Check FileVault2 Status for Mac OS X 10.7/10.8 without PGP installed.

This task uses a script found on the Internet to check the status of FileVault2 encryption on Mac laptops.

The results of the check are stored in a client setting "_FileVault2". The original script was derived from the FileVault 2 encryption status check script from http://derflounder.wordpress.com/2011/10/13/filevault-2-encryption-status-check-script/

Because of the potential impact to performance, I only execute this Task once every 6 hours. This was deemed frequent enough to appropriately record the encryption status, but not so frequent that it adversely impacted overall performance of the targeted computers or their Agents.


ID: 2569
Status: QA - Ready for Production Level Testing
Title: Check FileVault2 Status for Mac OS X 10.7/10.8 without PGP installed.
Category: ENCRYPTION STATUS
Source: Internal
Source Release Date: 8/7/2013 12:00:00 AM
Keywords: FileVault FileVault2 Macintosh Encryption
Added by on 8/19/2013 11:08:07 AM
Last Modified by on 8/19/2013 11:17:29 AM
Counters: 8075 Views / 49 Downloads

Used in 1 fixlet   * Results in a true/false
(operating system as string starts with "Mac OS X 10.7.") or (operating system as string starts with "Mac OS X 10.8.")
Used in 1 fixlet   * Results in a true/false
not exists application whose (name of it as lowercase = "pgp.app")
Used in 1 fixlet   * Results in a true/false
if ((exists key whose (it as string as lowercase contains "battery") of entries of dictionaries of nodes of it) or (exists node "AppleACPIPlatformExpert/SMB0/AppleECSMBusController/AppleSmartBatteryManager" of service plane of iokit registry) of it) of service plane of iokit registry then TRUE else FALSE

Action 1 (default)

Script Type: BigFix Action Script
delete __createfile
createfile until ##END##
#!/bin/sh

CORESTORAGESTATUS="/private/tmp/corestorage.txt"
ENCRYPTSTATUS="/private/tmp/encrypt_status.txt"
ENCRYPTDIRECTION="/private/tmp/encrypt_direction.txt"

# Get number of CoreStorage devices. The egrep pattern used later in the script
# uses this information to only report on the first encrypted drive, which should
# be the boot drive.
#
# Credit to Mike Osterman for identifying this problem in the original version of
# the script and finding a fix for it.
#

DEVICE_COUNT=`diskutil cs list | grep -E "^CoreStorage logical volume groups" | awk '{{print $5}' | sed -e's/(//'`

EGREP_STRING=""
if [ "$DEVICE_COUNT" != "1" ]; then
    EGREP_STRING="^\| *"
fi

osversionlong=`sw_vers -productVersion`
osvers=${{osversionlong:3:1}
CONTEXT=`diskutil cs list | grep -E "$EGREP_STRING\Encryption Context" | sed -e's/\|//' | awk '{{print $3}'`
ENCRYPTIONEXTENTS=`diskutil cs list | grep -E "$EGREP_STRING\Has Encrypted Extents" | sed -e's/\|//' | awk '{{print $4}'`
ENCRYPTION=`diskutil cs list | grep -E "$EGREP_STRING\Encryption Type" | sed -e's/\|//' | awk '{{print $3}'`
CONVERTED=`diskutil cs list | grep -E "$EGREP_STRING\Size \(Converted\)" | sed -e's/\|//' | awk '{{print $5, $6}'`
SIZE=`diskutil cs list | grep -E "$EGREP_STRING\Size \(Total\)" | sed -e's/\|//' | awk '{{print $5, $6}'`

# Checks to see if the OS on the Mac is 10.7 or 10.8.
# If it is not, the following message is displayed without quotes:
# "FileVault 2 Encryption Not Available For This Version Of Mac OS X"

if [[ ${{osvers} -lt 7 ]]; then
    echo "FileVault 2 Encryption Not Available For This Version Of Mac OS X" > /private/tmp/filevault2-status.txt
fi

if [[ ${{osvers} -ge 7 ]]; then
    diskutil cs list >> $CORESTORAGESTATUS

    # If the Mac is running 10.7 or 10.8, but does not have
    # any CoreStorage volumes, the following message is
    # displayed without quotes:
    # "FileVault 2 Encryption Not Enabled"

    if grep -iE 'No CoreStorage' $CORESTORAGESTATUS 1>/dev/null; then
        echo "FileVault 2 Encryption Not Enabled" > /private/tmp/filevault2-status.txt
    fi

    # If the Mac is running 10.7 or 10.8 and has CoreStorage volumes,
    # the script then checks to see if the machine is encrypted,
    # encrypting, or decrypting.
    #
    # If encrypted, the following message is
    # displayed without quotes:
    # "FileVault 2 Encryption Complete"
    #
    # If encrypting, the following message is
    # displayed without quotes:
    # "FileVault 2 Encryption Proceeding."
    # How much has been encrypted of the total
    # amount of space is also displayed. If the
    # amount of encryption is for some reason not
    # known, the following message is
    # displayed without quotes:
    # "FileVault 2 Encryption Status Unknown. Please check."
    #
    # If decrypting, the following message is
    # displayed without quotes:
    # "FileVault 2 Decryption Proceeding"
    # How much has been decrypted of the total
    # amount of space is also displayed
    #
    # If fully decrypted, the following message is
    # displayed without quotes:
    # "FileVault 2 Decryption Completed"
    #

    if grep -iE 'Logical Volume Family' $CORESTORAGESTATUS 1>/dev/null; then

        # This section does 10.7-specific checking of the Mac's
        # FileVault 2 status

        if [ "$CONTEXT" = "Present" ]; then
            if [ "$ENCRYPTION" = "AES-XTS" ]; then
                diskutil cs list | grep -E "$EGREP_STRING\Conversion Status" | sed -e's/\|//' | awk '{{print $3}' >> $ENCRYPTSTATUS
                if grep -iE 'Complete' $ENCRYPTSTATUS 1>/dev/null; then
                    echo "FileVault 2 Encryption Complete" > /private/tmp/filevault2-status.txt
                else
                    if grep -iE 'Converting' $ENCRYPTSTATUS 1>/dev/null; then
                        diskutil cs list | grep -E "$EGREP_STRING\Conversion Direction" | sed -e's/\|//' | awk '{{print $3}' >> $ENCRYPTDIRECTION
                        if grep -iE 'Forward' $ENCRYPTDIRECTION 1>/dev/null; then
                            echo "FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted" > /private/tmp/filevault2-status.txt
                        else
                            echo "FileVault 2 Encryption Status Unknown. Please check." > /private/tmp/filevault2-status.txt
                        fi
                    fi
                fi
            else
                if [ "$ENCRYPTION" = "None" ]; then
                    diskutil cs list | grep -E "$EGREP_STRING\Conversion Direction" | sed -e's/\|//' | awk '{{print $3}' >> $ENCRYPTDIRECTION
                    if grep -iE 'Backward' $ENCRYPTDIRECTION 1>/dev/null; then
                        echo "FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted" > /private/tmp/filevault2-status.txt
                    # -e keeps grep from parsing '-none-' as a run of options
                    elif grep -iE -e '-none-' $ENCRYPTDIRECTION 1>/dev/null; then
                        echo "FileVault 2 Decryption Completed" > /private/tmp/filevault2-status.txt
                    fi
                fi
            fi
        fi
    fi
fi

# This section does 10.8-specific checking of the Mac's
# FileVault 2 status

if [ "$ENCRYPTIONEXTENTS" = "Yes" ]; then
    diskutil cs list | grep -E "$EGREP_STRING\Fully Secure" | sed -e's/\|//' | awk '{{print $3}' >> $ENCRYPTSTATUS
    if grep -iE 'Yes' $ENCRYPTSTATUS 1>/dev/null; then
        echo "FileVault 2 Encryption Complete" > /private/tmp/filevault2-status.txt
    else
        if grep -iE 'No' $ENCRYPTSTATUS 1>/dev/null; then
            diskutil cs list | grep -E "$EGREP_STRING\Conversion Direction" | sed -e's/\|//' | awk '{{print $3}' >> $ENCRYPTDIRECTION
            if grep -iE 'forward' $ENCRYPTDIRECTION 1>/dev/null; then
                echo "FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted" > /private/tmp/filevault2-status.txt
            else
                if grep -iE 'backward' $ENCRYPTDIRECTION 1>/dev/null; then
                    echo "FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted" > /private/tmp/filevault2-status.txt
                # -e keeps grep from parsing '-none-' as a run of options
                elif grep -iE -e '-none-' $ENCRYPTDIRECTION 1>/dev/null; then
                    echo "FileVault 2 Decryption Completed" > /private/tmp/filevault2-status.txt
                fi
            fi
        fi
    fi
fi
if [ "$ENCRYPTIONEXTENTS" = "No" ]; then
    echo "FileVault 2 Encryption Not Enabled" > /private/tmp/filevault2-status.txt
fi

# Remove the temp files created during the script

if [ -f /private/tmp/corestorage.txt ]; then
    rm /private/tmp/corestorage.txt
fi

if [ -f /private/tmp/encrypt_status.txt ]; then
    rm /private/tmp/encrypt_status.txt
fi

if [ -f /private/tmp/encrypt_direction.txt ]; then
    rm /private/tmp/encrypt_direction.txt
fi
##END##

delete filevault2.sh
move __createfile filevault2.sh
// if {not exists folder "/TEM-Data"}
// folder create "/TEM-Data"
// endif
// wait /bin/sh -C filevault2.sh > "{parent folder of data folder of client}/filevault2-status.txt"
// wait /bin/sh -C filevault2.sh >> /private/tmp/filevault2-status.txt
wait /bin/sh filevault2.sh
if {exists file "filevault2-status.txt" of folder "/private/tmp"}
setting "_FileVault2"="{lines of file "filevault2-status.txt" of folder "/private/tmp"}" on "{now}" for client
else
setting "_FileVault2"="FAILED" on "{now}" for client
endif
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
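
An added example, not part of the original task or of the script it derives from: the 10.8-style classification done in a single pass over `diskutil cs list` text read from stdin, so no scratch files with predictable names are staged under the world-writable /private/tmp. The function name fv2_status and both sample inputs are constructed for illustration, and the progress sizes the task reports are left out.

```shell
#!/bin/sh
# Added example, not the task's own script. Classifies FileVault 2 state from
# `diskutil cs list` text on stdin, using the 10.8 fields the task greps for.
# Everything stays in a pipe, so nothing is staged under /private/tmp.
# fv2_status is a hypothetical name; progress sizes are omitted for brevity.

fv2_status() {
    awk '
        { sub(/^[ |+<>-]*/, "") }    # drop the tree-drawing prefix
        /^No CoreStorage/ { none = 1 }
        # Keep the first match only: the first group should be the boot drive.
        /^Has Encrypted Extents:/ && ext == "" { ext = $4 }
        /^Fully Secure:/          && sec == "" { sec = $3 }
        /^Conversion Direction:/  && dir == "" { dir = tolower($3) }
        END {
            if (none || ext == "No")    s = "Encryption Not Enabled"
            else if (ext != "Yes")      s = "Encryption Status Unknown. Please check."
            else if (sec == "Yes")      s = "Encryption Complete"
            else if (dir == "forward")  s = "Encryption Proceeding"
            else if (dir == "backward") s = "Decryption Proceeding"
            else if (dir == "-none-")   s = "Decryption Completed"
            else                        s = "Encryption Status Unknown. Please check."
            print "FileVault 2 " s
        }'
}

# Constructed sample input (abridged layout, not captured from a real Mac).
SAMPLE_ENCRYPTING='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000000
    |
    +-> Logical Volume Family 11111111-1111-1111-1111-111111111111
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    forward
        Has Encrypted Extents:   Yes
        Fully Secure:            No'

SAMPLE_NONE='No CoreStorage logical volume groups found'

# On a Mac the input would come from: diskutil cs list | fv2_status
printf '%s\n' "$SAMPLE_ENCRYPTING" | fv2_status
printf '%s\n' "$SAMPLE_NONE" | fv2_status
```

Because the result arrives on stdout, the caller decides where it lands, for example a file in a directory only root can write.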

Action 2

Action Link: Click here to visit the Home Page the script originates from.
Script Type: URL
http://derflounder.wordpress.com/2011/10/13/filevault-2-encryption-status-check-script/
    


BrianCanFixIT -
Awesome. Works for 10.9 too. Will test on 10.10 soon too.