Enabling FileVault is a critical step in securing macOS devices, particularly in managed environments like schools, enterprises, and remote teams. For administrators using Jamf Pro, automating this process can simplify device onboarding and ensure compliance with disk encryption policies.
One such script, Add_FV_Prompt.sh, helps automate the addition of users to FileVault by prompting for credentials via osascript and passing them to fdesetup. While it’s functional and useful in certain edge cases, there are security caveats to be aware of.
⚙️ What the Script Does
The Add_FV_Prompt.sh script enables FileVault for a target user by automating the following steps:
- Prompts the user for their username and password using osascript dialogs.
- Prompts for the admin account's username and password.
- Uses expect to automate the interaction with the fdesetup add command, feeding in the required credentials.
🔐 osascript Prompts
The script uses two forms of AppleScript via osascript to request input:
```bash
# Visible-text dialog for the admin username
adminName=$(osascript -e 'tell application "System Events" to display dialog "Enter your username: Your username is the first initial and last name all lowercase no spaces" default answer ""' -e 'text returned of result')
# Same dialog with "hidden answer": the field is masked on screen, but the value still lands in a plain shell variable
adminPass=$(osascript -e 'tell application "System Events" to display dialog "Enter your password:" with hidden answer default answer ""' -e 'text returned of result')
```
The first line prompts for the username — this is visible plaintext input, which presents less risk.
The second line prompts for the password using the with hidden answer clause — this masks input from view but does not securely handle the password:
- The value is still stored in a shell variable ($adminPass).
- It can be read from memory during execution.
- It may still show in logs or crash dumps under certain conditions.
⚠️ Hidden input in AppleScript does not equate to encryption. It is merely UI-level obfuscation.
💡 What Happens Next
After collecting the credentials, the script pipes them into fdesetup using expect automation:
```bash
# Feed the collected credentials to fdesetup non-interactively.
# The inner double quotes are escaped so they do not terminate the
# outer -c string, and each send ends with \r to "press Enter".
expect -c "
spawn sudo fdesetup add -usertoadd $userName
expect \"Enter the user name:\"
send \"${adminName}\r\"
expect \"Enter the password for user '$adminName':\"
send \"${adminPass}\r\"
expect \"Enter the password for the added user '$userName':\"
send \"${userPass}\r\"
expect eof
"
```
This allows non-interactive FileVault user addition, which is helpful in environments where user interaction is not ideal or available — such as lab setups or remote support sessions.
⚠️ Security Warning
While the automation is convenient, passing passwords in plain-text variables is a security risk:
- Even though the password dialog masks input, the resulting shell variables ($adminPass, $userPass) are in memory.
- On some MDM platforms like Jamf, script parameters — even hidden — can be written to log output, making them visible to admins or attackers with access.
- The expect process can also expose these values in real time if not sandboxed or locked down.
Recommendation: Only use this script in low-risk or one-off situations, such as lab environments, loaner devices, or when users are being onboarded under direct supervision.
For more secure environments, consider using Jamf’s native FileVault configuration profiles, secure tokens escrowed during DEP enrollment, or triggering fdesetup manually via Self Service with user input.
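If the script must stay in use, one way to shrink the exposure is to drop the expect layer and hand the credentials to fdesetup through its documented -inputplist option on standard input, so nothing sensitive appears on a command line, in a spawned transcript, or in the stdout/stderr that Jamf captures. This is an added example, not code from Add_FV_Prompt.sh; it assumes bash, fdesetup's plist keys Username, Password and AdditionalUsers, and hypothetical helper names of my own.

```bash
#!/bin/bash
# Added example (not from Add_FV_Prompt.sh): pass credentials to
# fdesetup via -inputplist on stdin instead of driving it with expect.

# Escape the XML special characters so a password such as
# p<a>s&"w cannot break or inject into the plist.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the plist fdesetup reads: the enabled admin authorises, and
# AdditionalUsers lists the account to add. Written to stdout only.
build_fv_plist() {
  local admin_name=$1 admin_pass=$2 user_name=$3 user_pass=$4
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>$(xml_escape "$admin_name")</string>
  <key>Password</key><string>$(xml_escape "$admin_pass")</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>$(xml_escape "$user_name")</string>
      <key>Password</key><string>$(xml_escape "$user_pass")</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Add the user. set +x guards against a debugging trace echoing the
# plist; the credential variables are cleared as soon as fdesetup returns.
add_fv_user() {
  set +x
  build_fv_plist "$1" "$2" "$3" "$4" | sudo fdesetup add -inputplist
  local rc=$?
  unset adminName adminPass userName userPass
  return $rc
}
```

Call it as add_fv_user "$adminName" "$adminPass" "$userName" "$userPass" after the osascript prompts; the values still sit in process memory while the dialogs run, so the in-memory caveat above remains.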
🧪 When to Use This Script
- 🔧 You need to re-enable FileVault for a user without triggering full disk decryption.
- 🧑‍💻 You’re working in a lab or low-security environment where credentials are temporary or non-sensitive.
- ⚠️ You understand and accept the logging risks associated with passing credentials in scripts.
📝 Final Thoughts
Scripts like Add_FV_Prompt.sh can be powerful tools in the right context — but with great power comes great responsibility. Security professionals and MacAdmins should always weigh convenience against risk.
If you choose to use this script:
- Restrict who can deploy or trigger it.
- Avoid reusing admin credentials.
- Rotate passwords after use if possible.
For a look at the script, visit the repo:
👉 Add_FV_Prompt.sh
Stay secure and script smart. 💻🔒
Ready to take your Apple IT skills and consulting career to the next level?
I’m opening up free mentorship slots to help you navigate certifications, real-world challenges, and starting your own independent consulting business.
Let’s connect and grow together — Sign up here