From 14159a826b70e386922293ab7e64e3f5f0d8de17 Mon Sep 17 00:00:00 2001 From: Aron Smith-Donovan <42976961+aronsmithdonovan@users.noreply.github.com> Date: Thu, 29 Sep 2022 10:47:33 -0500 Subject: [PATCH] Update reissueKey.sh - clarified existing comments - added additional comments - formatting fixes - replaced orgName variable with new windowTitle variable --- reissueKey.sh | 363 +++++++++++++++++++++++++++----------------------- 1 file changed, 200 insertions(+), 163 deletions(-) diff --git a/reissueKey.sh b/reissueKey.sh index 4cb5b79..74fe356 100644 --- a/reissueKey.sh +++ b/reissueKey.sh @@ -28,7 +28,7 @@ # #################################################################################################### # -# Description +# DESCRIPTION # # The purpose of this script is to allow a new individual recovery key to be issued # if the current key is invalid and the management account is not enabled for FV2, @@ -44,190 +44,227 @@ # # HISTORY # -# -Created by Sam Fortuna on Sept. 5, 2014 -# -Updated by Sam Fortuna on Nov. 18, 2014 -# -Added support for 10.10 -# -Updated by Sam Fortuna on June 23, 2015 -# -Properly escapes special characters in user passwords -# -Updated by Bram Cohen on May 27, 2016 -# -Pipe FV key and password to /dev/null -# -Updated by Jordan Wisniewski on Dec 5, 2016 -# -Removed quotes for 'send {${userPass}} ' so -# passwords with spaces work. -# -Updated by Shane Brown/Kylie Bareis on Aug 29, 2017 -# - Fixed an issue with usernames that contain -# sub-string matches of each other. -# -Updated by Bram Cohen on Jan 3, 2018 -# - 10.13 adds a new prompt for username before password in changerecovery -# -Updated by Matt Boyle on July 6, 2018 -# - Error handeling, custom Window Lables, Messages and FV2 Icon -# -Updated by David Raabe on July 26, 2018 -# - Added Custom Branding to pop up windows -# -Updated by Sebastien Del Saz Alvarez on January 22, 2021 -# -Changed OS variable and relevant if statements to use OS Build rather than OS Version to avoid errors in Big Sur +# - Created by Sam Fortuna on Sept. 5, 2014 +# - Updated by Sam Fortuna on Nov. 18, 2014 +# - Added support for 10.10 +# - Updated by Sam Fortuna on June 23, 2015 +# - Properly escapes special characters in user passwords +# - Updated by Bram Cohen on May 27, 2016 +# - Pipe FV key and password to /dev/null +# - Updated by Jordan Wisniewski on Dec 5, 2016 +# - Removed quotes for 'send {${userPass}} ' so passwords with spaces work. +# - Updated by Shane Brown/Kylie Bareis on Aug 29, 2017 +# - Fixed an issue with usernames that contain sub-string matches of each other. +# - Updated by Bram Cohen on Jan 3, 2018 +# - 10.13 adds a new prompt for username before password in changerecovery +# - Updated by Matt Boyle on July 6, 2018 +# - Error handling, custom Window labels, Messages and FV2 Icon +# - Updated by David Raabe on July 26, 2018 +# - Added Custom Branding to pop up windows +# - Updated by Sebastien Del Saz Alvarez on January 22, 2021 +# - Changed OS variable and relevant if statements to use OS Build rather than OS Version to avoid errors in Big Sur +# - Updated by Aron Smith-Donovan on September 28th, 2022 +# - Added comments + formatting fixes +# - Replaced orgName variable with new windowTitle variable +#################################################################################################### +# +# PARAMETERS +# - parameter descriptions indicated when adding script to Jamf +# - parameter values indicated when deploying script via policy +# - parameters 1, 2, and 3 are reserved for mount point, computer name, and username (respectively) +# +# Parameter 4 = Custom organization name (displays in pop-up window) +# default: blank +# Parameter 5 = # of failed attempts until stop +# default: 2 +# Parameter 6 = Custom text for organizational contact information +# default: "Please contact IT for further assistance." +# Parameter 7 = Custom brand icon +# default: Self Service icon +# if not available, then Jamf icon +# if not available, then FileVault icon #################################################################################################### -# -# Parameter 4 = Set organization name in pop up window -# Parameter 5 = Failed Attempts until Stop -# Parameter 6 = Custom text for contact information. -# Parameter 7 = Custom Branding - Defaults to Self Service Icon -#Customizing Window +# SET GRAPHICS PATHS selfServiceBrandIcon="/Users/$3/Library/Application Support/com.jamfsoftware.selfservice.mac/Documents/Images/brandingimage.png" jamfBrandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns" fileVaultIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns" -if [ ! -z "$4" ] -then -orgName="$4 -" -fi -if [ ! -z "$6" ] -then -haltMsg="$6" -else -haltMsg="Please Contact IT for Further assistance." -fi +# VALIDATE PARAMETER INPUT & INITIALIZE VARIABLES +## parameter 4 (organization name) + if [ ! -z "$4" ]; then + windowTitle="$4 - FileVault Key Reset" + else + windowTitle="FileVault Key Reset" + fi -if [[ ! -z "$7" ]]; then -brandIcon="$7" -elif [[ -f $selfServiceBrandIcon ]]; then - brandIcon=$selfServiceBrandIcon -elif [[ -f $jamfBrandIcon ]]; then - brandIcon=$jamfBrandIcon -else -brandIcon=$fileVaultIcon -fi +## parameter 5 (failed attempts before stop) + try=0 + if [ ! -z "$5" ]; then + maxTry=$5 + else + maxTry=2 + fi +## parameter 6 (contact information) + if [ ! -z "$6" ]; then + haltMsg="$6" + else + haltMsg="Please contact IT for further assistance." + fi -## Get the logged in user's name -userName=$(/usr/bin/stat -f%Su /dev/console) +## parameter 7 (brand icon) + if [[ ! -z "$7" ]]; then + brandIcon="$7" + elif [[ -f $selfServiceBrandIcon ]]; then + brandIcon=$selfServiceBrandIcon + elif [[ -f $jamfBrandIcon ]]; then + brandIcon=$jamfBrandIcon + else + brandIcon=$fileVaultIcon + fi -## Grab the UUID of the User -userNameUUID=$(dscl . -read /Users/$userName/ GeneratedUID | awk '{print $2}') -## Get the OS build -BUILD=`/usr/bin/sw_vers -buildVersion | awk {'print substr ($0,0,2)'}` +# RECONAISSANCE +## get the current user's username + userName=$(/usr/bin/stat -f%Su /dev/console) -## This first user check sees if the logged in account is already authorized with FileVault 2 -userCheck=`fdesetup list | awk -v usrN="$userNameUUID" -F, 'match($0, usrN) {print $1}'` -if [ "${userCheck}" != "${userName}" ]; then -echo "This user is not a FileVault 2 enabled user." -exit 3 -fi +## get the UUID of the current user + userNameUUID=$(dscl . -read /Users/$userName/ GeneratedUID | awk '{print $2}') -## Counter for Attempts -try=0 -if [ ! -z "$5" ] -then -maxTry=$5 -else -maxTry=2 -fi +## get the OS build + BUILD=`/usr/bin/sw_vers -buildVersion | awk {'print substr ($0,0,2)'}` -## Check to see if the encryption process is complete -encryptCheck=`fdesetup status` -statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.") -expectedStatus="FileVault is On." -if [ "${statusCheck}" != "${expectedStatus}" ]; then -echo "The encryption process has not completed." -echo "${encryptCheck}" -exit 4 -fi -passwordPrompt () { -## Get the logged in user's password via a prompt -echo "Prompting ${userName} for their login password." -userPass=$(/usr/bin/osascript -e " -on run -display dialog \"To generate a new FileVault key\" & return & \"Enter login password for '$userName'\" default answer \"\" with title \"$orgName FileVault Key Reset\" buttons {\"Cancel\", \"Ok\"} default button 2 with icon POSIX file \"$brandIcon\" with text and hidden answer -set userPass to text returned of the result -return userPass -end run") -if [ "$?" == "1" ] -then -echo "User Canceled" -exit 0 -fi -try=$((try+1)) -if [[ $BUILD -ge 13 ]] && [[ $BUILD -lt 17 ]]; then -## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output -result=$(expect -c " -log_user 0 -spawn fdesetup changerecovery -personal -expect \"Enter a password for '/', or the recovery key:\" -send {${userPass}} -send \r -log_user 1 -expect eof -" >> /dev/null) -elif [[ $BUILD -ge 17 ]]; then -result=$(expect -c " -log_user 0 -spawn fdesetup changerecovery -personal -expect \"Enter the user name:\" -send {${userName}} -send \r -expect \"Enter a password for '/', or the recovery key:\" -send {${userPass}} -send \r -log_user 1 -expect eof -") -else -echo "OS version not 10.9+ or OS version unrecognized" -echo "$(/usr/bin/sw_vers -productVersion)" -exit 5 -fi -} - -successAlert () { -/usr/bin/osascript -e " -on run -display dialog \"\" & return & \"Your FileVault Key was successfully Changed\" with title \"$orgName FileVault Key Reset\" buttons {\"Close\"} default button 1 with icon POSIX file \"$brandIcon\" -end run" -} - -errorAlert () { - /usr/bin/osascript -e " -on run -display dialog \"FileVault Key not Changed\" & return & \"$result\" buttons {\"Cancel\", \"Try Again\"} default button 2 with title \"$orgName FileVault Key Reset\" with icon POSIX file \"$brandIcon\" -end run" - if [ "$?" == "1" ] - then -echo "User Canceled" -exit 0 -else -try=$(($try+1)) -fi -} +# INITIAL VALIDATION +## check if current user is authorized with FileVault 2 + userCheck=`fdesetup list | awk -v usrN="$userNameUUID" -F, 'match($0, usrN) {print $1}'` + if [ "${userCheck}" != "${userName}" ]; then + echo "This user is not a FileVault 2 enabled user." + exit 3 + fi + +## check if encryption is complete + encryptCheck=`fdesetup status` + statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.") + expectedStatus="FileVault is On." + if [ "${statusCheck}" != "${expectedStatus}" ]; then + echo "The encryption process has not completed." + echo "${encryptCheck}" + exit 4 + fi + + +# FUNCTIONS +## passwordPrompt +### get the current user's password via prompt in a pop-up window + passwordPrompt () { + # log fxn execution + echo "Prompting ${userName} for their login password." + + # generate pop-up window + userPass=$(/usr/bin/osascript -e " + on run + display dialog \"To generate a new FileVault key\" & return & \"Enter login password for '$userName'\" default answer \"\" with title \"$windowTitle\" buttons {\"Cancel\", \"Ok\"} default button 2 with icon POSIX file \"$brandIcon\" with text and hidden answer + set userPass to text returned of the result + return userPass + end run") + + # exit if user selected "Cancel" in pop-up window + if [ "$?" == "1" ]; then + echo "User Canceled" + exit 0 + fi + + # increment attempt counter + try=$((try+1)) + + # re-issue personal recovery key + ## the "expect" blocks populate answers for the fdesetup prompts while hiding them from output + if [[ $BUILD -ge 13 ]] && [[ $BUILD -lt 17 ]]; then + result=$(expect -c " + log_user 0 + spawn fdesetup changerecovery -personal + expect \"Enter a password for '/', or the recovery key:\" + send {${userPass}} + send \r + log_user 1 + expect eof + " >> /dev/null) + elif [[ $BUILD -ge 17 ]]; then + result=$(expect -c " + log_user 0 + spawn fdesetup changerecovery -personal + expect \"Enter the user name:\" + send {${userName}} + send \r + expect \"Enter a password for '/', or the recovery key:\" + send {${userPass}} + send \r + log_user 1 + expect eof + ") + else + echo "OS version not 10.9+ or OS version unrecognized" + echo "$(/usr/bin/sw_vers -productVersion)" + exit 5 + fi + } + +## successAlert +### display success message in a pop-up window + successAlert () { + /usr/bin/osascript -e " + on run + display dialog \"\" & return & \"Your FileVault key was successfully changed\" with title \"$windowTitle\" buttons {\"Close\"} default button 1 with icon POSIX file \"$brandIcon\" + end run" + } + +## errorAlert +### display error message in a pop-up window + errorAlert () { + /usr/bin/osascript -e " + on run + display dialog \"FileVault key not changed\" & return & \"$result\" buttons {\"Cancel\", \"Try Again\"} default button 2 with title \"$windowTitle\" with icon POSIX file \"$brandIcon\" + end run" + + # exit if user selected "Cancel" in pop-up window, else increment attempt counter + if [ "$?" == "1" ]; then + echo "User Canceled" + exit 0 + else + try=$(($try+1)) + fi + } -haltAlert () { -/usr/bin/osascript -e " -on run -display dialog \"FileVault Key not changed\" & return & \"$haltMsg\" buttons {\"Close\"} default button 1 with title \"$orgName FileVault Key Reset\" with icon POSIX file \"$brandIcon\" -end run -" -} +## haltAlert +### display halt message in a pop-up window + haltAlert () { + /usr/bin/osascript -e " + on run + display dialog \"FileVault key not changed\" & return & \"$haltMsg\" buttons {\"Close\"} default button 1 with title \"$windowTitle\" with icon POSIX file \"$brandIcon\" + end run + " + } +# MAIN while true do -passwordPrompt -if [[ $result = *"Error"* ]] -then -echo "Error Changing Key" -if [ $try -ge $maxTry ] -then -haltAlert -echo "Quitting.. Too Many failures" -exit 0 + passwordPrompt +if [[ $result = *"Error"* ]]; then + echo "Error changing key" +if [ $try -ge $maxTry ]; then + haltAlert + echo "Quitting.. too many failed attempts" + exit 0 else -echo $result -errorAlert + echo $result + errorAlert fi else -echo "Successfully Changed FV2 Key" -successAlert -exit 0 + echo "Successfully changed FV2 key" + successAlert + exit 0 fi done