Feature Request
kylejericson opened this issue · 12 comments
Can you add this to your script? I find that sometimes when using Jamf Connect the username doesn't get pulled due to an alias. This code fixes that.

```bash
# Get the logged in user's name
FAKE_USER=$(/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/&&!/loginwindow/{print $3}')
# Resolve the alias to the account's record name (quoted to avoid word splitting)
CURRENT_USER=$(id -un "$FAKE_USER")
```
Could you go into more detail on the alias thing? Although this seems harmless, I'd like to be able to recreate the issue to be solved (but I don't have Jamf Connect).
@homebysix It seems with Jamf Connect when you do a migrate account it just adds an alias to the account name, so when this script runs it pulls that alias instead of the actual username, and then the redirect fails.
Could you send the output of `/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/&&!/loginwindow/{print $3}'` on an affected Mac?
Will do.
Don't mean to hijack this issue, but I have also come across this:
- User who had a MacBook prior to rolling out Jamf
- User created their username as 'jenniferzhang'
- Jamf was rolled out to Mac users. Opted for self enrollment via web portal. Jamf binaries and jamf connect installed
- Upon next sign in, Jamf Connect migrates the local account because the current format (jenniferzhang) does not match what our IdP expects to see 'jzhang'. This process simply adds the 'jzhang' as an alias to the account
- User attempts to reissue filevault key, resulting in error.
I have included the output of the command you provided, and the error message I received when the user attempted to run the policy from Self Service.
```
An error occurred while running the policy "Reissue FileVault Key" on the computer "jzhang-FVFYG05VHV2G".
Actions from policy log:
[STEP 1 of 5]
Executing Policy Reissue FileVault Key
[STEP 2 of 5]
Running script Reissue Filevault Recovery Key...
Script exit code: 1
Script result: [WARNING] This script has not been tested on this version of macOS. Use at your own risk.
No logo provided, or no logo exists at specified path. Using FileVault icon.
[ERROR]: jzhang is not on the list of FileVault enabled users: tamuser,034387E9-F150-41C7-AAB0-5FFC081B25F0
jenniferzhang,8BBB65A9-590B-4CB2-9B0E-886327306AA6
Error running script: return code was 1.
[STEP 3 of 5]
[STEP 4 of 5]
Inventory will be updated when all queued actions in Self Service are complete.
[STEP 5 of 5]
The complete policy log is available in the JSS at:
link to policy log
Computer Info:
ID:
IP Address:
Serial Number:
```
Hi, is there any update to this? My user is still unable to run our FileVault reissue policy. Hoping you have time to review my previous comment.
@regorian - I think your issue falls outside the scope of this script. The current user must be on the list of users you see when you run `sudo fdesetup list` in order for the subsequent `sudo fdesetup changerecovery -personal` command to succeed. I might suggest that you contact Jamf to see whether Jamf Connect might be altering the user's shortname in a way that is incompatible with existing FileVault authorization.
@regorian Easy fix: find the current user line in the script and add this.

```bash
FAKE_USER=$(/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/&&!/loginwindow/{print $3}')
# Resolve the alias to the account's record name (quoted to avoid word splitting)
CURRENT_USER=$(id -un "$FAKE_USER")
```
I think I’ll release this script in a Jamf Connect mode so others don’t have this issue.
Here is a forked, fixed script, @regorian:
https://github.com/kylejericson/jss-filevault-reissue/blob/jamfconnect/reissue_filevault_recovery_key.sh
@regorian - Could you try Kyle's modified script above? If it works for you, I can merge the changes into the main script.
@homebysix We recently used the script with Kyle's modification in a setting with some 100 Monterey clients, and it worked like a charm. So thumbs up for the modification, and for Monterey compatibility.
A little context: You wrote above that you weren't sure this issue was within the scope of this script. I get where you're coming from — I couldn't quite believe it when I was first made aware of this.
When Jamf Connect is rolled out on Macs with existing accounts, those accounts don't have their account names changed. Instead, Jamf Connect adds an alias. In effect, those accounts then have two different names. Depending on which method you use to query the account name, you get one or the other. And depending on where you intend to use that account name, you may get the wrong one. That is exactly the issue here: Your original script asked which user is currently logged in. With Jamf Connect handling the logins, that gives you the alias. But since the FileVault encryption was enabled before that alias was added, that's not in the list of FileVault enabled users. You need the name that account has in the local database. This is what Kyle's modification does.
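The failure mode described above, as an added stand-alone example (not code from the script or from any commenter): the console-user query yields the alias, the FileVault list carries the record name, and only after resolving the alias does the membership check pass. The `scutil` and `fdesetup list` outputs are constructed samples, and `resolve_record_name` is a constructed lookup standing in for `id -un`, which on a real Mac does the alias-to-record-name mapping.

```shell
#!/bin/sh
# Constructed, simplified sample of `scutil` output for
# "show State:/Users/ConsoleUser" on a Jamf Connect migrated Mac:
# the Name key carries the alias, not the record name.
SAMPLE_SCUTIL='<dictionary> {
  GID : 20
  Name : jzhang
  SessionInfo : <array> {
    0 : <dictionary> {
      kCGSSessionUserNameKey : jzhang
    }
  }
  UID : 501
}'

# Constructed sample of `sudo fdesetup list` output (record name,GUID per line).
SAMPLE_FDESETUP_LIST='tamuser,034387E9-F150-41C7-AAB0-5FFC081B25F0
jenniferzhang,8BBB65A9-590B-4CB2-9B0E-886327306AA6'

# Extract the console user from scutil output, skipping the loginwindow
# placeholder, with the same awk expression the script uses.
console_user_from_scutil() {
    printf '%s\n' "$1" | awk '/Name :/&&!/loginwindow/{print $3}'
}

# Stand-in for `id -un "$alias"`: a constructed alias table so the example
# runs offline. On a real Mac, id -un returns the account's record name.
resolve_record_name() {
    case "$1" in
        jzhang) echo jenniferzhang ;;
        *) echo "$1" ;;
    esac
}

# Return 0 if $1 is a record name in the fdesetup list output passed as $2.
fv_enabled() {
    printf '%s\n' "$2" | awk -F, -v u="$1" '$1==u{found=1} END{exit !found}'
}

# Demo: the alias fails the check, the resolved record name passes.
alias_name=$(console_user_from_scutil "$SAMPLE_SCUTIL")
fv_enabled "$alias_name" "$SAMPLE_FDESETUP_LIST" \
    && echo "$alias_name is FileVault enabled" \
    || echo "$alias_name is not on the FileVault list"
record_name=$(resolve_record_name "$alias_name")
fv_enabled "$record_name" "$SAMPLE_FDESETUP_LIST" \
    && echo "$record_name is FileVault enabled"
```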