Does this still work in 10.13.3?
kyleericson opened this issue · 1 comments
Do you have a guide on how to add this to JAMF?
(for reference, I think you're talking about https://github.com/UoE-macOS/jss/blob/master/coreconfig-filevault-add-mgmt-acct.sh)
Hi - I don't think it works in 10.13.3. On my list to look at soon!
To add it to the JSS, we have it scoped to a smart group which identifies machines which:
- Have FileVault enabled
- Do not have a valid recovery key
- The management account is not a FileVault-enabled user
It's then set to run at login (and, I think, a regular interval) for these machines. Because the script needs to know the management account password (and ours is normally randomised), we have a policy scoped to the same smart group which changes the management password to something we know. The script is then set up with 2 arguments in the JSS, which are passed in as the management user and password.
As soon as the script runs successfully, the machine will fall out of the above smart group, and the management account password will be randomised again. It's a bit of a kludge, but it's a necessary evil.
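
The third smart-group criterion above can be reported from the client in the form of a Jamf extension attribute. This is an added example, not part of the reply or of the linked repository; it assumes the usual `fdesetup status` and `fdesetup list` output formats, and the account name `jamfmgmt` and the `MGMT_ACCOUNT` variable are hypothetical. The recovery-key criterion is left to the JSS inventory.

```shell
#!/bin/sh
# Added example (not from the linked repo): classify a Mac against the
# "management account is not a FileVault-enabled user" criterion.

# mgmt_fv_state STATUS_TEXT LIST_TEXT ACCOUNT
#   STATUS_TEXT: output of `fdesetup status`
#   LIST_TEXT:   output of `fdesetup list` (one "shortname,UUID" per line)
#   Prints FileVaultOff, Enabled or NotEnabled.
mgmt_fv_state() {
    status_text=$1
    list_text=$2
    account=$3

    case $status_text in
        *"FileVault is On"*) ;;
        *) echo "FileVaultOff"; return 0 ;;
    esac

    # Exact match on the short-name field, so "admin" does not match
    # "jamfadmin" the way a plain grep would.
    if printf '%s\n' "$list_text" |
        awk -F, -v u="$account" '$1 == u { found = 1 } END { exit !found }'
    then
        echo "Enabled"
    else
        echo "NotEnabled"
    fi
}

# Hypothetical management account name; override via the environment.
MGMT_ACCOUNT="${MGMT_ACCOUNT:-jamfmgmt}"

# Only query the machine where fdesetup exists (macOS, run as root).
if command -v fdesetup >/dev/null 2>&1; then
    state=$(mgmt_fv_state "$(fdesetup status)" \
                          "$(fdesetup list 2>/dev/null)" \
                          "$MGMT_ACCOUNT")
    echo "<result>$state</result>"
fi
```

A smart group built on this attribute would scope machines reporting `NotEnabled`, so a machine leaves scope once the account has been added.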