
07 FileVault Authenticated Restarts

Ayla Abbott edited this page Feb 16, 2020 · 1 revision

Authenticated Restarts Now Supported in UEX v4.1!

The command fdesetup authrestart performs a restart after which the Mac boots straight through without prompting the user to unlock the FileVault volume. This reduces the time it takes a user to get back to work and improves the overall user experience.

From the Man Page of fdesetup

On supported hardware, fdesetup allows restart of a FileVault-enabled system without requiring unlock during the subsequent boot using the authrestart command. WARNING: FileVault protections are reduced during authenticated restarts. In particular, fdesetup deliberately stores at least one additional copy of a permanent FDE (full disk encryption) unlock key in both system memory and (on supported systems) the System Management Controller (SMC).

If FileVault is enabled on the current volume, it restarts the system, bypassing the initial unlock.

How to activate this

In the script 00-uexrestartagent-jss there is a new parameter you can hard code before uploading the script.

As of v5.0 this setting has been moved to the Jamf Interaction Configuration in 00-UEX-Jamf-Interaction-no-grep.sh.

enable_filevault_reboot

Simply set this value to true and it will do the rest!

How does it work?

  • The script checks whether the logged-in user is authorized to unlock the disk and whether the Mac supports authenticated restart.
  • If both are true, it offers the user an authenticated restart.
  • The user has 5 minutes to respond; otherwise it falls back to the normal restart method.

In order for the changes to complete you must restart your computer. Please save your work.

Would you like to enter your password to have the computer unlock the disk automatically? Note: Automatic unlock does not always occur.

  • From there the user can click Yes and is asked to enter their password via an osascript display dialog.

  • The password is not stored anywhere; it is only held in a script variable for the duration of the script.

  • The script then runs fdesetup authrestart, supplying the username and password. Keep the password off the command line: fdesetup authrestart accepts the credentials as a plist on stdin (the -inputplist option), whereas a command-line argument is visible to every local process in the process list.

  • If the script continues past that command, no restart happened, so the command failed and a failure message is shown:

There was an error with the authorized restart. Your password may be incorrect, out of sync, or blank.

Click "Try Again" or "Cancel".

  • If they click Try Again then it will loop back for the password again.
  • If they click Cancel then it performs a normal restart.
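The flow described above (support and authorization checks, the offer with a 5 minute timeout, the hidden password prompt, the fdesetup call, and the Try Again / Cancel loop) as an added bash example. This is not the UEX script itself, whose code is not reproduced on this page: function names, MAX_TRIES and the extra dialog wording are this example's own, and it assumes macOS with fdesetup(8), osascript(1) and a logged-in console user. It passes the credentials to fdesetup on stdin via -inputplist and XML-escapes them so a password containing &, < or > cannot break the plist.

```shell
#!/bin/bash
# Added example, not the UEX script itself: offer the console user a FileVault
# authenticated restart and fall back to a plain restart. Assumes macOS with
# fdesetup(8) and osascript(1); function names and MAX_TRIES are this example's.
set -u

MAX_TRIES=3   # assumption: password attempts allowed before giving up

# Escape text for a plist <string> element so a password containing
# & < > " or ' cannot break the XML that fdesetup parses.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
    -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the plist that `fdesetup authrestart -inputplist` reads from stdin.
# Feeding credentials on stdin keeps them out of the command line, which any
# local process could otherwise read from the process list.
authrestart_plist() {
  local user pass
  user=$(xml_escape "$1")
  pass=$(xml_escape "$2")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>${user}</string>
  <key>Password</key>
  <string>${pass}</string>
</dict>
</plist>
EOF
}

console_user() { stat -f%Su /dev/console; }

# Hardware/OS support check: fdesetup prints "true" or "false".
fv_supports_authrestart() {
  [ "$(fdesetup supportsauthrestart 2>/dev/null)" = "true" ]
}

# FileVault-enabled users: `fdesetup list` prints one "name,UUID" line per user.
fv_user_can_unlock() {
  fdesetup list 2>/dev/null | cut -d, -f1 | grep -qx -- "$1"
}

# On success fdesetup reboots the Mac and never returns; non-zero means failure.
do_authrestart() {
  authrestart_plist "$1" "$2" | fdesetup authrestart -inputplist
}

# Initial offer; "Yes" within 5 minutes returns 0, "No" or timeout returns 1.
offer_authrestart() {
  local r
  r=$(osascript -e 'display dialog "In order for the changes to complete you must restart your computer. Please save your work." & return & return & "Would you like to enter your password to have the computer unlock the disk automatically? Note: Automatic unlock does not always occur." buttons {"No", "Yes"} default button "Yes" giving up after 300' \
               -e 'button returned of result' 2>/dev/null)
  [ "$r" = "Yes" ]
}

# Hidden-answer password prompt; Cancel makes osascript exit non-zero.
prompt_password() {
  osascript -e 'display dialog "Enter your login password to unlock the disk at restart:" default answer "" with hidden answer buttons {"Cancel", "OK"} default button "OK"' \
            -e 'text returned of result' 2>/dev/null
}

# Failure dialog; "Try Again" returns 0, "Cancel" returns 1.
ask_retry() {
  local r
  r=$(osascript -e 'display dialog "There was an error with the authorized restart. Your password may be incorrect, out of sync, or blank." buttons {"Cancel", "Try Again"} default button "Try Again" with icon caution' \
               -e 'button returned of result' 2>/dev/null)
  [ "$r" = "Try Again" ]
}

# Prompt, attempt, and loop on "Try Again" up to MAX_TRIES times.
# Returns 1 when the user cancels or the attempts are exhausted.
authrestart_with_retry() {
  local user="$1" tries=0 pw
  while [ "$tries" -lt "$MAX_TRIES" ]; do
    tries=$((tries + 1))
    pw=$(prompt_password) || return 1
    if do_authrestart "$user" "$pw"; then
      pw=""
      return 0        # only reachable with a stubbed fdesetup; normally the Mac has rebooted
    fi
    pw=""             # drop the password from the variable as soon as it is no longer needed
    ask_retry || return 1
  done
  return 1
}

main() {
  local user
  user=$(console_user)
  if fv_supports_authrestart && fv_user_can_unlock "$user" && offer_authrestart; then
    authrestart_with_retry "$user" && exit 0
  fi
  shutdown -r now   # unsupported, declined, cancelled or failed: normal restart
}

# Only act when run explicitly as `script --run`; plain sourcing just defines functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root on a FileVault-enabled Mac with the --run argument; without it the file only defines functions, so it can be sourced or exercised with stubbed fdesetup and osascript. The man page warning above still applies: for the duration of an authenticated restart a copy of the unlock key sits in memory and, on supported hardware, in the SMC, so this is a convenience trade-off the user is being asked to accept, not a free feature.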