Worklet: Enable FileVault on MacOS and add recovery key to tag

  • 10 December 2020
  • 0 replies
  • 302 views
Gary

The following worklet will enable FileVault on Macs and save the recovery key into Automox. To avoid requesting credentials from the user it has been set to enable at the next login.

The recovery key will be written to a tag in Automox the next time the worklet runs following FileVault being enabled.


Evaluation:


#!/bin/bash

#

# Check if FileVault is enabled

if ($(fdesetup isactive)); then

  echo "FileVault is enabled!"

  exit 0

fi

exit 1

Remediation:


#!/bin/bash

#Created by Gary Langley

#02/12/2020

#

# Check if FileVault is enabled or current user is System

if ( $(fdesetup isactive) && [ ! -f "/Users/Shared/Automox/filevault.plist" ] ); then

  echo "FileVault is already enabled!"

  exit 0

fi

# Enable Filevault and get Recovery Key

fdesetup enable -defer /Users/Shared/Automox/filevault.plist -forceatlogin 3 -dontaskatlogout



# Use Python to parse JSON output from API and return values required for the PUT request

python2 -c '

import urllib2

import json

import socket

import plistlib



host = socket.gethostname()

headers = {

    "Content-Type": "application/json",

    "Authorization": "Bearer <insert your API key>"

    }

url = "https://console.automox.com/api/servers?policyId=<insert policyID>"

req = urllib2.Request(url, None, headers)

response = urllib2.urlopen(req)

html = response.read()

jres = json.loads(html)

for item in jres:

    if item["name"] == host:

        serverid = item["id"]

        servergroupid = item["server_group_id"]

        orgid = item["organization_id"]

        reldata = {

            "ServerID": serverid,

            "ServerGroupID": servergroupid,

            "OrgID": orgid

        }

        with open("/Users/Shared/Automox/com.automox.agent.device.plist", "wb+") as fp:

            plistlib.writePlist(reldata, fp)

'



if [ -f "/Users/Shared/Automox/filevault.plist" ]; then

# Write recovery key to device tag in Automoxs

serverid=$(defaults read /Users/Shared/Automox/com.automox.agent.device ServerID)

servergroupid=$(defaults read /Users/Shared/Automox/com.automox.agent.device ServerGroupID)

orgid=$(defaults read /Users/Shared/Automox/com.automox.agent.device OrgID)

recoverykey=$(defaults read /Users/Shared/Automox/filevault RecoveryKey)

posturl="https://console.automox.com/api/servers/$serverid?o=$orgid"

curl -X PUT $posturl \

        -H 'Authorization: Bearer <insert your API key>' \

        -H 'Content-Type: application/json' \

        -d '{

            "server_group_id": '$servergroupid',

            "tags": [

                "Recovery Key: '$recoverykey'"

            ],

        "exception": false

        }'

echo "Recovery Key: $recoverykey"

exit 0

fi

echo "FileVault will be enabled at next login"

0 replies

Be the first to reply!

Reply


Terms & ConditionsCookie settings