#!/bin/bash
####################################################################################################
#
# Copyright (c) 2017, JAMF Software, LLC. All rights reserved.
#
#   Redistribution and use in source and binary forms, with or without
#   modification, are permitted provided that the following conditions are met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above copyright
#       notice, this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of the JAMF Software, LLC nor the
#       names of its contributors may be used to endorse or promote products
#       derived from this software without specific prior written permission.
#
#   THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
#   EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#   DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
#   DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#   (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
#   LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
#   ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
#   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# Description
#
#   The purpose of this script is to allow a new individual recovery key to be issued
#   if the current key is invalid and the management account is not enabled for FV2,
#   or if the machine was encrypted outside of the JSS.
#
#   First put a configuration profile for FV2 recovery key redirection in place.
#   Ensure keys are being redirected to your JSS.
#
#   This script will prompt the user for their password so a new FV2 individual
#   recovery key can be issued and redirected to the JSS.
#
####################################################################################################
#
# HISTORY
#
#   -Created by Sam Fortuna on Sept. 5, 2014
#   -Updated by Sam Fortuna on Nov. 18, 2014
#       -Added support for 10.10
#   -Updated by Sam Fortuna on June 23, 2015
#       -Properly escapes special characters in user passwords
#   -Updated by Bram Cohen on May 27, 2016
#       -Pipe FV key and password to /dev/null
#   -Updated by Jordan Wisniewski on Dec 5, 2016
#       -Removed quotes for 'send {${userPass}} ' so
#        passwords with spaces work.
#   -Updated by Shane Brown/Kylie Bareis on Aug 29, 2017
#       - Fixed an issue with usernames that contain
#         sub-string matches of each other.
#   -Updated by Bram Cohen on Jan 3, 2018
#       - 10.13 adds a new prompt for username before password in changerecovery
#   -Updated by Matt Boyle on July 6, 2018
#       - Error handeling, custom Window Lables, Messages and FV2 Icon
#   -Updated by David Raabe on July 26, 2018
#       - Added Custom Branding to pop up windows
#   -Updated by Sebastien Del Saz Alvarez on January 22, 2021
#       -Changed OS variable and relevant if statements to use OS Build rather than OS Version to avoid errors in Big Sur
####################################################################################################
#
# Parameter 4 = Set organization name in pop up window
# Parameter 5 = Failed Attempts until Stop
# Parameter 6 = Custom text for contact information.
# Parameter 7 = Custom Branding - Defaults to Self Service Icon

#Customizing Window
selfServiceBrandIcon="/Users/$3/Library/Application Support/com.jamfsoftware.selfservice.mac/Documents/Images/brandingimage.png"
jamfBrandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns"
fileVaultIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns"

if [ ! -z "$4" ]
then
    orgName="$4 -"
fi

if [ ! -z "$6" ]
then
    haltMsg="$6"
else
    haltMsg="Please Contact IT for Further assistance."
fi

if [[ ! -z "$7" ]]; then
    brandIcon="$7"
elif [[ -f $selfServiceBrandIcon ]]; then
    brandIcon=$selfServiceBrandIcon
elif [[ -f $jamfBrandIcon ]]; then
    brandIcon=$jamfBrandIcon
else
    brandIcon=$fileVaultIcon
fi

## Get the logged in user's name
userName=$(/usr/bin/stat -f%Su /dev/console)

## Grab the UUID of the User
userNameUUID=$(dscl . -read /Users/$userName/ GeneratedUID | awk '{print $2}')

## Get the OS build
BUILD=`/usr/bin/sw_vers -buildVersion | awk {'print substr ($0,0,2)'}`

## This first user check sees if the logged in account is already authorized with FileVault 2
userCheck=`fdesetup list | awk -v usrN="$userNameUUID" -F, 'match($0, usrN) {print $1}'`
if [ "${userCheck}" != "${userName}" ]; then
    echo "This user is not a FileVault 2 enabled user."
    exit 3
fi

## Counter for Attempts
try=0
if [ ! -z "$5" ]
then
    maxTry=$5
else
    maxTry=2
fi

## Check to see if the encryption process is complete
encryptCheck=`fdesetup status`
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
    echo "The encryption process has not completed."
    echo "${encryptCheck}"
    exit 4
fi

passwordPrompt () {
    ## Get the logged in user's password via a prompt
    echo "Prompting ${userName} for their login password."
    userPass=$(/usr/bin/osascript -e "
    on run
    display dialog \"To generate a new FileVault key\" & return & \"Enter login password for '$userName'\" default answer \"\" with title \"$orgName FileVault Key Reset\" buttons {\"Cancel\", \"Ok\"} default button 2 with icon POSIX file \"$brandIcon\" with text and hidden answer
    set userPass to text returned of the result
    return userPass
    end run")
    if [ "$?" == "1" ]
    then
        echo "User Canceled"
        exit 0
    fi

    try=$((try+1))

    if [[ $BUILD -ge 13 ]] && [[ $BUILD -lt 17 ]]; then
        ## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output
        result=$(expect -c "
        log_user 0
        spawn fdesetup changerecovery -personal
        expect \"Enter a password for '/', or the recovery key:\"
        send {${userPass}}
        send \r
        log_user 1
        expect eof
        " >> /dev/null)
    elif [[ $BUILD -ge 17 ]]; then
        result=$(expect -c "
        log_user 0
        spawn fdesetup changerecovery -personal
        expect \"Enter the user name:\"
        send {${userName}}
        send \r
        expect \"Enter a password for '/', or the recovery key:\"
        send {${userPass}}
        send \r
        log_user 1
        expect eof
        ")
    else
        echo "OS version not 10.9+ or OS version unrecognized"
        echo "$(/usr/bin/sw_vers -productVersion)"
        exit 5
    fi
}

successAlert () {
    /usr/bin/osascript -e "
    on run
    display dialog \"\" & return & \"Your FileVault Key was successfully Changed\" with title \"$orgName FileVault Key Reset\" buttons {\"Close\"} default button 1 with icon POSIX file \"$brandIcon\"
    end run"
}

errorAlert () {
    /usr/bin/osascript -e "
    on run
    display dialog \"FileVault Key not Changed\" & return & \"$result\" buttons {\"Cancel\", \"Try Again\"} default button 2 with title \"$orgName FileVault Key Reset\" with icon POSIX file \"$brandIcon\"
    end run"
    if [ "$?" == "1" ]
    then
        echo "User Canceled"
        exit 0
    else
        try=$(($try+1))
    fi
}

haltAlert () {
    /usr/bin/osascript -e "
    on run
    display dialog \"FileVault Key not changed\" & return & \"$haltMsg\" buttons {\"Close\"} default button 1 with title \"$orgName FileVault Key Reset\" with icon POSIX file \"$brandIcon\"
    end run
    "
}

while true
do
    passwordPrompt
    if [[ $result = *"Error"* ]]
    then
        echo "Error Changing Key"
        if [ $try -ge $maxTry ]
        then
            haltAlert
            echo "Quitting.. Too Many failures"
            exit 0
        else
            echo $result
            errorAlert
        fi
    else
        echo "Successfully Changed FV2 Key"
        successAlert
        exit 0
    fi
done
This script is a Bash script for macOS. Its main function is to allow a new personal recovery key to be generated for the user when the user's FileVault 2 recovery key is invalid or the management account is not enabled. The script interacts with the user to request their login password, then uses the fdesetup command to change the recovery key and redirects the new key to the JSS (JAMF Pro Server). In addition, the script provides some customizable windows and messages to improve the user experience.
Here are the script's main components and flow:
Parameter 4: organization name, used in the title of the pop-up window.
Parameter 5: maximum number of failed attempts; once it is exceeded, the script stops trying.
Parameter 6: custom contact-information text.
Parameter 7: custom branding icon path; defaults to the JSS icon.
selfServiceBrandIcon: path to the custom branding icon.
jamfBrandIcon: path to the JAMF application icon.
fileVaultIcon: path to the FileVault icon that ships with macOS.
orgName: organization name.
haltMsg: message shown after the maximum number of attempts has been exceeded.
brandIcon: the branding icon that is finally used.
Get the currently logged-in user's name and UUID.
Check whether the user is already enabled for FileVault 2.
Check whether the encryption process has completed.
Prompt the user for their password:
Use AppleScript to display a dialog asking the user to enter their password.
Depending on the macOS version, use the expect command to automate the interaction with the fdesetup changerecovery -personal command.
Handle the result:
If the key was changed successfully, show a success message.
If it failed, show an error message and let the user try again.
If the maximum number of attempts is exceeded, show a final error message and exit.
Variable initialization: read the parameters and set defaults.
User status check: make sure the user is enabled for FileVault 2 and encryption has completed.
Password prompt function: show a dialog and obtain the user's password.
Success alert function: show a success message.
Error alert function: show an error message and let the user try again.
Halt alert function: show a final error message and stop trying.
Main loop: keep trying to change the key until it succeeds or the maximum number of attempts is reached.
Save the script: save it as a .sh file.
Set execute permission: use the chmod +x scriptname.sh command.
Run the script: run ./scriptname.sh in the terminal.
Security: the script handles the user's password, so make sure it runs in a secure environment.
Dependencies: the script depends on the expect and osascript tools; make sure they are installed.
Customization: adjust the parameters and paths in the script to your actual needs.
If you have any specific questions or need further help, let me know!
What does log_user 1 mean?
In an expect script, log_user is a command that controls output. It determines whether the commands and responses in the expect script are written to standard output (normally the terminal).
Usage of log_user
log_user 0: turns output off, i.e. the commands and responses in the expect script are not displayed.
log_user 1: turns output on, i.e. the commands and responses in the expect script are displayed.
In your script, log_user is used to control the output of the expect script:

    log_user 0
    spawn fdesetup changerecovery -personal
    expect "Enter a password for '/', or the recovery key:"
    send {${userPass}}
    send \r
    log_user 1
    expect eof
log_user 0: turns output off, so that while the fdesetup command runs and its interaction takes place, none of these commands and responses are displayed on the terminal. This is usually used to hide sensitive information, such as passwords.
spawn fdesetup changerecovery -personal: launches the fdesetup changerecovery -personal command, which changes the FileVault 2 personal recovery key.
expect "Enter a password for '/', or the recovery key:": waits for the fdesetup command to prompt for the password.
send {${userPass}}: sends the password the user entered.
send \r: sends a carriage return to confirm the input.
log_user 1: turns output back on, so the subsequent commands and responses are displayed on the terminal.
expect eof: waits for the command to finish, until end of file (EOF) is reached.
Why use log_user 0 and log_user 1?
Security: while sensitive information (such as a password) is being entered, turning output off prevents that information from being accidentally shown on the terminal, which improves security.
Debugging: after the sensitive information has been entered, turning output back on helps debug the subsequent commands and responses and confirms that the script works as expected.
log_user 0 and log_user 1 are commonly used commands in expect scripts for controlling whether output is displayed. When handling sensitive information, turning output off improves security; when debugging is needed, turning it back on helps diagnose problems.