Worklet: Enable FileVault on macOS and add recovery key to tag

  • 10 December 2020
  • 1 reply

The following worklet will enable FileVault on Macs and save the recovery key into Automox. To avoid requesting credentials from the user it has been set to enable at the next login.

The recovery key will be written to a tag in Automox the next time the worklet runs following FileVault being enabled.


# Check if FileVault is enabled
# fdesetup isactive prints "true" or "false"; that word is then run as the condition
if ($(fdesetup isactive)); then
    echo "FileVault is enabled!"
    exit 0
else
    exit 1
fi


#Created by Gary Langley
# Check if FileVault is enabled or current user is System
if ( $(fdesetup isactive) && [ ! -f "/Users/Shared/Automox/filevault.plist" ] ); then
    echo "FileVault is already enabled!"
    exit 0
fi

# Enable Filevault and get Recovery Key
# -defer writes the recovery key to the plist once the user enables FileVault at login
fdesetup enable -defer /Users/Shared/Automox/filevault.plist -forceatlogin 3 -dontaskatlogout

# Use Python to parse JSON output from API and return values required for the PUT request
# (python2 is not present on macOS 12.3 and later)
python2 -c '
import urllib2
import json
import socket
import plistlib

host = socket.gethostname()
headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer <insert your API key>"
}
url = "<insert policyID>"
req = urllib2.Request(url, None, headers)
response = urllib2.urlopen(req)
html = response.read()
jres = json.loads(html)

# Find this device in the returned list by hostname
for item in jres:
    if item["name"] == host:
        serverid = item["id"]
        servergroupid = item["server_group_id"]
        orgid = item["organization_id"]

# Save the IDs so the shell code below can read them with defaults
reldata = {
    "ServerID": serverid,
    "ServerGroupID": servergroupid,
    "OrgID": orgid
}
with open("/Users/Shared/Automox/com.automox.agent.device.plist", "wb+") as fp:
    plistlib.writePlist(reldata, fp)
'

if [ -f "/Users/Shared/Automox/filevault.plist" ]; then
    # Write recovery key to device tag in Automox
    serverid=$(defaults read /Users/Shared/Automox/com.automox.agent.device ServerID)
    servergroupid=$(defaults read /Users/Shared/Automox/com.automox.agent.device ServerGroupID)
    orgid=$(defaults read /Users/Shared/Automox/com.automox.agent.device OrgID)
    recoverykey=$(defaults read /Users/Shared/Automox/filevault RecoveryKey)
    # posturl is not set anywhere in the script as posted; placeholder for the device update URL
    posturl="<insert device update URL>"
    curl -X PUT "$posturl" \
        -H 'Authorization: Bearer <insert your API key>' \
        -H 'Content-Type: application/json' \
        -d '{
            "server_group_id": '$servergroupid',
            "tags": [
                "Recovery Key: '$recoverykey'"
            ],
            "exception": false
        }'
    echo "Recovery Key: $recoverykey"
    exit 0
fi
echo "FileVault will be enabled at next login"

1 reply

Hope you’re still around, Gary.

The API call to set the tag would overwrite existing tags. I don’t have enough knowledge yet to code this in, but I’m hoping someone else is capable of adding the new Recovery Key tag into a string along with the existing ones.


I’m also curious how the worklet is supposed to run subsequent times. Wouldn’t the Evaluation code prevent that once the FileVault is enabled on the first run?
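
The tag overwrite raised in the reply can be avoided by reading the device's current tags and sending them back together with the recovery-key tag. This is an added example in Python 3, not part of the original worklet or the thread; it assumes the device record returned by the API carries `tags` and `exception` fields, and the sample device, plist and keys are constructed.

```python
import json
import plistlib
import re

TAG_PREFIX = "Recovery Key: "  # same tag text the worklet writes
# FileVault personal recovery keys are six hyphen-separated groups of four characters.
KEY_FORMAT = re.compile(r"^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$")


def read_recovery_key(plist_bytes):
    """Extract RecoveryKey from the deferred-enablement plist written by fdesetup."""
    key = str(plistlib.loads(plist_bytes).get("RecoveryKey", ""))
    if not KEY_FORMAT.match(key):
        # Refuse to tag the device with an empty or malformed value.
        raise ValueError("plist does not contain a well-formed recovery key")
    return key


def merge_tags(existing_tags, recovery_key):
    """Keep every unrelated tag in order and replace any stale recovery-key tag."""
    kept = []
    for tag in existing_tags or []:
        if not tag.startswith(TAG_PREFIX) and tag not in kept:
            kept.append(tag)
    return kept + [TAG_PREFIX + recovery_key]


def build_update_body(device, recovery_key):
    """Build the JSON body for the PUT, carrying over the device's current state."""
    return json.dumps({
        "server_group_id": device["server_group_id"],
        "tags": merge_tags(device.get("tags"), recovery_key),
        # Assumption: the device record exposes its current exception flag.
        "exception": device.get("exception", False),
    })


# Constructed sample data (not a real device or key).
SAMPLE_DEVICE = {"id": 101, "name": "mac-01", "server_group_id": 7,
                 "organization_id": 3, "exception": True,
                 "tags": ["Finance", "Recovery Key: AAAA-BBBB-CCCC-DDDD-EEEE-FFFF"]}
SAMPLE_PLIST = plistlib.dumps({"RecoveryKey": "ABCD-1234-EFGH-5678-IJKL-9012"})

if __name__ == "__main__":
    print(build_update_body(SAMPLE_DEVICE, read_recovery_key(SAMPLE_PLIST)))
```

The string returned by `build_update_body` takes the place of the hard-coded `-d` body in the worklet's `curl` call.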