevault-reissue

A framework for re-escrowing missing or invalid FileVault keys with Jamf Pro.
Apache License 2.0
186 stars, 56 forks

Feature Request #48

Closed kylejericson closed 1 year ago

kylejericson commented 3 years ago

Can you add this to your script? I find sometimes when using Jamf Connect that the username doesn't get pulled due to an alias. This code fixes that.

```shell
# Get the logged in user's name
FAKE_USER=$(/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/&&!/loginwindow/{print $3}')
CURRENT_USER=$(id -un "$FAKE_USER")
```

homebysix commented 3 years ago

Could you go into more detail on the alias thing? Although this seems harmless, I'd like to be able to recreate the issue to be solved (but I don't have Jamf Connect).

kylejericson commented 3 years ago

@homebysix It seems with Jamf connect when you do a migrate account it just adds an alias to the account name, so when this script runs it pulls that alias instead of the actual username, and then the redirect fails.

homebysix commented 3 years ago

Could you send the output of `/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/&&!/loginwindow/{print $3}'` on an affected Mac?

kylejericson commented 3 years ago

Will do.

regorian commented 2 years ago

Don't mean to hijack this issue, but I have also come across this:

I have included the output of the command you provided, and the error message I received when the user attempted to run the policy from Self Service.

[Screenshot: Screen Shot 2022-01-04 at 2 22 43 PM]

```
An error occurred while running the policy "Reissue FileVault Key" on the computer "jzhang-FVFYG05VHV2G".

Actions from policy log:

[STEP 1 of 5]
Executing Policy Reissue FileVault Key
[STEP 2 of 5]
Running script Reissue Filevault Recovery Key...
Script exit code: 1
Script result: [WARNING] This script has not been tested on this version of macOS. Use at your own risk.
No logo provided, or no logo exists at specified path. Using FileVault icon.
[ERROR]: jzhang is not on the list of FileVault enabled users: tamuser,034387E9-F150-41C7-AAB0-5FFC081B25F0
jenniferzhang,8BBB65A9-590B-4CB2-9B0E-886327306AA6
Error running script: return code was 1.
[STEP 3 of 5]
[STEP 4 of 5]
Inventory will be updated when all queued actions in Self Service are complete.
[STEP 5 of 5]

The complete policy log is available in the JSS at: link to policy log

Computer Info: ID: IP Address: Serial Number:
```

regorian commented 2 years ago

Hi - is there any update to this? My user is still unable to run our filevault-reissue policy. Hoping you have time to review my previous comment.

homebysix commented 2 years ago

@regorian - I think your issue falls outside the scope of this script. The current user must be on the list of users you see when you run `sudo fdesetup list` in order for the subsequent `sudo fdesetup changerecovery -personal` command to succeed. I might suggest that you contact Jamf to see whether Jamf Connect might be altering the user's shortname in a way that is incompatible with existing FileVault authorization.

kylejericson commented 2 years ago

@regorian easy fix: find the current user line in the script and add this.

```shell
# Get the logged in user's name, then resolve any Jamf Connect alias to the local account name
FAKE_USER=$(/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/&&!/loginwindow/{print $3}')
CURRENT_USER=$(id -un "$FAKE_USER")
```

I think I’ll release this script in a Jamf Connect mode so others don’t have this issue.

kylejericson commented 2 years ago

Here is a forked fixed script. @regorian https://github.com/kylejericson/jss-filevault-reissue/blob/jamfconnect/reissue_filevault_recovery_key.sh

homebysix commented 2 years ago

@regorian - Could you try Kyle's modified script above? If it works for you, I can merge the changes into the main script.

mihelm commented 1 year ago

@homebysix We recently used the script with Kyle's modification in a setting with some 100 Monterey clients, and it worked like a charm. So thumbs up for the modification, and for Monterey compatibility.

A little context: You wrote above that you weren't sure this issue was within the scope of this script. I get where you're coming from — I couldn't quite believe it when I was first made aware of this.

When Jamf Connect is rolled out on Macs with existing accounts, those accounts don't have their account names changed. Instead, Jamf Connect adds an alias. In effect, those accounts then have two different names. Depending on which method you use to query the account name, you get one or the other. And depending on where you intend to use that account name, you may get the wrong one. That is exactly the issue here: Your original script asked which user is currently logged in. With Jamf Connect handling the logins, that gives you the alias. But since the FileVault encryption was enabled before that alias was added, that's not in the list of FileVault enabled users. You need the name that account has in the local database. This is what Kyle's modification does.
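The resolution described in this comment (and in Kyle's snippet earlier in the thread) boils down to two steps: take the console user's name from `scutil`, canonicalize it through the local directory with `id -un`, and only then compare it against `fdesetup list`. The following shell script is an added example, not code from the jss-filevault-reissue project or from anyone in this thread. It wraps each step in a function and feeds them constructed sample input (the `scutil` dictionary text and the two-line `fdesetup list` output, with the user names taken from the policy log above) so it runs offline; the `id -un` lookup falls back to the input name when the account does not exist on the machine running it. The `awk` pipeline is the one from the thread; the membership check and the fallback are this example's own additions.

```shell
#!/bin/sh
# Added example (not project code): resolve the console user to the local
# account name and verify it is FileVault-enabled before reissuing a key.

# Constructed sample of `scutil` output for "show State:/Users/ConsoleUser".
SCUTIL_SAMPLE='<dictionary> {
  GID : 20
  Name : jzhang
  SessionInfo : <array> {
  }
  UID : 501
}'

# Constructed sample of `fdesetup list` output: shortname,GUID per line
# (names and GUIDs are the ones shown in the policy log above).
FV_LIST_SAMPLE='tamuser,034387E9-F150-41C7-AAB0-5FFC081B25F0
jenniferzhang,8BBB65A9-590B-4CB2-9B0E-886327306AA6'

# Extract the "Name : <user>" line from scutil output on stdin, skipping the
# loginwindow pseudo-user. Same awk as used in the thread.
console_user_from_scutil() {
  awk '/Name :/&&!/loginwindow/{print $3}'
}

# Canonicalize a name via the local directory: on macOS, `id -un` resolves a
# Jamf Connect alias to the record's real shortname. If the lookup fails (no
# such account, or not macOS), fall back to the name as given.
canonical_user() {
  _name="$1"
  _resolved=$(id -un "$_name" 2>/dev/null) || _resolved="$_name"
  printf '%s\n' "$_resolved"
}

# Return 0 if $1 appears as the shortname field of the fdesetup list in $2.
# Comparison is exact on the first comma-separated field, so "jzhang" does
# not match "jenniferzhang".
fv_user_enabled() {
  _user="$1"
  _list="$2"
  printf '%s\n' "$_list" | awk -F, -v u="$_user" '$1 == u {found=1} END {exit found ? 0 : 1}'
}

# Combined check mirroring the script's guard: canonicalize, then verify.
# Prints a diagnostic and returns 1 if the user is not FileVault-enabled.
check_fv_user() {
  _canon=$(canonical_user "$1")
  if fv_user_enabled "$_canon" "$2"; then
    printf '%s is on the FileVault enabled list\n' "$_canon"
    return 0
  fi
  printf '[ERROR]: %s is not on the list of FileVault enabled users\n' "$_canon" >&2
  return 1
}

# Demo against the constructed samples (on a real Mac, replace the samples
# with live `scutil` and `sudo fdesetup list` output).
_console=$(printf '%s\n' "$SCUTIL_SAMPLE" | console_user_from_scutil)
check_fv_user "$_console" "$FV_LIST_SAMPLE" || true
check_fv_user jenniferzhang "$FV_LIST_SAMPLE" || true
```

On a machine without the `jzhang` account the first demo call reproduces the thread's failure (the alias is not on the list); on an affected Mac, `id -un` would instead return `jenniferzhang` and the check would pass, which is exactly why the canonicalization step has to come before the `fdesetup` comparison.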

homebysix commented 1 year ago

I've applied this change in: https://github.com/homebysix/jss-filevault-reissue/pull/56