
Creating an installer for activating Apple FileVault

I recently had a need for creating a way to remotely enable Apple's FileVault 2 full disk encryption. This script can be packaged with a certificate file used for a FileVaultMaster.keychain.
After FileVault has been enabled, the recovery key is captured into Absolute Manage from the plist file that fdesetup generates.
#!/bin/sh

# created by Ben Snyder 05/12/2013

## This script is designed to use an institutional + individual recovery key to enable FileVault 2 on a Mountain Lion system

#######################################################################################################################
## Steps this script will take:
## Looks to see if the drive is encrypted with FileVault already
## Prompt the user that the computer isn't encrypted, and ask for them to enter their password
## Create a plist file with the local admin and user's account information to use by the fdesetup command
## Run the fdesetup command to use the certificate included in the pkg installer and plist file that was generated
## Fdesetup will create a plist file with information about the encryption including the individual recovery key
## Run secure delete to remove the user creation plist file
## Prompt the user that the encryption has completed, and what to do when the machine is rebooted
## Installer is set to reboot the machine inside of Absolute Manage
#######################################################################################################################

# Paths used by the script. $1 is the package path that the installer passes to the script,
# so the certificate is read from the pkg's Resources folder.
userPlist="/Library/Scripts/com.filevaultuser.plist"
certFile="$1/Contents/Resources/FileVault_Recovery.cer"
recoveryPlist="/usr/local/FileVault/recoverykeyinfo.plist"

# Setup variable for current FileVault status (the installer already runs this script as root)
filevaultStatus=$(fdesetup status | head -1)

# Local username and password information that should be used for variables
localAdminUser="testusername"
localAdminPassword="testpassword"

# If not encrypted proceed, otherwise quit
if [ "$filevaultStatus" = "FileVault is Off." ]; then

    # Run an applescript to collect the user's password to use in the activation plist.
    # "with hidden answer" masks the typed password in the dialog.
    userPassword=$(/usr/bin/osascript << EOT
tell application "SystemUIServer"
    activate
    set userPassword to text returned of (display dialog "This computer does not currently have its hard drive encrypted with Apple's FileVault. Please enter your password to begin the process." with icon caution default answer "" with hidden answer)
end tell
EOT
)

    # If the user cancelled the dialog or entered nothing, stop instead of writing an empty password to the plist
    if [ -z "$userPassword" ]; then
        echo "No password entered; FileVault was not enabled"
        exit 1
    fi

    # Get the shortname of the user that is logged in (the owner of the console device)
    userName=$(stat -f %Su /dev/console)

    # If the logged in user is the local admin quit
    if [ "$userName" = "$localAdminUser" ]; then
        exit 0
    fi

    # Create the plist file that will be used for the encryption.
    # It holds two passwords in cleartext, so create it readable by root only for the short time it exists.
    umask 077
    /bin/cat > "$userPlist" << EOL
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>${localAdminUser}</string>
    <key>Password</key>
    <string>${localAdminPassword}</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>${userName}</string>
            <key>Password</key>
            <string>${userPassword}</string>
        </dict>
    </array>
</dict>
</plist>
EOL

    # Activate FileVault using the certificate from the installer; fdesetup writes the recovery key info to the output plist
    mkdir -p "$(dirname "$recoveryPlist")"
    fdesetup enable -inputplist -certificate "$certFile" -outputplist < "$userPlist" > "$recoveryPlist"
    fdeResult=$?

    # Securely remove user config plist file, whether or not fdesetup succeeded
    srm "$userPlist"

    if [ "$fdeResult" -ne 0 ]; then
        echo "fdesetup enable failed with status $fdeResult"
        exit "$fdeResult"
    fi

    # Prompt the user that the process is complete and that the computer will be restarting
    /usr/bin/osascript << EOT
tell application "SystemUIServer"
    activate
    display dialog "The FileVault activation process has completed, and the computer will now restart." buttons {"OK"} with icon stop
end tell
EOT

else
    echo "Machine is already encrypted"
fi

exit 0
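As an added example (not code from the original post), the following Python builds the same fdesetup input plist with plistlib, which XML-escapes the passwords that a shell heredoc would paste in raw, and parses a constructed sample of the -outputplist result to pull out the recovery key for escrow. The output key names (RecoveryKey, SerialNumber, HardwareUUID) and the recovery key format check are assumptions, not taken from the post.

```python
import plistlib
import re

# A personal recovery key is assumed to be six groups of four characters, dash separated.
RECOVERY_KEY_RE = re.compile(r"^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$")


def build_input_plist(admin_user, admin_password, user, user_password):
    """Return the XML that `fdesetup enable -inputplist` reads on stdin.

    plistlib escapes XML metacharacters, so a password like 'p<a&ss' cannot
    break the document the way it would when expanded inside a shell heredoc.
    """
    doc = {
        "Username": admin_user,
        "Password": admin_password,
        "AdditionalUsers": [{"Username": user, "Password": user_password}],
    }
    return plistlib.dumps(doc)


def is_recovery_key(key):
    """True if the string looks like a FileVault personal recovery key."""
    return bool(RECOVERY_KEY_RE.match(key or ""))


def parse_output_plist(data):
    """Pull the escrow fields out of the `-outputplist` document (key names assumed).

    Only the fields needed for escrow are returned, so the input passwords
    never travel with the result.
    """
    doc = plistlib.loads(data)
    if not is_recovery_key(doc.get("RecoveryKey")):
        raise ValueError("output plist has no well-formed RecoveryKey")
    return {field: doc.get(field) for field in ("RecoveryKey", "SerialNumber", "HardwareUUID")}


# Constructed sample of an fdesetup -outputplist document (not real output).
SAMPLE_OUTPUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>HardwareUUID</key><string>00000000-0000-0000-0000-000000000000</string>
<key>RecoveryKey</key><string>ABCD-EFGH-JKLM-NPQR-STUV-WXYZ</string>
<key>SerialNumber</key><string>CONSTRUCTED01</string>
</dict></plist>
"""

if __name__ == "__main__":
    print(build_input_plist("testusername", "testpassword", "jdoe", "p<a&ss").decode())
    print(parse_output_plist(SAMPLE_OUTPUT))
```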

Sophos SafeGuard: Custom Info Items for Absolute Manage

Whenever we implement new software, I try to include some tracking that can be used in Absolute Manage. Recently we’ve been working to get our Macs encrypted using Sophos SafeGuard full disk encryption. To make some reporting that is easy for our guys to use, I created two simple custom info items.
The first custom info item is for tracking the current encryption status of the Mac. It reports one of three states for the drive: Not Installed, Encrypting, or Encrypted. This status updates in Absolute Manage every time inventory is taken of the machine, or you can force it by gathering inventory.

#!/bin/sh

# Check to see if SafeGuard is installed, then pull the volume state from the sgadmin status table
if [ -f "/usr/bin/sgadmin" ]; then
    /usr/bin/sgadmin --status | grep -A 3 "Volume info" | grep "| 0" | awk -F '|' '{print $5}'
else
    echo "Not installed"
fi
exit 0

The second custom info item will show the last time the computer checked into the Enterprise console with its encryption status. We do our own tracking of the Macs using this field in Absolute Manage, but management does its tracking of both PCs and Macs in a separate central console.

#!/bin/sh

# Check to see if SafeGuard is installed, then pull the "Last contact" timestamp from the sgadmin status output
if [ -f "/usr/bin/sgadmin" ]; then
    /usr/bin/sgadmin --status | grep "Last contact" | awk '{print $4, $5, $6, $7, $8}'
else
    echo "Not installed"
fi
exit 0