07 FileVault Authenticated Restarts
With the command fdesetup authrestart you can perform a restart that lets the user reboot the computer without having to unlock the disk at the next boot. This reduces the time it takes a user to get back to work and improves the overall user experience.
On supported hardware, fdesetup allows restart of a FileVault-enabled system without requiring unlock during the subsequent boot using the authrestart command. WARNING: FileVault protections are reduced during authenticated restarts. In particular, fdesetup deliberately stores at least one additional copy of a permanent FDE (full disk encryption) unlock key in both system memory and (on supported systems) the System Management Controller (SMC).
If FileVault is enabled on the current volume, it restarts the system, bypassing the initial unlock.
In the script 00-uexrestartagent-jss there is a parameter you can hard code before uploading the script. As of v5.0 this setting has been moved to the Jamf Interaction Configuration in 00-UEX-Jamf-Interaction-no-grep.sh: enable_filevault_reboot. Simply set this value to true and it will do the rest!
- The script will check whether the logged-in user is authorized to unlock the disk and whether the disk supports authenticated restart.
- If both are true, it will offer the user an authenticated restart.
- They have 5 minutes to respond; otherwise it falls back to the normal restart method.
In order for the changes to complete you must restart your computer. Please save your work.
Would you like to enter your password to have the computer unlock the disk automatically? Note: Automatic unlock does not always occur.
From there the user can click Yes and will be asked to enter their password via an osascript display dialog.
The password is not stored anywhere; it is only held in a variable for the duration of the script.
Then it runs the command fdesetup authrestart, supplying the username and password.
If the script is still running at that point, the command failed, so it shows a failure message:
There was an error with the authenticated restart. Your password may be incorrect, out of sync, or blank.
Click "Try Again" or "Cancel".
- If they click Try Again then it will loop back for the password again.
- If they click Cancel then it performs a normal restart.
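The flow described above as an added bash sketch, not the UEX project's own script: it reuses the page's dialog wording, checks both preconditions, and hands the credentials to fdesetup through -inputplist on stdin rather than as command-line arguments, which any local process could read with ps. The helper names xml_escape, build_authrestart_plist and user_can_unlock are my own choices.

```bash
#!/bin/bash
# Added example of the authenticated-restart flow; not the UEX project's script.
# Assumes macOS with fdesetup/osascript and root privileges (fdesetup needs them).

# Escape a value for an XML plist so a password containing & < > cannot break
# the document or smuggle extra keys into it.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Build the plist fdesetup reads from stdin with -inputplist, so the password
# never appears as a command-line argument (those are visible to every user via ps).
build_authrestart_plist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
  printf '<key>Username</key><string>%s</string>\n' "$(xml_escape "$1")"
  printf '<key>Password</key><string>%s</string>\n' "$(xml_escape "$2")"
  printf '</dict></plist>\n'
}

# $1 = user, $2 = output of `fdesetup list` (lines of "user,UUID").
# Returns 0 only if that user is authorised to unlock the disk.
user_can_unlock() {
  printf '%s\n' "$2" | cut -d, -f1 | grep -qxF -- "$1"
}

# Password prompt with the 5-minute timeout; prints nothing on Cancel or timeout.
prompt_password() {
  osascript -e 'text returned of (display dialog "In order for the changes to complete you must restart your computer. Please save your work.\n\nEnter your password to have the computer unlock the disk automatically. Note: Automatic unlock does not always occur." default answer "" with hidden answer giving up after 300)' 2>/dev/null
}

main() {
  local user pw
  user=$(stat -f '%Su' /dev/console)
  if ! fdesetup supportsauthrestart | grep -q true || \
     ! user_can_unlock "$user" "$(fdesetup list)"; then
    shutdown -r now; return            # hardware or user not eligible: normal restart
  fi
  while :; do
    pw=$(prompt_password)
    [ -n "$pw" ] || { shutdown -r now; return; }   # timeout or Cancel: normal restart
    if build_authrestart_plist "$user" "$pw" | fdesetup authrestart -inputplist; then
      return                           # authenticated restart is under way
    fi
    # Still here, so fdesetup failed: Try Again loops, Cancel (non-zero exit) restarts normally.
    osascript -e 'display dialog "There was an error with the authenticated restart. Your password may be incorrect, out of sync, or blank." buttons {"Try Again","Cancel"} default button "Try Again"' >/dev/null 2>&1 \
      || { shutdown -r now; return; }
  done
}

if [ "${1:-}" = "--run" ]; then main; fi
```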
🌈 Documentation is not my forté. If you would like to contribute please write me on MacAdmins slack @cubandave