#!/bin/bash

#  It is recommended to test the script on a local machine for its purpose and effects.
#  ManageEngine Desktop Central will not be responsible for any
#  damage/loss to the data/setup based on the behavior of the script.
#  Description - Script to check encryption status
#  Configuration  - COMPUTER

# Determine OS version
# Save current IFS state

OLDIFS=$IFS

IFS='.' read osvers_major osvers_minor osvers_dot_version <<< "$(/usr/bin/sw_vers -productVersion)"

# restore IFS to previous state

IFS=$OLDIFS

ERROR=0

# Checks to see if the OS on the Mac is 10.13 or higher.
# If it is not, the following message is displayed without quotes:
#
# "APFS Encryption Not Available For This Version Of macOS"

if [[ ( ${osvers_major} -eq 10 && ${osvers_minor} -lt 13 ) ]]; then
  echo "APFS Encryption Not Available For This Version Of macOS"
fi

if [[ ( ${osvers_major} -eq 10 && ${osvers_minor} -ge 13 ) || ( ${osvers_major} -eq 11 ) ]]; then

# If the OS on the Mac is 10.13 or higher, check to see if the
# boot drive is formatted with APFS or HFS+

boot_filesystem_check=$(/usr/sbin/diskutil info / | awk '/Type \(Bundle\)/ {print $3}')
  
# If the drive is formatted with APFS, the fdesetup tool will
# be available and is able to display the encryption status.

  if [[ "$boot_filesystem_check" = "apfs" ]]; then

    # If encrypted, the following message is 
    # displayed without quotes:
    # "FileVault is On."
    #
    # If encrypting, the following message is 
    # displayed without quotes:
    # "Encryption in progress:"
    # How much has been encrypted of of the total
    # amount of space is also displayed.
    #
    # If decrypting, the following message is 
    # displayed without quotes:
    # "Decryption in progress:"
    # How much has been decrypted of of the total
    # amount of space is also displayed
    #
    # If not encrypted, the following message is 
    # displayed without quotes:
    # "FileVault is Off."

     ENCRYPTSTATUS=$(fdesetup status | xargs)
     if [[ -z $(echo "$ENCRYPTSTATUS" | awk '/Encryption | Decryption/') ]]; then
       ENCRYPTSTATUS=$(fdesetup status | head -1)
       echo "$ENCRYPTSTATUS"
     else
       ENCRYPTSTATUS=$(fdesetup status | tail -1)
       echo "$ENCRYPTSTATUS"
     fi
    else
      echo "Unable to display encryption status for filesystems other than APFS."
  fi
fi
  
exit $ERROR