A challenge many Mac admins have been dealing with is the introduction of the Secure Token attribute, which is now required to be added to a user account before that account can be enabled for FileVault on an encrypted Apple File System (APFS) volume.
In my own shop, we wanted to be able to identify if the primary user of a Mac had a Secure Token associated with their account. The reason we did this was:
- We could alert the affected help desk staff.
- We could work with our users to rebuild their Macs on an agreed-upon schedule where their data was preserved.
- We could hopefully avoid working with our users on an emergency basis where their data could be lost.
To help with this, we developed a detection script. For more details, please see below the jump.
This script checks for the following:
- If the Mac is running 10.13.x or later.
- If the boot drive is using Apple File System (APFS) for its filesystem.
- If FileVault is enabled or not.
If the Mac passes the following checks:
- Running 10.13.0 or later
- The boot drive is using APFS
- FileVault is enabled
Then the following action takes place:
- The logged-in user is checked to see if it can be determined.
- If it can be determined and it is not the root user, the sysadminctl tool is used to check to see if the account has the Secure Token attribute associated with it.
If the logged-in user account should have a Secure Token attribute associated with it and does not, the script will report the following:
1
Any other outcome, the script will report the following:
0
The script is available below, and at the following address on GitHub:
A complementary Jamf Pro Extension Attribute is available at the following address on GitHub: