Macintosh FileVault

(imported topic written by SystemAdmin)

We have a requirement to determine if FileVault is enabled for users on our Macintosh devices.

The logic we are using is if a username.sparsebundle file exists in a user folder, then FileVault is enabled for that user.

This is the relevance for the analysis we have put together:

IF (exists (folders of folder "/Users") whose (exists file whose (name of it as lowercase contains "sparsebundle") of it)) THEN (pathname of (folders of folder "/Users") whose (exists file whose (name of it as lowercase contains "sparsebundle") of it)) ELSE ("No sparsebundle in subfolders of /Users")

So, if any file in a user folder contains “sparsebundle” it returns the path of the user folder.

Using QnA on a Mac device, this relevance successfully locates dummy files that have “sparsebundle” somewhere in the file name.

It does not locate actual username.sparsebundle files. We assumed this was because QnA is not running as root.

Deploying the analysis also does not return the expected result.

If anyone else has tackled this issue, or if something is just flat-out wrong with our relevance, any assistance would be greatly appreciated.

(imported comment written by SystemAdmin)

With OS X 10.7 Lion you can run the command

diskutil coreStorage list

If you capture this to a file (once a day?), you can use the file contents to determine encryption status.

(imported comment written by SystemAdmin)

Thanks. Our Mac Admins indicate that we need information for hosts older than 10.7.x.

Our analysis is returning hits on dummy files in user folders - “sparsebundle.txt”

At this point, I’m curious whether the BigFix client can see the username.sparsebundle file, or if the item is actually a “file”.

Either could explain why “exists file” wouldn’t work.

(imported comment written by SystemAdmin)

“Bundles” on Mac OS X are in fact folders. Here is the relevance I use to detect them:

folders whose (name of it contains ".sparsebundle") of folders of folder "/Users"

(imported comment written by SystemAdmin)

This appears to have resolved the issue.

Sparsebundles are folders.
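
The same check as a shell function, for cross-checking the analysis results on a host (an added example, not part of the original posts or of BigFix). The function name is hypothetical, and it matches names ending in ".sparsebundle" rather than names containing that string, which is an assumption tighter than the posted relevance.

```shell
#!/bin/sh
# Added example: print each user folder that holds a *.sparsebundle DIRECTORY.
# list_sparsebundle_users is a hypothetical name; the root defaults to /Users.
list_sparsebundle_users() {
    users_root="${1:-/Users}"
    for home in "$users_root"/*; do
        # Only folders directly under the root are candidate user folders.
        [ -d "$home" ] || continue
        for entry in "$home"/*.sparsebundle; do
            # -d is the point of the thread: a bundle is a folder, so dummy
            # regular files ("sparsebundle.txt", or a plain file that merely
            # ends in ".sparsebundle") are not reported.
            if [ -d "$entry" ]; then
                printf '%s\n' "$home"
                break
            fi
        done
    done
}

# Run as root so that every user folder is readable.
list_sparsebundle_users "${1:-/Users}"
```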