Disabling FileVault 2 with fdesetup on Mountain Lion and Mavericks

March 22, 2014

Recently, I was asked how to disable FileVault 2 without needing to go into System Preferences. The general idea was that an organization may want to provide their users without admin rights a way to turn off FileVault 2 on an as-needed basis.

Most of the work I’ve done has been focused around turning on FileVault 2 and managing it, rather than providing a way for users to turn it off. That said, fdesetup on both Mountain Lion and Mavericks provides a way to disable FileVault 2 with proper authorization.

To disable FileVault 2 on the Mac you’re logged into, run the following command with root privileges:

fdesetup disable

You’ll be prompted for either the password of an enabled user or a personal recovery key.

Note: If a personal recovery key was not set up on a particular Mac, you’ll only be prompted for the password of an enabled user.

Once the password or personal recovery key has been entered, the Mac will begin to decrypt.

For those who want to automate this procedure, you can do this using an expect script or other means. As an example, I’ve written an expect script which automates running the fdesetup disable process described above.

Setting Parameter Labels in Casper

March 20, 2014

I recently learned about how to use Parameter Labels as part of a JAMF training class. I had read about them in the Casper Administrator’s Guide but managed to fundamentally misunderstand what they did and how they work.

What I thought:

Adding a Parameter Label value to a script in Casper Admin meant that the associated variable value would be pre-set for the script when I added it to a policy.

I didn’t want this behavior, as I wanted to maintain flexibility when setting policies. Consequently, I didn’t set anything in the Parameter Label value for my scripts.

How they actually work:

Setting the Parameter Label value in Casper Admin means that you’re changing the label that shows up in the script parameters in a policy. For example, changing the Parameter Label value for Parameter 4 in Casper Admin to Username means that the parameter name for the script will change from Parameter 4 to Username when you add the script to a policy.

Here’s how to set Parameter Labels in Casper Admin:

1. Open Casper Admin

2. Select the script you want.

3. Click the Info button.

4. Click the Options tab.

5. Set the parameter you want to change to the desired name.

6. When you create a policy that uses that script, the parameter will have the name you set instead of the default parameter name.

Categories: Bash scripting, Casper

FileVault 2 session at MacIT 2014

March 15, 2014

I’ll be speaking about FileVault 2 at MacIT 2014, which is being held from March 26th – 29th, 2014 in San Francisco. For those interested, my talk will be on Wednesday, March 26th.

For a description of what I’ll be talking about, please see the IT804: Managing Mavericks’ FileVault2 with fdesetup session page, which is linked on the MacIT Wednesday Full Agenda page.

Payload-Free Package Creator.app

March 8, 2014

I do a lot of work with payload-free packages and I’ve looked for a while for a tool that would let me easily create them from existing scripts. While I have a process for creating them as needed with pkgbuild, this approach still requires some setup work.

After thinking about it and taking a look at various approaches, I’ve developed Payload-Free Package Creator.app, an Automator application that will allow the selection of an existing script and create a payload-free package that runs the selected script. For more details, see below the jump.

Deploying Sophos Anti-Virus for Mac OS X 9.x

February 20, 2014

For the past few major releases, Sophos used a standard installer package to install both their free and paid antivirus solution. With the release of Sophos Anti-Virus 9.x though, Sophos changed how their antivirus solution for Macs was installed by switching to using an application to install it. For their customers using Sophos Enterprise Console, Sophos will still provide an installer metapackage, but all other customers now need to use the application to install Sophos Anti-Virus 9.x on Macs.

Curiously, Sophos went to some lengths to make their install application look like a standard installer package.

This extended to the point of naming the actual application as Installer, which is the same name as Apple’s Installer.

This switch away from using installer packages was a problem for Mac admins who wanted to deploy Sophos 9.x, but did not have Sophos’ enterprise console. After doing some research and reading a very helpful thread on JAMF Nation, it looks like it is possible to repackage Sophos 9.x for deployment. For more details, see below the jump.

Managing the Authorization Database in OS X Mavericks

February 16, 2014

Prior to OS X Mavericks, the /etc/authorization XML file controlled the rights for many different actions, such as adding a printer, setting up Time Machine or setting DVD region codes. Modifying this file required root access and could be performed with a text editor. The /etc/authorization file could also be modified by using the security command line tool included with OS X, but most chose not to do so because directly editing the file was easier.

With the release of OS X Mavericks, /etc/authorization has been removed in favor of a new authorization database, which is a SQLite database located at /var/db/auth.db. There is also an authorization.plist file located in /System/Library/Security, which is used by the OS as a template for a new /var/db/auth.db database file, in the event that the OS detects on boot that /var/db/auth.db does not exist.

To see what’s in the database, you can export it to a text file with the following command (run from /var/db, or substitute the full /var/db/auth.db path):

sudo sqlite3 auth.db .dump > /path/to/filename.txt

It’s also possible to open the exported data directly inside text editors that support this option. For example, the following command can be used to export the database and automatically open the exported data in a new TextWrangler document:

sudo sqlite3 auth.db .dump | edit

Power Nap, power management settings and FileVault 2

February 12, 2014

I recently purchased a new MacBook Pro Retina for my own use and encrypted it with FileVault 2. As part of setting it up, I ran the following command to ensure that the laptop hibernated (where the contents of the RAM are written to disk) and also had the FileVault 2 key automatically removed from the saved RAM state when I put the laptop to sleep:

sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25

I then put my laptop to sleep and shortly thereafter went to sleep myself.

The next morning, I went to wake up my laptop. I expected to see my account icon and a password blank at the FileVault 2 login screen, which would indicate that it had been asleep.

Instead, I saw the icons for all of the FileVault 2-enabled accounts on my laptop.

That indicated that my laptop had turned off instead of being asleep. For more details, see below the jump.
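As an added example (not from the original post), here is a small audit script that parses the "Currently in use" section of pmset -g output and reports whether the two settings set above, hibernatemode 25 and destroyfvkeyonstandby 1, are in effect. The sample output is constructed for the example, and the check treats the post's values as the desired ones; pmset -g lists DestroyFVKeyOnStandby in mixed case, so keys are compared case-insensitively.

```python
import subprocess

# Constructed sample of `pmset -g` output for offline testing (not captured
# from a real Mac). Here the laptop still uses the default hibernatemode 3
# and does not destroy the FileVault key on standby.
SAMPLE_PMSET_OUTPUT = """\
Active Profiles:
Battery Power\t\t-1
AC Power\t\t-1*
Currently in use:
 standby              1
 hibernatefile        /var/vm/sleepimage
 hibernatemode        3
 DestroyFVKeyOnStandby 0
 sleep                10
 displaysleep         10
"""


def parse_pmset(output):
    """Return the settings under 'Currently in use:' as {lowercase name: value}."""
    settings = {}
    in_section = False
    for line in output.splitlines():
        if line.startswith("Currently in use:"):
            in_section = True
            continue
        # Setting lines are indented by one space; anything else ends the section.
        if not in_section or not line.startswith(" "):
            continue
        parts = line.split()
        if len(parts) >= 2:
            settings[parts[0].lower()] = parts[1]
    return settings


def audit_filevault_sleep(settings):
    """Return a list of findings; empty means the key is not kept in RAM on sleep."""
    findings = []
    mode = settings.get("hibernatemode")
    if mode != "25":
        findings.append(f"hibernatemode is {mode!r}, expected 25 (RAM state is written to disk)")
    if settings.get("destroyfvkeyonstandby") != "1":
        findings.append("destroyfvkeyonstandby is not 1 (FileVault key is retained in the saved RAM state)")
    return findings


def live_settings():
    """Read the running Mac's settings; only works where pmset exists."""
    out = subprocess.run(["pmset", "-g"], capture_output=True, text=True, check=True).stdout
    return parse_pmset(out)
```

Run audit_filevault_sleep(live_settings()) on the Mac itself; an empty list means both settings match the values the post sets.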
