Remotely rebooting and restoring access to a FileVault protected Mac via Mosyle MDM

Let me preface this post with a disclaimer: THIS IS PROBABLY A BAD IDEA!

However, there are times when you might need to remotely reboot a FileVault protected Mac via the Mosyle admin interface. A typical example for me is that I’ll be doing maintenance on a remote Mac after office hours, and the Jump Desktop Connect daemon on the system will inexplicably die and refuses to restart, even after trying to revive it via Mosyle Custom Commands.

Restarting the system usually clears up the problem. But if you just issue a “Restart” command to the machine via Mosyle, you won’t be able to control the machine again until someone logs in to the machine via a physical keyboard at the FileVault boot screen. Which, needless to say, is a problem if I need to do any work on a Mac when nobody is in the office.

You can, of course, use the fdesetup authrestart command in Terminal to reboot the system and bypass the FileVault login screen. But the catch is, the command prompts for a username and password, which you obviously cannot supply from the Mosyle Custom Command interface.

Fortunately, you can also feed credentials to the command via a .plist file that contains the username and password:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

You can save this out as a .plist file, then feed it to the authrestart command:

fdesetup authrestart -inputplist < authrestart.plist

But how do you get the .plist file onto the target machine? In Mosyle, the simplest method I’ve found is to use a package installer to remotely deploy the file to a secure folder on the target system.

Upload the .pkg file to your Mosyle CDN, then create an Install PKG profile for it.

Assign the Profile to the target device, then click “Save” to install the .pkg.

Create a Custom Command with the fdesetup authrestart -inputplist < authrestart.plist syntax (making sure to specify the exact path to the installed .plist file). Change the Execute command option in the Execution Settings tab to “Only when saving the profile”.

When you click “Save”, the command will be run, and the system should reboot back into the user account specified in the .plist file.

This all works great when you can’t get hands-on with the actual device. But it should now be obvious why I said that this might be a “bad” idea. Because these files contain the account password in plaintext, you need to remember to delete both the .plist file from the system, as well as the .pkg installer from the Mosyle CDN after you’re done!

It would also probably be a best practice to install the .plist file to a hidden admin account, rather than the active user’s account.