
Detecting if a logged-in user on a FileVault-encrypted Mac has a Secure Token associated with their account

A challenge many Mac admins have been dealing with is the introduction of the Secure Token attribute, which is now required to be added to a user account before that account can be enabled for FileVault on an encrypted Apple File System (APFS) volume.

In my own shop, we wanted to be able to identify if the primary user of a Mac had a Secure Token associated with their account. The reasons we did this were:

  1. We could alert the affected help desk staff.
  2. We could work with our users to rebuild their Macs on an agreed-upon schedule where their data was preserved.
  3. We could hopefully avoid working with our users on an emergency basis where their data could be lost.

To help with this, we developed a detection script. For more details, please see below the jump.

This script checks for the following:

  1. If the Mac is running 10.13.x or later.
  2. If the boot drive is using Apple File System (APFS) for its filesystem.
  3. If FileVault is enabled or not.

If the Mac passes the following checks:

  • Running 10.13.0 or later
  • The boot drive is using APFS
  • FileVault is enabled

Then the following action takes place:

  1. The logged-in user is checked to see if it can be determined.
  2. If it can be determined and it is not the root user, the sysadminctl tool is used to check to see if the account has the Secure Token attribute associated with it.

If the logged-in user account should have a Secure Token attribute associated with it and does not, the script will report the following:

1

For any other outcome, the script will report the following:

0

The script is available below, and at the following address on GitHub:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/detect_missing_secure_token

A complementary Jamf Pro Extension Attribute is available at the following address on GitHub:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/detect_missing_secure_token


#!/bin/bash

# Script which reports if the current logged-in user has a
# Secure Token attribute associated with their account.

osvers_minor=$(/usr/bin/sw_vers -productVersion | /usr/bin/awk -F. '{print $2}')
result=0

MissingSecureTokenCheck() {

    # Get the currently logged-in user and go ahead if not root.
    current_user=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

    # This function checks if the logged-in user has Secure Token attribute associated
    # with their account. If the token_status variable returns "0", then the following
    # status is returned from the script:
    #
    # 1
    #
    # If anything else is returned, the following status is
    # returned from the script:
    #
    # 0

    if [[ -n "$current_user" && "$current_user" != "root" ]]; then

        # Get the Secure Token status.
        token_status=$(/usr/sbin/sysadminctl -adminUser "" -adminPassword "" -secureTokenStatus "$current_user" 2>&1 | /usr/bin/grep -ic enabled)

        # If there is no secure token associated with the logged-in account,
        # the token_status variable should return "0".
        if [[ "$token_status" -eq 0 ]]; then
            result=1
        fi
    fi

    # If unable to determine the logged-in user
    # or if the logged-in user is root, then the following
    # status is returned from the script:
    #
    # 0
}

# Check to see if the OS version of the Mac supports running APFS boot volumes.
if [[ ${osvers_minor} -ge 13 ]]; then

    # If the OS check passes, check to see if the boot volume has an APFS filesystem
    # with FileVault turned on.
    if [[ $(/usr/sbin/diskutil info / | /usr/bin/awk '/Type \(Bundle\)/ {print $3}') = "apfs" && $(/usr/bin/fdesetup status | /usr/bin/grep -io "is on") ]]; then

        # If the boot volume is using APFS for its filesystem and FileVault is on,
        # run the MissingSecureTokenCheck function.
        MissingSecureTokenCheck
    fi

    # If the OS, filesystem or encryption check did not pass, the script sets the following string for the "result" value:
    #
    # 0
fi

echo "$result"
exit 0
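As an added example (not the script above nor the code in the GitHub repository), the same decision logic is factored into functions that take the tools' output as arguments, so each rule can be exercised against constructed sample text without calling sw_vers, diskutil, fdesetup or sysadminctl; the version check also accepts major versions above 10, which a minor-only "-ge 13" test does not. The function names and the sample output strings are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the original script: the detection script's decision
# logic split into functions that take tool output as arguments, so each
# rule can be checked against constructed sample text without running
# sw_vers, diskutil, fdesetup or sysadminctl.

# os_supports_apfs_boot VERSION  (true for 10.13 or later; also accepts
# major versions above 10, which a minor-only test such as "-ge 13" misses)
os_supports_apfs_boot() {
  local major minor
  major=$(printf '%s' "$1" | awk -F. '{print $1+0}')
  minor=$(printf '%s' "$1" | awk -F. '{print $2+0}')
  [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 13 ]; }
}

# boot_volume_encrypted_apfs DISKUTIL_INFO_OUTPUT FDESETUP_STATUS_OUTPUT
boot_volume_encrypted_apfs() {
  local fstype
  fstype=$(printf '%s\n' "$1" | awk '/Type \(Bundle\)/ {print $3}')
  [ "$fstype" = "apfs" ] && printf '%s' "$2" | grep -iq "is on"
}

# secure_token_result USER SYSADMINCTL_OUTPUT
# Prints 1 when a known, non-root user has no Secure Token (the
# sysadminctl output lacks "ENABLED"); prints 0 in every other case.
secure_token_result() {
  if [ -n "$1" ] && [ "$1" != "root" ]; then
    if ! printf '%s' "$2" | grep -iq enabled; then
      echo 1; return
    fi
  fi
  echo 0
}

# detect_missing_token VERSION DISKUTIL_OUT FDESETUP_OUT USER SYSADMINCTL_OUT
detect_missing_token() {
  if os_supports_apfs_boot "$1" && boot_volume_encrypted_apfs "$2" "$3"; then
    secure_token_result "$4" "$5"
  else
    echo 0
  fi
}

# Constructed sample text modelled on the tools' output; not captured from a Mac.
SAMPLE_DISKUTIL='   Type (Bundle):             apfs
   Volume Name:               Macintosh HD'
SAMPLE_FDESETUP='FileVault is On.'
SAMPLE_TOKEN_ON='sysadminctl[100:200] Secure token is ENABLED for user jdoe'
SAMPLE_TOKEN_OFF='sysadminctl[100:200] Secure token is DISABLED for user jdoe'
```

Running `detect_missing_token 10.13.6 "$SAMPLE_DISKUTIL" "$SAMPLE_FDESETUP" jdoe "$SAMPLE_TOKEN_OFF"` prints 1, the same value the script reports for a non-root user without a token.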

  1. Sergei
    June 14, 2018 at 4:40 pm

    Hello Rich, thanks for the article. How do you fix affected computers? Just re-image them, or are there any easier options?
