
The following worklet will enable FileVault on Macs and save the recovery key into Automox. To avoid requesting credentials from the user, it has been set to enable at the next login.


The recovery key will be written to a tag in Automox the next time the worklet runs following FileVault being enabled.



Evaluation:

```bash
#!/bin/bash
#
# Check if FileVault is enabled (fdesetup isactive prints "true" or "false")
if [ "$(fdesetup isactive)" = "true" ]; then
    echo "FileVault is enabled!"
    exit 0
fi

exit 1
```



Remediation:

```bash
#!/bin/bash
#Created by Gary Langley
#02/12/2020
#
# Nothing to do if FileVault is already enabled and no deferred-enablement plist is waiting to be escrowed
if [ "$(fdesetup isactive)" = "true" ] && [ ! -f "/Users/Shared/Automox/filevault.plist" ]; then
    echo "FileVault is already enabled!"
    exit 0
fi

# Enable FileVault at the next login (deferred) and have the recovery key written to the plist.
# Only issue the enable when FileVault is not yet active; re-running it on an active volume just errors out.
if [ "$(fdesetup isactive)" != "true" ]; then
    fdesetup enable -defer /Users/Shared/Automox/filevault.plist -forceatlogin 3 -dontaskatlogout
fi

# Use Python to parse the JSON output from the API and store the values required for the PUT request
python2 -c '
import urllib2
import json
import socket
import plistlib

host = socket.gethostname()
headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer <insert your API key>"
}
url = "https://console.automox.com/api/servers?policyId=<insert policyID>"
req = urllib2.Request(url, None, headers)
response = urllib2.urlopen(req)
html = response.read()
jres = json.loads(html)
# Find this device by hostname and save its IDs to a plist the shell part can read with defaults(1)
for item in jres:
    if item["name"] == host:
        serverid = item["id"]
        servergroupid = item["server_group_id"]
        orgid = item["organization_id"]
        reldata = {
            "ServerID": serverid,
            "ServerGroupID": servergroupid,
            "OrgID": orgid
        }
        with open("/Users/Shared/Automox/com.automox.agent.device.plist", "wb+") as fp:
            plistlib.writePlist(reldata, fp)
        break
'

# The deferred plist only appears once FileVault has actually been enabled at login
if [ -f "/Users/Shared/Automox/filevault.plist" ]; then
    # Write recovery key to device tag in Automox
    serverid=$(defaults read /Users/Shared/Automox/com.automox.agent.device ServerID)
    servergroupid=$(defaults read /Users/Shared/Automox/com.automox.agent.device ServerGroupID)
    orgid=$(defaults read /Users/Shared/Automox/com.automox.agent.device OrgID)
    recoverykey=$(defaults read /Users/Shared/Automox/filevault RecoveryKey)
    posturl="https://console.automox.com/api/servers/$serverid?o=$orgid"
    curl -X PUT "$posturl" \
        -H 'Authorization: Bearer <insert your API key>' \
        -H 'Content-Type: application/json' \
        -d '{
            "server_group_id": '"$servergroupid"',
            "tags": [
                "Recovery Key: '"$recoverykey"'"
            ],
            "exception": false
        }'
    echo "Recovery Key: $recoverykey"
    exit 0
fi

echo "FileVault will be enabled at next login"
```

Hope you’re still around, Gary.

The API call to set the tag would overwrite existing tags. I don’t have enough knowledge yet to code this in, but I’m hoping someone else is capable of adding the new Recovery Key tag into a string along with the existing ones.


I’m also curious how the worklet is supposed to run subsequent times. Wouldn’t the Evaluation code prevent that once the FileVault is enabled on the first run?

Cheers!


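On the tag-overwrite point raised in the reply: an added example (Python 3, not Gary's worklet or Automox's own code) that reads the device's current tags from its GET /api/servers record, drops any stale Recovery Key tag from an earlier run, appends the new one and builds the PUT body the worklet sends. It assumes the server record exposes a `tags` list of strings and that the PUT accepts the same body shape as above; the sample response is constructed.

```python
"""Merge a FileVault recovery-key tag into a device's existing Automox tags.
Added example, not part of the original worklet. Assumes the server record
from GET /api/servers carries a "tags" list and PUT accepts the worklet's body."""
import json
import urllib.request

TAG_PREFIX = "Recovery Key: "

def find_server(servers, hostname):
    """Pick this host's record out of the GET /api/servers response."""
    for item in servers:
        if item.get("name") == hostname:
            return item
    raise LookupError("no Automox server record named %r" % hostname)

def build_tag_update(server, recovery_key):
    """Return a PUT body that keeps every existing tag and carries exactly one
    Recovery Key tag; a stale one from an earlier run is replaced, not added."""
    existing = server.get("tags") or []  # assumption: list of tag strings
    kept = [t for t in existing if not t.startswith(TAG_PREFIX)]
    kept.append(TAG_PREFIX + recovery_key)
    return {"server_group_id": server["server_group_id"],
            "tags": kept,
            "exception": False}

def put_tags(api_key, server, body):
    """Send the merged body to the Automox API (network call, not run offline)."""
    url = "https://console.automox.com/api/servers/%d?o=%d" % (
        server["id"], server["organization_id"])
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="PUT",
        headers={"Authorization": "Bearer " + api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

# Constructed sample of a GET /api/servers response with two devices.
SAMPLE_SERVERS = [
    {"id": 101, "name": "mac-finance-07", "server_group_id": 5,
     "organization_id": 42, "tags": ["Finance", "Recovery Key: OLD-KEY-XXXX"]},
    {"id": 102, "name": "mac-eng-01", "server_group_id": 6,
     "organization_id": 42, "tags": ["Engineering"]},
]

if __name__ == "__main__":
    srv = find_server(SAMPLE_SERVERS, "mac-finance-07")
    print(json.dumps(build_tag_update(srv, "NEW-KEY-CONSTRUCTED"), indent=2))
```

In the worklet, the shell part would call `put_tags` with the record found for `socket.gethostname()` instead of the fixed-tag curl body.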