Symantec Management Platform (Notification Server)

  • 1.  Cannot automate FDESETUP (FileVault) hard drive encryption for MAC OS X

    Posted May 04, 2015 04:42 PM

    PROBLEM:

    I can manually run various commands in the MAC OS X terminal to configure the system for FileVault hard drive encryption. However, the issue is that I cannot script it out as a Run Script.

    Example 1 - Enable FileVault with admin_user

    echo "password" | sudo -S fdesetup enable -useradd admin_user -outputplist > /Users/admin_user/Desktop/FDESETUP_ENABLE.PLIST

    Example 2 - Refresh / Change FileVault Recovery Key

    echo "password" | sudo -S fdesetup changerecovery -personal > /Users/admin_user/Desktop/CHANGE_RECOVERY.PLIST


    In both cases, I run into a brick wall of a problem on the local machine (before I've attempted pushing from the SMP). The problem is that the system requests the password of the user I specify to add to the system for the Example 1 command:

    Enter the password for user 'admin_user':

    The Example 2 command asks a similar question, needing the password, as noted below:

    Enter a password for "/", or the recovery key:


    The added kicker is to make this work as a RUN SCRIPT from the SMP side pushed to this machine. My intent is to enable encryption for those systems without it enabled already. The second part is to create a custom inventory to put the recovery key into, which could then be used to verify if the key is current/functional. Thus, refreshing the key, if it had changed.

    FYI. Sending the output to a Plist file was just to confirm I am getting some sort of output from the commands to verify it actually worked.

    Also, the below link is similar via another tool, but I want to do this via the SMP.

    https://jamfnation.jamfsoftware.com/discussion.html?id=13018


    If we can get around the FDESETUP password issue and get it to somehow run from an SMP script, then it should be easier to go from there.


    Thoughts anyone?



  • 2.  RE: Cannot automate FDESETUP (FileVault) hard drive encryption for MAC OS X

    Broadcom Employee
    Posted May 07, 2015 11:10 AM

    Hi Phish,

    Did you try to:

    1. Use exact Mac client credentials to run this script task on client PC?

    2. Also you can use "Save script output with task status" option to see information after script execution on client side, from SMP Console.

    [screenshot: MacScript.jpg]

    3. Are you executing all scripts using a single "Run Script" task? Or did you also try to create a "Client Job", where separate "Run Script" tasks are added for each script in the appropriate execution sequence?


    Thanks,

    IP.



  • 3.  RE: Cannot automate FDESETUP (FileVault) hard drive encryption for MAC OS X

    Posted May 07, 2015 02:40 PM

    Didn't know about the script output option. Thanks for that Igor.


    I took a step backward in the process, to a machine that has the drive already encrypted. On such a machine, the key can be changed / refreshed. So, if I can get a change recovery key script to work, then I should be able to get the other methods to work as well.

    Below is the command a person with an encrypted drive can run to change / refresh the recovery key:

    fdesetup changerecovery -personal

    Running that command in SMP as a "Run Script" comes back with the following error:

    [screenshot: Capture_1.PNG]

    The return code is specific to FDESETUP. The man page for it indicates "Authentication Error".




  • 4.  RE: Cannot automate FDESETUP (FileVault) hard drive encryption for MAC OS X

    Broadcom Employee
    Posted May 14, 2015 02:59 AM

    Hi Phish,

    Do you have any success with this case?

    I have another idea for how to implement your case:

    It seems a smart bash script in a .sh file is required, which will automatically execute and pass all additional actions on the client PC.

    For example:

    1. Create such a bash script in a file "bash.sh"

    2. Open SMP Console -> Manage -> Software -> Software Release -> import this bash.sh file.

    3. Edit imported bash.sh file in SMP Console and add command lines.

    • Permissions add action: chmod u+x bash.sh
    • Execute script file: ./bash.sh

    [screenshot: Bash_Script_Package1.jpg]

    4. Create 2 separate "Quick Delivery" tasks, where:

    • 1st Quick Delivery task is to deliver the bash.sh file to the client PC and set chmod u+x
    • 2nd Quick Delivery task is to execute this delivered bash.sh script file on the client PC
    • Both Quick Delivery tasks are put in a created "Client Job" with the appropriate execution order.

    [screenshot: Mac Client Job.jpg]

    Note: All client computers should have the "Software Management Solution plug-in" installed; without this plug-in, "Quick Delivery" tasks will not be executed and will fail.

    ********************************

    Another way is to create a "Client Job" and include there separate "Run Script" tasks in the appropriate order with appropriate "Conditions" set; then you don't need to have the "Software Management Solution plug-in" installed on the client PC to execute such a "Client Job".

    ********************************

    Thanks,
    IP.




  • 5.  RE: Cannot automate FDESETUP (FileVault) hard drive encryption for MAC OS X

    Posted Jun 09, 2015 11:10 AM

    Igor,


    What you suggest would only get me around the SUDO issue. SUDO just gets me admin level access to run the command, which is the first password I would get asked for.

    Ignoring the elevated rights that FDESETUP needs to run, the script error in the logs is specific to FDESETUP, which is asking for the password of the user account running the command. More importantly, the system does not allow for the piping in of a password via normal scripting. It seems to want to force a level of human interaction to make enabling it hard, or, more importantly, to keep any viruses from sneaking in and decrypting the drive without you knowing. What I am looking to do could be used in a negative way, as changing the recovery key would not alert the end user of the change.

    What I may need to create / use is an EXPECT script. The kicker is that I have never written one. If this were a BATCH script or POWERSHELL, then I might have a better chance, but Linux / Mac is another beast altogether with its scripting, especially with EXPECT scripts.

    If I had a primer for this, then it would be far easier. Yet what I am finding online is few and far between. Adding insult to injury, Mac OS X 10.8.5+ saw the removal of a helper command called AUTOEXPECT, which is akin to AUTOIT in Windows.

    Hence my little problem being not so simple.
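The password prompt from the first post and the piping problem described in the post above, as an added example that is not code from the thread: fdesetup can read its credentials from a property list on standard input instead of a terminal prompt, and can hand the new key back as a plist, so no expect script is needed. This POSIX sh script builds that input plist, rotates the personal recovery key on an already-encrypted volume, and pulls the key back out for a custom inventory. The `-inputplist` option, the `Username`/`Password` keys it expects and the `RecoveryKey` key in the `-outputplist` result are assumptions about fdesetup's interface on the target OS X version; the sample plist in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed fdesetup interface:
#   -inputplist  reads a plist with Username/Password keys from stdin
#   -outputplist writes a plist whose RecoveryKey string is the new key
set -eu

# Escape the three characters that would break the plist XML.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist fdesetup reads from stdin. Credentials travel over a pipe,
# not on the command line, so `ps` on the client does not expose them the way
# `echo "password" | sudo -S ...` does.
build_auth_plist() {
  printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
    '<plist version="1.0"><dict>' \
    "<key>Username</key><string>$(xml_escape "$1")</string>" \
    "<key>Password</key><string>$(xml_escape "$2")</string>" \
    '</dict></plist>'
}

# Pull the RecoveryKey string out of the plist written by -outputplist
# (constructed sample: <key>RecoveryKey</key> then <string>XXXX-...</string>;
# the <string> may sit on the same line as the <key> or on the next one).
extract_recovery_key() {
  awk '/<key>RecoveryKey<\/key>/ { want = 1 }
       want && match($0, /<string>[^<]*<\/string>/) {
         print substr($0, RSTART + 8, RLENGTH - 17); exit }' "$1"
}

# Rotate the personal recovery key on an already-encrypted volume (the
# third post's case) and print the new key so a custom inventory can escrow it.
# Must run as root on macOS; $1 = FileVault-enabled admin user, $2 = password.
rotate_recovery_key() {
  out=$(mktemp)
  chmod 600 "$out"   # the new key is a secret: keep the file private, delete it after
  build_auth_plist "$1" "$2" |
    fdesetup changerecovery -personal -inputplist -outputplist > "$out"
  key=$(extract_recovery_key "$out")
  rm -f "$out"
  [ -n "$key" ] || { echo "fdesetup output had no RecoveryKey" >&2; return 1; }
  printf '%s\n' "$key"
}
```

Whatever stores the returned key (the custom inventory here) becomes able to unlock the disk, so it needs the same access controls as the password that produced it.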