I recently had a request to automate the process of adding unlock users for FileVault 2. We have some areas with shared-use / checkout portable computers, and the staff there frequently have to add unlock users for these systems. Unfortunately the CLI tools require to be fed the credentials of an existing FV2 unlock user, and in our Casper environment we do not enable the management account for FV2 unlock, because it would then be presented at the EFI pre-boot interface. Additionally, mobile users are not automatically enabled as FV2 unlock users the way local users are. So adding mobile unlock users is a largely manual process in our environment. The people who handle the day-to-day administration of these units have administrative credentials on the systems, so this process assumes the person(s) adding unlock users will have administrative credentials.
Since our environment doesn’t let us easily automate this process, I at least wanted to reduce the pain for the individuals who need to add unlock users. We have been making an effort to point users to Self Service for as many functions as possible. I put together a Self Service tool that saves them at least a couple of clicks and is in line with our “check Self Service first” message.
First, here is the script that opens the FileVault 2 preference pane. It’s not very robust, but it does what it needs to. It is AppleScript embedded in a bash script for easy execution by the JAMF tools.
#!/bin/bash
# Open the FileVault 2 (FDE) pane of System Preferences with an embedded AppleScript,
# then tell the user which controls to click. Run by the JAMF tools from a Self Service policy.
/usr/bin/osascript <<EOF
    tell application "System Preferences"
        set the current pane to pane id "com.apple.preference.Security"
        -- Listing the anchors is not required for the workflow; it is left in as a
        -- convenient way to see the anchor names available in the Security pane.
        get the name of every anchor of pane id "com.apple.preference.Security"
        -- "FDE" is the FileVault tab of the Security & Privacy pane.
        reveal anchor "FDE" of pane id "com.apple.preference.Security"
    end tell
    -- The dialog blocks until the user dismisses it, then System Preferences is brought to the front.
    display dialog "Click the lock, authenticate with admin credentials, then click the Enable Users... button."
    tell application "System Preferences"
        activate
    end tell
EOF
exit 0
I created a policy for self service and attached the script.
Now a user needing to add additional unlock users can go into Self Service, the location where they have become accustomed to finding the tools and software provided by IT, to add those unlock users.
After clicking the button they are presented with simple instructions on how to complete their task.
And off to the FileVault 2 preference pane they go.
This process is specific to our needs, and our desire to keep a consistent Self Service message. If anyone else out there has been trying to tackle the “how do we add more unlock users” conundrum, hopefully this can be of some assistance.
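As an added companion to the post (not the author's script), here is a small check for the situation described at the start, where mobile accounts are not enabled for FV2 unlock: it takes `fdesetup list` output, which prints one `username,UUID` line per enabled unlock user, and reports which expected accounts are still missing. The `fdesetup list` line format is assumed from macOS; the sample listing and usernames are constructed for offline testing.

```shell
#!/bin/bash
# Added example, not the post's own script: compare the enabled FileVault 2 unlock
# users (as printed by `fdesetup list`, one "username,UUID" per line) against a list
# of accounts that should be enabled, and name the ones that still need adding
# through the Security preference pane. On a real Mac replace the constructed
# sample with: listing="$(sudo fdesetup list)"

# Constructed sample of `fdesetup list` output for offline testing.
SAMPLE_FDE_LIST='localadmin,3A6F2E7B-1C1D-4F05-9E4B-0C0B4B2D6A11
jdoe,8E1C0F3A-7B44-4C2E-A1B1-5A2D1E9F7C22'

# fv2_enabled_users LISTING: print the username from each "username,UUID" line.
fv2_enabled_users() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 { print $1 }'
}

# fv2_missing_users LISTING "user1 user2 ...": print each expected user that is
# not an enabled FV2 unlock user. Returns 1 if any are missing, 0 otherwise.
fv2_missing_users() {
    local listing="$1" expected="$2" user status=0
    for user in $expected; do
        # awk exits 0 only when a line's first field equals the user.
        if ! printf '%s\n' "$listing" | \
            awk -F, -v u="$user" 'NF >= 2 && $1 == u { found = 1 } END { exit !found }'; then
            printf '%s\n' "$user"
            status=1
        fi
    done
    return $status
}

# Usage against the constructed sample: "mobileuser" is a mobile account that was
# never enabled, which is exactly the gap the post describes.
missing="$(fv2_missing_users "$SAMPLE_FDE_LIST" "localadmin jdoe mobileuser")" || \
    echo "Not enabled for FileVault 2 unlock: $missing"
```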