Greetings! We are looking at alternative methods of checking for FileVault 2 Encryption Status of “locked” BigFix endpoints. This presents a new challenge, especially on Mac OS X. We would like to explore this possible solution:
Checking for encryption status using the I/O Kit, where “CoreStorage Encrypted” is a Boolean value or as “Encrypted”
The goal would be to write a relevance query to retrieve the value of “CoreStorage Encrypted”. We are hoping that someone who is more versed in the Mac OS X I/O Kit’s framework, library, etc. can help.
One issue is that the relevance isn’t exactly the same for SATA drives vs PCI-Express AHCI SSDs vs PCI-Express NVMe SSDs. It will be a bit of a challenge to come up with a good way to generalize it.
This command will give you the info that needs to be queried:
ioreg -c CoreStorageLogical
This is part way there, with better generalization:
strings of values of entries whose(key of it = "Model") of dictionaries of nodes "Appl AHCI" of it) of nodes of nodes of nodes of nodes "AppleACPIPCI" of nodes whose(name of it starts with "PCI") of nodes "AppleACPIPlatformExpert" of service plane of iokit registry
The most important thing to remember when writing iokit or plist relevance is that E: The operator "string" is not defined. is a “good error”. It means you are returning results, but just results without a string representation.
If you only care about the main internal system volume, then you probably only want this data for:
"BSD Name" = "disk1"
This appears to be the answer on my system:
booleans of values of entries whose("CoreStorage Encrypted" = key of it) of dictionaries of nodes of nodes of nodes "CoreStoragePhysical" of nodes of nodes "IOGUIDPartitionScheme" of nodes of nodes "IOBlockStorageDriver" of nodes "IOAHCIBlockStorageDevice" of nodes "AppleAHCIDiskDriver" of nodes "IOAHCIDevice" of (it; nodes of nodes "AppleAHCI" of it) of nodes of nodes of nodes of nodes "AppleACPIPCI" of nodes whose(name of it starts with "PCI") of nodes "AppleACPIPlatformExpert" of service plane of iokit registry
This may not work for other systems without further generalization.
This will, MOSTLY, give the raw data:
("%22" & key of it & "%22 = " & ( (unique value of (strings of it; booleans of it as string; integers of it as string; datas of it as string; dates of it as string) of values of it)|"<unknown>"&((" "& type of value of it)|"" ) ) ) of entries of dictionaries of nodes of nodes of nodes "CoreStoragePhysical" of nodes of nodes "IOGUIDPartitionScheme" of nodes of nodes "IOBlockStorageDriver" of nodes "IOAHCIBlockStorageDevice" of nodes "AppleAHCIDiskDriver" of nodes "IOAHCIDevice" of (it; nodes of nodes "AppleAHCI" of it) of nodes of nodes of nodes of nodes "AppleACPIPCI" of nodes whose(name of it starts with "PCI") of nodes "AppleACPIPlatformExpert" of service plane of iokit registry
I can’t tell why the value for “size” doesn’t come through when it is of type integer. Definitely seems like a bug. @AlanM
This should give you the answer to if disk1 only is encrypted:
booleans of values of entries whose("CoreStorage Encrypted" = key of it) of dictionaries whose( exists entries whose("BSD Name" = key of it AND "disk1" = string of value of it) of it ) of nodes of nodes of nodes "CoreStoragePhysical" of nodes of nodes "IOGUIDPartitionScheme" of nodes of nodes "IOBlockStorageDriver" of nodes "IOAHCIBlockStorageDevice" of nodes "AppleAHCIDiskDriver" of nodes "IOAHCIDevice" of (it; nodes of nodes "AppleAHCI" of it) of nodes of nodes of nodes of nodes "AppleACPIPCI" of nodes whose(name of it starts with "PCI") of nodes "AppleACPIPlatformExpert" of service plane of iokit registry
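An added example, not part of the original thread: a way to cross-check the relevance results outside BigFix by reading the same “BSD Name” and “CoreStorage Encrypted” keys from the ioreg output in XML plist form. It assumes ioreg's -r and -a options (not used in the thread) and runs here on a constructed sample; the function names are hypothetical.

```python
import plistlib

# Constructed sample shaped like `ioreg -c CoreStorageLogical -r -a` output.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
  <dict>
    <key>BSD Name</key><string>disk1</string>
    <key>CoreStorage Encrypted</key><true/>
  </dict>
  <dict>
    <key>BSD Name</key><string>disk3</string>
    <key>CoreStorage Encrypted</key><false/>
    <key>IORegistryEntryChildren</key>
    <array><dict><key>BSD Name</key><string>disk4</string></dict></array>
  </dict>
</array></plist>
"""

def walk(node):
    """Yield every dictionary in the registry tree, depth first."""
    if isinstance(node, list):
        for item in node:
            yield from walk(item)
    elif isinstance(node, dict):
        yield node
        yield from walk(node.get("IORegistryEntryChildren", []))

def encryption_by_bsd_name(plist_bytes):
    """Map BSD Name -> True/False, or None when the key is absent."""
    if not plist_bytes.strip():
        return {}  # empty output: no matching objects were returned
    status = {}
    for entry in walk(plistlib.loads(plist_bytes)):
        name = entry.get("BSD Name")
        if name is not None:
            value = entry.get("CoreStorage Encrypted")
            # Only a real boolean counts; anything else is "unknown".
            status[name] = value if isinstance(value, bool) else None
    return status

if __name__ == "__main__":
    # On a Mac, replace SAMPLE_PLIST with the stdout of:
    #   ioreg -c CoreStorageLogical -r -a
    for name, encrypted in encryption_by_bsd_name(SAMPLE_PLIST).items():
        print(name, encrypted)
```

Reporting a missing key as None rather than False keeps "not encrypted" separate from "could not be determined" in compliance reports.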