Archive
Slides from the FileVault 2 Session at MacIT 2014
For those who wanted a copy of my FileVault 2 talk at MacIT 2014, here are links to the slides in PDF and Keynote format.
PDF: http://tinyurl.com/macit14fv2PDF
Keynote slides: http://tinyurl.com/macit14fv2keynote
Removing all recovery keys from a FileVault 2-encrypted Mavericks Mac
One of the functions added to the fdesetup tool on 10.9 is removerecovery. This function removes the current recovery key(s) from a FileVault 2-encrypted Mac and can be used to remove the personal and/or institutional recovery keys from a Mac.
One interesting aspect of this is that this function can be used to remove all recovery keys from a FileVault 2-encrypted Mac running Mavericks. Once the recovery keys have been removed from your Mac, only FileVault 2-enabled accounts will be able to unlock or decrypt it. For more details, see below the jump.
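As an added example (not code from the original post), here is a bash pre-flight script that checks fdesetup status and fdesetup list output before every recovery key is removed, refusing unless FileVault is on and enough enabled accounts remain to unlock the disk. It assumes the 10.9 output formats noted in its comments, assumes the haspersonalrecoverykey and hasinstitutionalrecoverykey verbs print true or false, and the two-account minimum is a policy choice of this example.

```shell
#!/bin/bash
# Pre-flight check before `fdesetup removerecovery` (added example, not from the post).
# Assumed 10.9 output formats: `fdesetup status` contains "FileVault is On." and
# `fdesetup list` prints one "username,UUID" line per FileVault 2-enabled user.

# $1: text of `fdesetup status`; succeeds only when FileVault is on.
fv_is_on() {
    case "$1" in
        *"FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: text of `fdesetup list`; prints the number of "user,UUID" lines (0 if none).
fv_enabled_user_count() {
    printf '%s\n' "$1" | grep -c '^[^,][^,]*,[0-9A-Fa-f-]\{36\}$' || true
}

# $1: status text, $2: list text, $3: minimum enabled users (default 2).
# With no recovery key left, only these accounts can ever unlock the disk, so this
# example refuses unless at least two of them exist (e.g. the user plus a management
# account); the minimum is a policy choice of this example, not an Apple requirement.
fv_preflight_remove_recovery() {
    min=${3:-2}
    if ! fv_is_on "$1"; then
        echo "refuse: FileVault is not on"
        return 1
    fi
    n=$(fv_enabled_user_count "$2")
    if [ "$n" -lt "$min" ]; then
        echo "refuse: only $n enabled user(s) listed, need at least $min"
        return 1
    fi
    echo "ok: $n enabled user(s) can still unlock the disk"
    return 0
}

# Live use on a Mavericks Mac as root: `sudo ./fv2_removerecovery_check.sh --apply`.
# Assumes the 10.9 haspersonalrecoverykey / hasinstitutionalrecoverykey verbs print true/false.
if [ "$(uname 2>/dev/null)" = "Darwin" ] && [ "${1:-}" = "--apply" ]; then
    fv_preflight_remove_recovery "$(fdesetup status)" "$(fdesetup list)" || exit 1
    if [ "$(fdesetup haspersonalrecoverykey)" = "true" ]; then
        fdesetup removerecovery -personal        # prompts for an enabled user's password
    fi
    if [ "$(fdesetup hasinstitutionalrecoverykey)" = "true" ]; then
        fdesetup removerecovery -institutional   # also prompts for an enabled user's password
    fi
fi
```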
Disabling FileVault 2 with fdesetup on Mountain Lion and Mavericks
Recently, I was asked how to disable FileVault 2 without needing to go into System Preferences. The general idea was that an organization may want to provide their users without admin rights a way to turn off FileVault 2 on an as-needed basis.
Most of the work I’ve done has been focused around turning on FileVault 2 and managing it, rather than providing a way for users to turn it off. That said, fdesetup on both Mountain Lion and Mavericks provides a way to disable FileVault 2 with proper authorization.
To disable FileVault 2 on the Mac you’re logged into, run the following command with root privileges:
fdesetup disable
You’ll be prompted for either the password of an enabled user or a personal recovery key.
Note: If a personal recovery key was not set up on a particular Mac, you’ll only be prompted for the password of an enabled user.
Once the password or personal recovery key has been entered, the Mac will begin to decrypt.
For those who want to automate this procedure, you can do this using an expect script or other means. As an example, I’ve written an expect script which automates running the fdesetup disable process described above.
#!/usr/bin/expect
# Suppress echo of the spawned command's output
log_user 0
# Password of a FileVault 2-enabled user, or the personal recovery key
set password s3kr1tp4ssw0rd_or_recovery_key
# Run fdesetup disable (requires root) and answer its single credential prompt
spawn fdesetup disable
expect ": "
send "$password\n"
# Wait for fdesetup to exit before the script ends
expect EOF
Setting Parameter Labels in Casper
I recently learned about how to use Parameter Labels as part of a JAMF training class. I had read about them in the Casper Administrator’s Guide but managed to fundamentally misunderstand what they did and how they work.
What I thought:
Adding a Parameter Label value to a script in Casper Admin meant that the associated variable value would be pre-set for the script when I added it to a policy.
I didn’t want this behavior, as I wanted to maintain flexibility when setting policies. Consequently, I didn’t set anything in the Parameter Label value for my scripts.
How they actually work:
Setting the Parameter Label value in Casper Admin means that you’re changing the label that shows up in the script parameters in a policy. For example, changing the Parameter Label value for Parameter 4 in Casper Admin to Username means that the parameter name for the script will change from Parameter 4 to Username when you add the script to a policy.
Here’s how to set Parameter Labels in Casper Admin:
1. Open Casper Admin
2. Select the script you want.
3. Click the Info button.
4. Click the Options tab.
5. Set the parameter you want to change to the desired name.
6. When you create a policy that uses that script, the parameter will have the name you set instead of the default parameter name.
FileVault 2 session at MacIT 2014
I’ll be speaking about FileVault 2 at MacIT 2014, which is being held from March 26th – 29th, 2014 in San Francisco. For those interested, my talk will be on Wednesday, March 26th.
For a description of what I’ll be talking about, please see the IT804: Managing Mavericks’ FileVault2 with fdesetup session page, which is linked on the MacIT Wednesday Full Agenda page.
Payload-Free Package Creator.app
I do a lot of work with payload-free packages and I’ve looked for a while for a tool that would let me easily create them from existing scripts. While I have a process for creating them as needed with pkgbuild, this approach still requires some setup work.
After thinking about it and taking a look at various approaches, I’ve developed Payload-Free Package Creator.app, an Automator application that will allow the selection of an existing script and create a payload-free package that runs the selected script. For more details, see below the jump.