Enable FileVault via bootstrapped Munki

[Matter]

I'm not sure if this is a MunkiReport or a Munki issue.

I use DeployStudio for image deployment, also a script in DeployStudio bootstraps Munki. So when imaging is ready the machine reboots and directly Managed Software Update runs (during loginwindow). One of the packages that is installed should enable FileVault and uploads the key to MunkiReport.

This works great if:

- a user logs in and runs Managed Software Update

- the package is installed manually

- managed software update is run via ssh (also during loginwindow)

Unfortunately it fails when the package is installed when Munki is bootstrapped. The package is installed but FileVault is not enabled. The strange thing is that a FileVault key is generated and uploaded to MunkiReport. When I look in the package log file I see some errors:

***** FileVault Kickoff Script | Escrows FileVault Data to MunkiReport PHP 2 *****

FileVault 2 Encryption Not Yet Enabled

==== EFILoginCopyUserGraphics ===

Please reboot to complete the process.

Submitting FileVault Escrow Report

    Munkireport: # Executing scripts in postflight.d

    Munkireport: Running inventory_add_plugins.py

    Munkireport: inventory_add_plugins.py Error: Traceback (most recent call last):

  File "/usr/local/munki/postflight.d/inventory_add_plugins.py", line 18, in <module>

    appinv = FoundationPlist.readPlist(invPath)

  File "/usr/local/munki/munkilib/FoundationPlist.py", line 70, in readPlist

    raise NSPropertyListSerializationException(errmsg)

munkilib.FoundationPlist.NSPropertyListSerializationException: stream had too few bytes in file /Library/Managed Installs/ApplicationInventory.plist

WARNING: Munkireport: inventory_add_plugins.py return code: 1

    Munkireport: Requesting ard_model

    Munkireport: Requesting installhistory

    Munkireport: Requesting filevault_status

    Munkireport: Requesting filevault_escrow

    Munkireport: Requesting munkireport

    Munkireport: Requesting displays_info

    Munkireport: Requesting inventory

    Munkireport: Requesting disk_report

    Munkireport: Requesting warranty

    Munkireport: Requesting localadmin

    Munkireport: Requesting directory_service

    Munkireport: Requesting network

    Munkireport: Requesting bluetooth

    Munkireport: Need to update warranty

    Munkireport: Need to update installhistory

    Munkireport: Need to update reportdata

    Munkireport: Need to update disk_report

    Munkireport: Need to update ard_model

    Munkireport: Need to update munkireport

    Munkireport: Need to update filevault_escrow

    Munkireport: Need to update inventory

WARNING: Munkireport: Can't open /Library/Managed Installs/ApplicationInventory.plist

    Munkireport: Sending items

    Munkireport: Server info: starting: warranty

Server info: warranty: current status: Unregistered serialnumber

Server info: warranty: new status: Unregistered serialnumber

Server info: starting: installhistory

Server info: starting: reportdata

Server info: starting: disk_report

Server info: starting: ard_model

Server info: starting: munkireport

Server info: starting: filevault_escrow

Please confirm the Recovery Key is on the MunkiReport server and then reboot to complete the process.

Any thoughts on this?

[Gregory Neagle]

Doesn't look like a Munki _or_ a MunkiReport issue, but rather an issue with your script.

-Greg

--
You received this message because you are subscribed to the Google Groups "munki-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munki-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Matter]

Maybe, but the script works fine in any other condition. I've been using it for a long time via Munki. I did some more troubleshooting and it seems to help to do an additional reboot after the first boot. I think MunkiReport has to run at least on time before enabling FileVault.

Op donderdag 26 februari 2015 03:37:46 UTC+1 schreef gregn...@mac.com:

[Gregory Neagle]

On Feb 26, 2015, at 7:35 AM, Matter <matti...@gmail.com> wrote:

Maybe, but the script works fine in any other condition.

Which implies there may be conditions your script is not handling. Since we haven't seen the script, your script is the unknown quantity here, so we can't eliminate it as the source of your issue.

I've been using it for a long time via Munki. I did some more troubleshooting and it seems to help to do an additional reboot after the first boot. I think MunkiReport has to run at least on time before enabling FileVault.

MunkiReport doesn't enable FileVault...

[A.E. van Bochoven]

I believe you're using this script:

https://github.com/munkireport/munkireport-php/blob/master/app/modules/filevault_escrow/script/Sample%20FileVault2%20Kickoff%20Script.sh

which was written by gmarnin.

I think you should take this issue to munki...@googlegroups.com or file a bug report at the munkireport github repo.

-Arjen

[Matter]

Sorry guys,

I should have mentioned that I'm using that script. I'll take it to the munki report group.

Thanks!

Op donderdag 26 februari 2015 18:17:49 UTC+1 schreef Arjen van Bochoven: