v1.2 = Added several pre-req checks and better logging verbiage
+ Added code to escape XML reserved characters + Added check for modern FileVault functionality + Added check for required Escrow Configuration Profiles + Added additional logging verbiage for Site Admins
@@ -3,27 +3,52 @@
|
||||
###################################################################################################
|
||||
# Script Name: reissue_FileVaultPRK.sh
|
||||
# By: Zack Thompson / Created: 12/19/2017
|
||||
# Version: 1.1 / Updated: 12/21/2017 / By: ZT
|
||||
# Version: 1.2 / Updated: 8/6/2017 / By: ZT
|
||||
#
|
||||
# Description: This script creates a new FileVault Personal Recovery Key by passing a valid Unlock Key via JSS Parameter to the Script.
|
||||
# - A valid Unlock Key can be any of: a user account password or current Personal Recovery Key
|
||||
# - A valid Unlock Key can be any of: a password for a FileVault enabled user account or current Personal Recovery Key
|
||||
#
|
||||
# Modern FileVault Logic details can be found in the "FDE Recovery Key Escrow Payload" section documented here:
|
||||
# https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf
|
||||
#
|
||||
# Some bits are inspired by Elliot Jordan's project: https://github.com/homebysix/jss-filevault-reissue
|
||||
#
|
||||
###################################################################################################
|
||||
|
||||
/usr/bin/logger -s "***** FileVault Key Reissue process: START *****"
|
||||
echo "***** FileVault Key Reissue process: START *****"
|
||||
|
||||
##################################################
|
||||
# Define Variables
|
||||
|
||||
exitValue=0
|
||||
cmdFileVault="/usr/bin/fdesetup"
|
||||
checkModernPRK="/var/db/FileVaultPRK.dat"
|
||||
# Substitute XML reserved characters
|
||||
fvPW=$(echo "${4}" | /usr/bin/sed 's/&/\&/g; s/</\</g; s/>/\>/g; s/"/\"/g; s/'"'"'/\'/g')
|
||||
# Get the OS Version
|
||||
osMinorVersion=$(/usr/bin/sw_vers -productVersion | /usr/bin/awk -F '.' '{print $2}')
|
||||
# Check if machine is FileVault enabled
|
||||
fvStatus=$($cmdFileVault isactive)
|
||||
fvStatus=$($cmdFileVault isactive)
|
||||
# Set Profile Identifiers
|
||||
legacyProfileID=""
|
||||
modernProfileID=""
|
||||
|
||||
##################################################
|
||||
# Now that we have our work setup...
|
||||
# Bits staged...
|
||||
|
||||
if [[ $(/usr/bin/profiles -Cv | /usr/bin/grep --quiet --fixed-strings --regexp="${legacyProfileID}" --regexp="${modernProfileID}") -ne 0 ]]; then
|
||||
echo "This device is missing the required FileVault Redirection Configuration Profile."
|
||||
echo "***** FileVault Key Reissue process: FAILED *****"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ $fvStatus == "true" ]]; then
|
||||
/usr/bin/logger -s "Machine is FileVault Encrypted."
|
||||
echo "Machine is FileVault Encrypted."
|
||||
|
||||
if [[ "${osMinorVersion}" -ge 13 && -e "${checkModernPRK}" ]]; then
|
||||
echo "Found pre-existing PRK data file; recording details..."
|
||||
preCheckPRK=$(/usr/bin/stat -f "%Sm" -t "%s" "${checkModernPRK}")
|
||||
fi
|
||||
|
||||
$cmdFileVault changerecovery -personal -inputplist &> /dev/null <<XML
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
@@ -31,23 +56,40 @@ if [[ $fvStatus == "true" ]]; then
|
||||
<plist version="1.0">
|
||||
<dict>
|
||||
<key>Password</key>
|
||||
<string>$4</string>
|
||||
<string>$fvPW</string>
|
||||
</dict>
|
||||
</plist>
|
||||
XML
|
||||
|
||||
exitCode=$?
|
||||
|
||||
if [[ $exitCode == 11 ]]; then
|
||||
/usr/bin/logger -s "Failed to issue a new Recovery Key."
|
||||
/usr/bin/logger -s "***** FileVault Key Reissue process: FAILED *****"
|
||||
exit 1
|
||||
# Clear password variable.
|
||||
unset fvPW
|
||||
|
||||
if [[ $exitCode != 0 ]]; then
|
||||
echo "Failed to issue a new Recovery Key."
|
||||
echo "\`fdesetup\` exit code was: ${exitCode}"
|
||||
echo "The list of exit codes and their meaning can be found here: https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man8/fdesetup.8.html"
|
||||
echo "***** FileVault Key Reissue process: FAILED *****"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
if [[ "${osMinorVersion}" -ge 13 && -e "${checkModernPRK}" ]]; then
|
||||
postCheckPRK=$(/usr/bin/stat -f "%Sm" -t "%s" "${checkModernPRK}")
|
||||
|
||||
if [[ $postCheckPRK -gt $preCheckPRK ]]; then
|
||||
echo "PRK Data file has been updated, running a Jamf Recon to Escrow the new Key."
|
||||
# This Inventory/Recon should Escrow the key and the next Recon should validate it.
|
||||
/usr/local/bin/jamf recon 2&1>>/dev/null
|
||||
else
|
||||
echo "WARNING: The PRK Data file does not appear to be been updated. Reissue attempt may have failed."
|
||||
exitValue=3
|
||||
fi
|
||||
fi
|
||||
else
|
||||
/usr/bin/logger -s "Machine is not FileVault Encrypted."
|
||||
echo "Machine is not FileVault Encrypted."
|
||||
fi
|
||||
|
||||
/usr/bin/logger -s "***** FileVault Key Reissue process: COMPLETE *****"
|
||||
echo "***** FileVault Key Reissue process: COMPLETE *****"
|
||||
|
||||
exit 0
|
||||
exit $exitValue
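Review bot: The new Configuration Profile pre-req check, `if [[ $(/usr/bin/profiles -Cv | /usr/bin/grep --quiet ...) -ne 0 ]]`, can never fail: `grep --quiet` prints nothing, so the command substitution is an empty string, which `[[` evaluates as 0 in the `-ne` comparison, and the script goes on to rotate the PRK even when neither escrow profile is installed — the one case in which the new key would not be escrowed while the old one has already been invalidated. Test grep's exit status directly, `if ! /usr/bin/profiles -Cv | /usr/bin/grep --quiet --fixed-strings --regexp="${legacyProfileID}" --regexp="${modernProfileID}"; then`, and because an empty `--regexp=` matches every line, refuse to run while either identifier is still the blank placeholder assigned above, e.g. `[[ -n "${legacyProfileID}" && -n "${modernProfileID}" ]] || { echo "Profile identifiers are not configured."; exit 1; }`. Separately, `/usr/local/bin/jamf recon 2&1>>/dev/null` parses as `jamf recon 2` backgrounded by `&` followed by a redirection on an empty command, so the recon presumably receives a stray `2` argument and the script does not wait for it; the intended form is `/usr/local/bin/jamf recon >> /dev/null 2>&1`. The `sed` escaping of the password appears here with its entity names stripped (`\&`, `\<`, …), which would make every substitution a no-op in sed; if the file actually carries `\&amp;`, `\&lt;` and so on this is only a rendering artifact, but `echo "${4}"` should still become `printf '%s' "${4}"` so a password beginning with `-n` or `-e` is not mangled before it reaches the plist.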
|
||||