kc9wwh / FileVaultEnableAdminAccount

FileVault enable your organizational admin account...even on macOS 10.13!
MIT License

Enhancement Request - parameters for admin user and pass #2

Open jelockwood opened 6 years ago

jelockwood commented 6 years ago

First of all many thanks to the author Joshua Roskos @kc9wwh for this script.

This script was brought to my attention by JAMF support when I hit a problem trying to automate rotating FileVault recovery keys. As Joshua will be aware the problem is that the jamfmanagement account initially has no secure token and hence when it tries to rotate and re-escrow the FileVault key it goes wrong.

With this script and some smart groups to ensure things run at the right stages I can now:

  1. Have a policy to enforce FileVault encryption and escrow the original recovery key - since this is done using the user account, it has a secure token
  2. With this script, the jamfmanagement account is given a secure token, which, as mentioned, it initially does not have
  3. A third policy then uses the jamfmanagement account to rotate the FileVault recovery key on a regular basis, and since the jamfmanagement account now has a token, this works properly

Now getting back to my proposed enhancement. This script in its current form puts up a dialog asking the logged in user to provide their password and the presumption is that the current logged in user is an admin user and has a secure token.

In my case all my JAMF enrolled Macs also have a local admin account for which the password is randomised per Mac and stored as an extension attribute in the JSS. It should therefore be possible to pass as additional parameters to a modified version of this script the local admin username and password so that the

sysadminctl -secureTokenOn -password (interactive || -adminUser -adminPassword )

command can be run automatically and invisibly to the logged in user without needing to ask the user for their password.

Yes this involves sending the local admin password over the wire but I have a policy which is regularly changing this to a new random one for each Mac - just like I have one re-randomising the jamfmanagement password.

Could the author therefore consider adding the ability for this script to accept two additional parameters which, if provided, mean it can run automatically and invisibly as described, and if not provided, it runs in the current manner.

jelockwood commented 6 years ago

FYI - here is the script I use to populate an extension attribute to list whether the jamfmanagement account has or does not have a secure token. I then use this as part of a smart group to determine which machines need to run this script.

#!/bin/sh
# Jamf extension attribute: report whether jamfmanagement holds a secure token.
# sysadminctl writes its status line to stderr, so stderr is merged into the pipe;
# the seventh field of that line ("Secure token is ENABLED/DISABLED for user ...")
# is the ENABLED/DISABLED value we want.
accountToken=$(sysadminctl -secureTokenStatus jamfmanagement 2>&1 | awk '{print $7}')
echo "<result>$accountToken</result>"
exit
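
The enhancement proposed in the first comment (admin user/password as extra policy parameters, interactive fallback when absent) together with the status check from the extension attribute above, as an added example that is not the repository's script or the commenter's. It assumes Jamf passes custom parameters starting at $4, that $4/$5 are the account to enable and its password, and that $6/$7 are the proposed local admin user and password; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the FileVaultEnableAdminAccount script: grant a secure token to
# the management account non-interactively when local admin credentials arrive as
# Jamf policy parameters, otherwise hand off to the existing prompt-the-user path.
# Assumed parameter layout: $4 target account, $5 its password, $6 local admin user,
# $7 local admin password (the proposed new parameters). Function names are hypothetical.

# Classify the "Secure token is ENABLED/DISABLED for user X" line that
# `sysadminctl -secureTokenStatus` writes to stderr. Matching the phrase is
# sturdier than picking a fixed awk field, which breaks if the log prefix changes.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# "automatic" only when both admin user and password were supplied; anything
# else falls back to the script's current interactive dialog.
select_mode() {
  if [ -n "$1" ] && [ -n "$2" ]; then echo automatic; else echo interactive; fi
}

# Non-interactive grant. Credentials on a command line are readable by other local
# processes for the duration of the call; the request accepts that in exchange for
# rotating the local admin password regularly.
grant_token_automatic() {
  sysadminctl -adminUser "$3" -adminPassword "$4" -secureTokenOn "$1" -password "$2"
}

run_policy() {
  target="$4"; target_pass="$5"; admin="$6"; admin_pass="$7"
  if [ "$(token_status "$target")" = "ENABLED" ]; then
    echo "$target already has a secure token; nothing to do"; return 0
  fi
  case "$(select_mode "$admin" "$admin_pass")" in
    automatic)   grant_token_automatic "$target" "$target_pass" "$admin" "$admin_pass" ;;
    interactive) echo "no admin credentials supplied; run the interactive path"; return 2 ;;
  esac
}

# Run only when invoked by Jamf (parameters present) on a Mac that has sysadminctl.
if [ "$#" -ge 5 ] && command -v sysadminctl >/dev/null 2>&1; then run_policy "$@"; fi
```

Exit status 2 from run_policy is the signal to fall through to the current dialog-based flow rather than an error.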