FileVault: Seamless Toggle On/Off and Key Rotation
  • 26 Dec 2023
  • 4 Minutes to read
  • PDF


Toggle On/Off the FileVault

The following shell script lets IT admins toggle FileVault on or off on managed Mac devices.

  1. Create a file on your desktop, for example ToggleFileVault.sh, and open it in a text editor such as Notepad++.

  2. Copy the contents below into the file, or click here to download it.

    1. If SHOULD_ENABLE="yes", the script activates FileVault and starts encryption.

    2. If SHOULD_ENABLE="no", the script deactivates FileVault and starts decryption.

    #!/usr/bin/env bash
    
    # Set to "yes" to enable FileVault, or "no" to disable it
    SHOULD_ENABLE="yes"
    
    # ====== DO NOT EDIT BELOW CODE ======
    
    brandIcon="/Applications/Scalefusion-MDM Client.app/Contents/Resources/AppIcon.icns"
    title="Scalefusion: Disable FileVault"
    if [[ "$SHOULD_ENABLE" = "yes" ]]; then
    title="Scalefusion: Enable FileVault"
    fi
    
    ## Get the logged in user's name
    userName=$(/usr/bin/stat -f%Su /dev/console)
    
    ## Grab the UUID of the User
    userNameUUID=$(dscl . -read /Users/$userName/ GeneratedUID | awk '{print $2}')
    
    ## Get the OS build
    BUILD=`/usr/bin/sw_vers -buildVersion | awk {'print substr ($0,0,2)'}`
    
    ## This first user check sees if the logged in account is already authorized with FileVault 2
    userCheck=`fdesetup list | awk -v usrN="$userNameUUID" -F, 'match($0, usrN) {print $1}'`
    
    if [ "${userCheck}" != "${userName}" ]; then
    echo "This user is not a FileVault 2 enabled user."
    exit 3
    fi
    
    ## Check to see if the encryption process is complete
    encryptCheck=`fdesetup status`
    echo "${encryptCheck}"
    statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
    onStatus="FileVault is On."
    if [ "${statusCheck}" == "${onStatus}" ]; then
    
        if [[ "$SHOULD_ENABLE" == "yes" ]]; then
        echo "FileVault is already enabled"
        exit 0
        fi
    
    else
    
        if [[ "$SHOULD_ENABLE" != "yes" ]]; then
        echo "FileVault is already disabled"
        exit 0
        fi
    
    fi
    
    passwordPrompt () {
    ## Get the logged in user's password via a prompt
    echo "Prompting ${userName} for their login password."
    text="Admin has requested to disable FileVault"
    if [[ "$SHOULD_ENABLE" = "yes" ]]; then
    text="Admin has requested to enable FileVault"
    fi
    
    userPass=$(/usr/bin/osascript <<EOF
    on run
        set userInput to text returned of (display dialog "$text" & return & "Enter login password for '$userName'" default answer "" with title "$title" buttons {"Cancel", "Ok"} default button 2 with icon POSIX file "$brandIcon" with hidden answer)
        return userInput
    end run
    EOF
    )
    
    # Check if the user canceled the dialog
    if [ "$?" == "1" ]; then
        echo "User Canceled"
        exit 0
    fi
    
    # Use the retrieved password
    if [[ ! -z "$userPass" ]]; then
    echo "User Password is not empty"
    else 
    echo "User password is empty"
    exit 4;
    fi
    
    # Note: -password puts the secret on the fdesetup command line, where other
    # local processes can read it (e.g. via ps) while the command runs.
    if [[ "$SHOULD_ENABLE" = "yes" ]]; then
    echo "Attempting to enable FV with the entered credentials"
    sudo fdesetup enable -user "$userName" -password "$userPass"
    else
    echo "Attempting to disable FV with the entered credentials"
    sudo fdesetup disable -user "$userName" -password "$userPass"
    fi
    }
    
    passwordPrompt
    
    exit
  3. Once the script is successfully executed you will be able to see the

Rotate FileVault PRK

The following script checks whether FileVault is on or off.

  1. If it is on, the script generates a new personal recovery key (PRK), which is synced to the Scalefusion dashboard.

  2. If it is off, the script turns FileVault on and starts encryption. The generated key appears in the output response in the View Status report on the dashboard, and becomes available in the Full Device Information card at the next sync interval.

  3. Create a file on your desktop, for example rotateFV.sh, and open it in a text editor such as Notepad++.

  4. Copy the contents below into the file, or click here to download it.

#!/usr/bin/env bash

# Resync the PRK with the MDM. If FileVault is not already on, it will be turned on
FORCE_SYNC_PRK_KEY="yes"

# ====== DO NOT EDIT BELOW CODE ======

brandIcon="/Applications/Scalefusion-MDM Client.app/Contents/Resources/AppIcon.icns"
title="Scalefusion: FileVault"

if [[ "$FORCE_SYNC_PRK_KEY" = "yes" ]]; then
  title="Scalefusion: Enable FileVault & Sync PRK"
else
  # Nothing below does any work unless the key sync is requested, so stop
  # here rather than prompting the user for a password that will not be used
  echo "FORCE_SYNC_PRK_KEY is not \"yes\"; nothing to do"
  exit 0
fi

## Get the logged in user's name
userName=$(/usr/bin/stat -f%Su /dev/console)

## Grab the UUID of the User
userNameUUID=$(dscl . -read /Users/$userName/ GeneratedUID | awk '{print $2}')

## Get the OS build
BUILD=`/usr/bin/sw_vers -buildVersion | awk {'print substr ($0,0,2)'}`

## This first user check sees if the logged in account is already authorized with FileVault 2
userCheck=`fdesetup list | awk -v usrN="$userNameUUID" -F, 'match($0, usrN) {print $1}'`

if [ "${userCheck}" != "${userName}" ]; then
  echo "This user is not a FileVault 2 enabled user."
  exit 3
fi

## Check to see if the encryption process is complete
encryptCheck=`fdesetup status`
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
onStatus="FileVault is On."
if [ "${statusCheck}" == "${onStatus}" ]; then
  echo "FileVault is already enabled"
else
  echo "FileVault is disabled"
fi

passwordPrompt () {
  ## Get the logged in user's password via a prompt
  echo "Prompting ${userName} for their login password."
  text="Admin has requested to disable FileVault"
  if [[ "$FORCE_SYNC_PRK_KEY" = "yes" ]]; then
    text="Admin has requested to enable FileVault"
  fi

  userPass=$(/usr/bin/osascript <<EOF
  on run
  set userInput to text returned of (display dialog "$text" & return & "Enter login password for '$userName'" default answer "" with title "$title" buttons {"Cancel", "Ok"} default button 2 with icon POSIX file "$brandIcon" with hidden answer)
  return userInput
  end run
EOF
)

  # Check if the user canceled the dialog
  if [ "$?" == "1" ]; then
    echo "User Canceled"
    exit 0
  fi

  # Use the retrieved password
  if [[ ! -z "$userPass" ]]; then
    echo "User Password is present"
  else 
    echo "User password is empty"
    exit 4;
  fi

  # Note: -password puts the secret on the fdesetup command line, where other
  # local processes can read it (e.g. via ps) while the command runs.
  if [[ "$FORCE_SYNC_PRK_KEY" = "yes" ]]; then
    echo "Attempting to enable FV with the entered credentials"
    sudo fdesetup enable -user "$userName" -password "$userPass"
    echo "Generating a new personal recovery key"
    sudo fdesetup changerecovery -personal -user "$userName" -password "$userPass"
  fi
}

passwordPrompt

exit
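Both scripts above follow one flow: read `fdesetup status`, compare it with the desired setting, prompt the console user for their password, and call fdesetup. The script below is an added example, not Scalefusion's own, that carries the same toggle and PRK-rotation flow with two changes a practitioner would want: the password is handed to fdesetup on stdin with `-inputplist` (documented in fdesetup(8)) rather than on the command line with `-password`, and "Encryption in progress" is treated as a state of its own instead of being read as "FileVault is On." The function names, the `ROTATE_PRK` setting and the sample status text are this example's own; it assumes `-inputplist` is accepted by the `enable`, `disable` and `changerecovery` verbs, and it only calls fdesetup when that tool is present on the machine.

```shell
#!/usr/bin/env bash
# Added example, not Scalefusion's script: toggle FileVault or rotate the PRK,
# handing the password to fdesetup over stdin (-inputplist) instead of -password.
# Function names, ROTATE_PRK and the sample text below are this example's own.

SHOULD_ENABLE="yes"   # "yes" = FileVault should be on, "no" = it should be off
ROTATE_PRK="yes"      # when already on and SHOULD_ENABLE="yes", mint a new PRK

# Constructed sample of `fdesetup status` output mid-encryption (not captured
# from a real Mac); note that it still contains "FileVault is On."
SAMPLE_BUSY='FileVault is On.
Encryption in progress: Percent completed = 42'

# Classify the text printed by `fdesetup status`. The progress lines are checked
# first because "FileVault is On." is also printed while encryption is running.
fv_state_from_status() {
  case "$1" in
    *"Encryption in progress"*) echo encrypting ;;
    *"Decryption in progress"*) echo decrypting ;;
    *"FileVault is On."*)       echo on ;;
    *"FileVault is Off."*)      echo off ;;
    *)                          echo unknown ;;
  esac
}

# Map (desired setting, current state) to the action to take.
decide_action() {
  case "$1:$2" in
    yes:on|no:off)             echo noop ;;
    *:encrypting|*:decrypting) echo wait ;;
    yes:off)                   echo enable ;;
    no:on)                     echo disable ;;
    *)                         echo unknown ;;
  esac
}

# Escape the characters that would break the plist if the password contains them.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist that `fdesetup <verb> -inputplist` reads from stdin.
build_fdesetup_plist() {
  printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
    '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
    '<plist version="1.0">' '<dict>'
  printf '  <key>Username</key>\n  <string>%s</string>\n' "$(xml_escape "$1")"
  printf '  <key>Password</key>\n  <string>%s</string>\n' "$(xml_escape "$2")"
  printf '%s\n' '</dict>' '</plist>'
}

# Same hidden-answer dialog the page uses; osascript exits non-zero on Cancel.
prompt_password() {
  /usr/bin/osascript -e "text returned of (display dialog \"Enter login password for '$1'\" default answer \"\" with title \"FileVault\" with hidden answer)"
}

main() {
  userName=$(/usr/bin/stat -f%Su /dev/console)
  state=$(fv_state_from_status "$(fdesetup status)")
  action=$(decide_action "$SHOULD_ENABLE" "$state")
  case "$action" in
    wait)    echo "FileVault is busy ($state); run again once it finishes"; return 2 ;;
    unknown) echo "Could not determine FileVault state"; return 3 ;;
    noop)
      if [ "$state" = on ] && [ "$ROTATE_PRK" = yes ]; then
        action=rotate
      else
        echo "FileVault is already $state; nothing to do"; return 0
      fi ;;
  esac
  userPass=$(prompt_password "$userName") || { echo "User cancelled"; return 0; }
  [ -n "$userPass" ] || { echo "Empty password"; return 4; }
  # The PRK printed by enable/changerecovery goes to stdout, as in the page's scripts.
  case "$action" in
    enable)  build_fdesetup_plist "$userName" "$userPass" | fdesetup enable -inputplist ;;
    disable) build_fdesetup_plist "$userName" "$userPass" | fdesetup disable -inputplist ;;
    rotate)  build_fdesetup_plist "$userName" "$userPass" | fdesetup changerecovery -personal -inputplist ;;
  esac
}

echo "sample status parses as: $(fv_state_from_status "$SAMPLE_BUSY")"   # encrypting
# Only touch the system when the macOS tools are actually present.
if command -v fdesetup >/dev/null 2>&1; then
  main
fi
```

Run it the same way as the page's scripts (as root through the MDM client). Because `decide_action` returns `wait` while encryption or decryption is in progress, a re-run is safe: the script neither re-enables an already-encrypting volume nor tries to disable one mid-encryption, and the password never appears in the process list.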

Follow our guide to upload and publish the shell script using the Scalefusion Dashboard.

Please note that to use the shell scripts, the Scalefusion MDM Client application must be installed on the device(s). Please follow our guide to publish and install the Scalefusion MDM Agent application.

Notes:

  1. The scripts and their contents are sourced from various, though authenticated, Apple developer communities and forums.

  2. Please validate the scripts on a test machine before deploying them on all your managed devices.

  3. Scalefusion has tested these scripts; however, Scalefusion will not be responsible for any loss of data or system malfunction that may arise from incorrect use of these scripts.
