From 97b4e453bba097540ac98d7f983226ef2746367b Mon Sep 17 00:00:00 2001
From: Zack T
Date: Mon, 6 Aug 2018 23:02:13 -0700
Subject: [PATCH] v1.2 = Added several pre-req checks and better logging verbiage
+ Added code to escape XML reserved characters
+ Added check for modern FileVault functionality
+ Added check for required Escrow Configuration Profiles
+ Added additional logging verbiage for Site Admins
---
 Jamf Pro/Scripts/reissue_FileVaultPRK.sh | 70 +++++++++++++++++++-----
 1 file changed, 56 insertions(+), 14 deletions(-)
diff --git a/Jamf Pro/Scripts/reissue_FileVaultPRK.sh b/Jamf Pro/Scripts/reissue_FileVaultPRK.sh
index 4ab8307..e3eb885 100644
--- a/Jamf Pro/Scripts/reissue_FileVaultPRK.sh
+++ b/Jamf Pro/Scripts/reissue_FileVaultPRK.sh
@@ -3,27 +3,52 @@
 ###################################################################################################
 # Script Name: reissue_FileVaultPRK.sh
 # By: Zack Thompson / Created: 12/19/2017
-# Version: 1.1 / Updated: 12/21/2017 / By: ZT
+# Version: 1.2 / Updated: 8/6/2017 / By: ZT
 #
 # Description: This script creates a new FileVault Personal Recovery Key by passing a valid Unlock Key via JSS Parameter to the Script.
-# - A valid Unlock Key can be any of: a user account password or current Personal Recovery Key
+# - A valid Unlock Key can be any of: a password for a FileVault enabled user account or current Personal Recovery Key
+#
+# Modern FileVault Logic details can be found in the "FDE Recovery Key Escrow Payload" section documented here:
+# https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf
+#
+# Some bits are inspired by Elliot Jordan's project: https://github.com/homebysix/jss-filevault-reissue
 #
 ###################################################################################################
-/usr/bin/logger -s "***** FileVault Key Reissue process: START *****"
+echo "***** FileVault Key Reissue process: START *****"
 ##################################################
 # Define Variables
+exitValue=0
 cmdFileVault="/usr/bin/fdesetup"
+checkModernPRK="/var/db/FileVaultPRK.dat"
+# Substitute XML reserved characters
+fvPW=$(echo "${4}" | /usr/bin/sed 's/&/\&/g; s//\>/g; s/"/\"/g; s/'"'"'/\'/g')
+# Get the OS Version
+osMinorVersion=$(/usr/bin/sw_vers -productVersion | /usr/bin/awk -F '.' '{print $2}')
 # Check if machine is FileVault enabled
- fvStatus=$($cmdFileVault isactive)
+fvStatus=$($cmdFileVault isactive)
+# Set Profile Identifiers
+legacyProfileID=""
+modernProfileID=""
 ##################################################
-# Now that we have our work setup...
+# Bits staged...
+
+if [[ $(/usr/bin/profiles -Cv | /usr/bin/grep --quiet --fixed-strings --regexp="${legacyProfileID}" --regexp="${modernProfileID}") -ne 0 ]]; then
+ echo "This device is missing the required FileVault Redirection Configuration Profile."
+ echo "***** FileVault Key Reissue process: FAILED *****"
+ exit 1
+fi
 if [[ $fvStatus == "true" ]]; then
- /usr/bin/logger -s "Machine is FileVault Encrypted."
+ echo "Machine is FileVault Encrypted."
+
+ if [[ "${osMinorVersion}" -ge 13 && -e "${checkModernPRK}" ]]; then
+ echo "Found pre-existing PRK data file; recording details..."
+ preCheckPRK=$(/usr/bin/stat -f "%Sm" -t "%s" "${checkModernPRK}")
+ fi
 $cmdFileVault changerecovery -personal -inputplist &> /dev/null <
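Review bot: The new Configuration Profile prerequisite at the top of this hunk can never fail: the `if` tests the stdout of `grep --quiet` (always empty, so `[[ "" -ne 0 ]]` is false) rather than its exit status, so a device missing the escrow profile proceeds to the key rotation anyway; test the pipeline directly, `if ! /usr/bin/profiles -Cv | /usr/bin/grep --quiet --fixed-strings --regexp="${legacyProfileID}" --regexp="${modernProfileID}"; then`. With `legacyProfileID=""` and `modernProfileID=""` left empty, `grep -F --regexp=""` matches every line, so even the corrected test passes trivially until real identifiers are filled in; guard with `[[ -n "${legacyProfileID}${modernProfileID}" ]] || { echo "Profile identifiers are not set."; exit 1; }`. The sed expression on the `fvPW=` line reads `s//\>/g` in this rendering, which looks mangled — confirm in the repository that the `<` and `>` substitutions are intact, otherwise an unlock key containing those characters produces a malformed plist and a spurious fdesetup failure. `osMinorVersion` is the second dotted field of `sw_vers`, so `-ge 13` only means what the comment intends while the major version is 10; comparing the full version is safer. The `if [[ $fvStatus == "true" ]]` block opened here closes in the next hunk.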
@@ -31,23 +56,40 @@ if [[ $fvStatus == "true" ]]; then
 Password
-$4
+$fvPW
 XML
 exitCode=$?
- if [[ $exitCode == 11 ]]; then
- /usr/bin/logger -s "Failed to issue a new Recovery Key."
- /usr/bin/logger -s "***** FileVault Key Reissue process: FAILED *****"
- exit 1
+ # Clear password variable.
+ unset fvPW
+
+ if [[ $exitCode != 0 ]]; then
+ echo "Failed to issue a new Recovery Key."
+ echo "\`fdesetup\` exit code was: ${exitCode}"
+ echo "The list of exit codes and their meaning can be found here: https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man8/fdesetup.8.html"
+ echo "***** FileVault Key Reissue process: FAILED *****"
+ exit 2
 fi
+ if [[ "${osMinorVersion}" -ge 13 && -e "${checkModernPRK}" ]]; then
+ postCheckPRK=$(/usr/bin/stat -f "%Sm" -t "%s" "${checkModernPRK}")
+
+ if [[ $postCheckPRK -gt $preCheckPRK ]]; then
+ echo "PRK Data file has been updated, running a Jamf Recon to Escrow the new Key."
+ # This Inventory/Recon should Escrow the key and the next Recon should validate it.
+ /usr/local/bin/jamf recon 2&1>>/dev/null
+ else
+ echo "WARNING: The PRK Data file does not appear to be been updated. Reissue attempt may have failed."
+ exitValue=3
+ fi
+ fi
 else
- /usr/bin/logger -s "Machine is not FileVault Encrypted."
+ echo "Machine is not FileVault Encrypted."
 fi
-/usr/bin/logger -s "***** FileVault Key Reissue process: COMPLETE *****"
+echo "***** FileVault Key Reissue process: COMPLETE *****"
-exit 0
+exit $exitValue
\ No newline at end of file
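Review bot: The recon line `/usr/local/bin/jamf recon 2&1>>/dev/null` does not redirect anything: bash parses it as `jamf recon 2 &` (a background job with a stray `2` argument) followed by an empty command carrying the `1>>/dev/null` redirect, so the script reaches `exit $exitValue` before the escrow recon has finished and its output is not suppressed; write `/usr/local/bin/jamf recon > /dev/null 2>&1` (assuming the `2>&1` was not simply lost in this rendering). The `-gt` comparison of `stat` mtimes in whole seconds reports "not updated" and exits 3 when fdesetup rewrites the PRK file within the same second as the pre-check, so `-ne`, or comparing a digest of the file before and after, is more reliable. `unset fvPW` does not remove the unlock key from `$4`, and nothing in the script can remove it from the process argv that `ps` exposes for the script's lifetime, so the Jamf parameter should be treated as readable by local users regardless. The `if [[ $fvStatus == "true" ]]` block this hunk closes starts in the previous hunk.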