Skip to main content

The following worklet will enable FileVault on Macs and save the recovery key into Automox. To avoid requesting credentials from the user it has been set to enable at the next login.


The recovery key will be written to a tag in Automox the next time the worklet runs following FileVault being enabled.



Evaluation:



#!/bin/bash


#


# Check if FileVault is enabled


if ($(fdesetup isactive)); then


  echo "FileVault is enabled!"


  exit 0


fi


exit 1


Remediation:



#!/bin/bash


#Created by Gary Langley


#02/12/2020


#


# Check if FileVault is enabled or current user is System


if ( $(fdesetup isactive) && [ ! -f "/Users/Shared/Automox/filevault.plist" ] ); then


  echo "FileVault is already enabled!"


  exit 0


fi


# Enable Filevault and get Recovery Key


fdesetup enable -defer /Users/Shared/Automox/filevault.plist -forceatlogin 3 -dontaskatlogout





# Use Python to parse JSON output from API and return values required for the PUT request


python2 -c '


import urllib2


import json


import socket


import plistlib





host = socket.gethostname()


headers = {


    "Content-Type": "application/json",


    "Authorization": "Bearer <insert your API key>"


    }


url = "https://console.automox.com/api/servers?policyId=<insert policyID>"


req = urllib2.Request(url, None, headers)


response = urllib2.urlopen(req)


html = response.read()


jres = json.loads(html)


for item in jres:


    if item["name"] == host:


        serverid = item["id"]


        servergroupid = item["server_group_id"]


        orgid = item["organization_id"]


        reldata = {


            "ServerID": serverid,


            "ServerGroupID": servergroupid,


            "OrgID": orgid


        }


        with open("/Users/Shared/Automox/com.automox.agent.device.plist", "wb+") as fp:


            plistlib.writePlist(reldata, fp)


'





if [ -f "/Users/Shared/Automox/filevault.plist" ]; then


# Write recovery key to device tag in Automoxs


serverid=$(defaults read /Users/Shared/Automox/com.automox.agent.device ServerID)


servergroupid=$(defaults read /Users/Shared/Automox/com.automox.agent.device ServerGroupID)


orgid=$(defaults read /Users/Shared/Automox/com.automox.agent.device OrgID)


recoverykey=$(defaults read /Users/Shared/Automox/filevault RecoveryKey)


posturl="https://console.automox.com/api/servers/$serverid?o=$orgid"


curl -X PUT $posturl \


        -H 'Authorization: Bearer <insert your API key>' \


        -H 'Content-Type: application/json' \


        -d '{


            "server_group_id": '$servergroupid',


            "tags": [


                "Recovery Key: '$recoverykey'"


            ],


        "exception": false


        }'


echo "Recovery Key: $recoverykey"


exit 0


fi


echo "FileVault will be enabled at next login"

Hope you’re still around, Gary.

The API call to set the tag would overwrite existing tags. I don’t have enough knowledge yet to code this in, but I’m hoping someone else is capable of adding the new Recovery Key tag into a string along with the existing ones.

 

I’m also curious how the worklet is supposed to run subsequent times. Wouldn’t the Evaluation code prevent that once the FileVault is enabled on the first run?

Cheers!

Reply


Terms & ConditionsCookie settings