
mattiasvdm
macrumors newbie, original poster
Aug 29, 2012
The Netherlands
Your opinion please:

At my company all the Macs have FileVault 2. Because of this we run into some issues, especially with remote troubleshooting. When a user is unable to log in (for whatever reason) it's impossible to remote control the Mac in any way (ARD, VNC, SSH). Also, if you want to add a user you run into the same problem.

I made a login script (loginhook) that solves this issue. I have tested it and it works, but just to be sure I would like your opinion about this solution.

This is how it works:

1. Create a local account and give it a random name. In this example I call it "MyCompanyName". Give this local account a random password.

2. Create a login script that does the following:

- clear loginwindow text:
Code:
defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText ""
- read out all FileVault users and set it to a variable:
Code:
FilevaultList=$(fdesetup list)
- check if the user that tries to login is "MyCompanyName". If so then DIRECTLY log out:
Code:
if [ "$1" = "MyCompanyName" ]; then
    killall loginwindow
- check if the user that tries to login is root. If so then continue logging in:
Code:
elif [[ "$1" == [Rr][Oo][Oo][Tt] ]]; then
    :
- check if the user that tries to login is "admin". If so then continue logging in:
Code:
elif [[ "$1" == [Aa][Dd][Mm][Ii][Nn] ]]; then
    :
- check if the user that tries to login is a FileVault member. If so then continue logging in:
Code:
elif printf '%s\n' "$FilevaultList" | cut -d, -f1 | grep -Fixq -- "$1"; then
    :
- if none of the above checks is true then set the loginwindow text to "This account is not added to FileVault. Please call support at: 5555", then directly log out:
Code:
else
    defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "The account $1 is not added to FileVault. \n Please call support at: 5555"
    killall loginwindow
fi

With this script it's possible to troubleshoot a user who can't log in. Just ask the user to click on the account "MyCompanyName" and let them type in the password. The Mac tries to log in and then directly logs out. The user doesn't even see the Desktop of "MyCompanyName"; it goes directly to the regular login window. Now it's possible for the Admin to take over and do whatever they need. If for some reason a "new" user tries to log in, his account will be created, but he will be redirected to the loginwindow. Here he/she will see the message that the account needs to be added to FileVault. This way the Admins keep control of who logs in on any given machine.

For extra security it is possible to give the account "MyCompanyName" a unique password like the MAC address or something. Also, for security reasons, you can restrict this account with parental controls.

What's your opinion on this method? Maybe I'm missing some important details or creating security holes. In my opinion it's pretty secure and it will save a lot of time and annoyance for both the users and the admins. Also, I'm not a pro in scripting (still learning), so there are probably some imperfections in the script.

Thanks!

Here is the full script:

Code:
#!/bin/bash
# Login hook: loginwindow runs this as root and passes the short username in $1.

# Clear any message left on the login window by a previous run.
defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText ""

# One "username,UUID" line per FileVault-enabled account.
FilevaultList=$(fdesetup list)

if [ "$1" = "MyCompanyName" ]; then
    # Troubleshooting account: bounce straight back to the login window.
    killall loginwindow
elif [[ "$1" == [Rr][Oo][Oo][Tt] ]]; then
    :   # root may log in
elif [[ "$1" == [Aa][Dd][Mm][Ii][Nn] ]]; then
    :   # admin may log in
elif printf '%s\n' "$FilevaultList" | cut -d, -f1 | grep -Fixq -- "$1"; then
    :   # username is a FileVault member (whole-field match, not a substring)
else
    defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "The account $1 is not added to FileVault. \n Please call support at: 5555"
    killall loginwindow
fi
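An added example, not the poster's hook: the allow/deny decision pulled out into a function so it can be exercised against a constructed `fdesetup list` listing on a test machine without touching loginwindow. `decide_login`, `fv_member_substring` and `fv_member_exact` are assumed names, and the listing and its UUIDs are constructed; it also shows why the posted substring match needs tightening to a whole-field match.

```shell
#!/bin/bash
# Added example, not the poster's login hook: the allow/deny decision as a
# function, run against a constructed `fdesetup list` listing.
# Assumed: the hook gets the short username in $1 and `fdesetup list` prints
# one "username,UUID" line per FileVault-enabled account.

# Constructed sample listing in the shape `fdesetup list` prints (fake UUIDs).
SAMPLE_FDE_LIST='admin,0F1E2D3C-0000-4000-8000-000000000001
jdoe,0F1E2D3C-0000-4000-8000-000000000002
administrator,0F1E2D3C-0000-4000-8000-000000000003'

# Rule as posted: case-insensitive fixed-string search over the whole listing,
# so any substring of a listed line (even part of a UUID) counts as a member.
fv_member_substring() {
  printf '%s\n' "$2" | grep -Fiq -- "$1"
}

# Stricter rule: compare the username field only, as a whole line.
fv_member_exact() {
  printf '%s\n' "$2" | cut -d, -f1 | grep -Fixq -- "$1"
}

# decide_login USERNAME LISTING -> prints "logout" or "continue"
decide_login() {
  user="$1"; listing="$2"
  # An empty pattern makes grep match every line, so refuse empty names.
  [ -n "$user" ] || { echo logout; return 0; }
  lower=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
  case "$lower" in
    mycompanyname) echo logout ;;    # troubleshooting account: straight back to loginwindow
    root|admin)    echo continue ;;  # always allowed, as in the posted script
    *) if fv_member_exact "$user" "$listing"; then
         echo continue
       else
         echo logout                 # not a FileVault member
       fi ;;
  esac
}
```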