FileVault disk encryption for macOS systems


FileVault is the built-in disk encryption feature of macOS, which encrypts the system disk of a Mac on the fly.

Encryption helps prevent unauthorized access to the documents and other data on the device: the system disk and all files on it are encrypted, and a password is required at login before the computer, its data and its files can be accessed.

If the device is lost or the user forgets the login password, the computer's disk can still be accessed by unlocking it with a recovery key.

With Miradore, you can remotely enforce the activation of FileVault disk encryption on Miradore-managed macOS devices using a configuration profile.


Requirements

  • Enterprise subscription for Miradore

  • Administrator access to Miradore

  • Miradore's FileVault configuration profile is compatible with devices running macOS 10.9 or higher

  • The use of an institutional recovery key requires you to create a FileVault master keychain with a macOS computer.


Steps to enforcing FileVault activation on macOS devices

  1. Go to the Management > Configuration profiles page in Miradore. Click the Add button on the page toolbar, choose macOS > FileVault and click Next.

  2. Configure the FileVault encryption settings described below. Click Next when you're done.


    Recovery key type

    Choose whether personal, institutional or both types of recovery keys can be used to unlock the encrypted disk.

    The personal recovery key is device-specific and is generated automatically on the target device when encryption is enabled. The device's user is responsible for storing the recovery key.

    Organizations can use the institutional key to unlock the disk of any macOS computer that has been encrypted with a certificate generated from the same keychain (see the Institutional recovery key section below). In this case, the administrator is responsible for keeping the recovery key stored in a safe location.

    It is possible to use both recovery keys, which means that an encrypted disk can be unlocked using either a personal or institutional recovery key.

    Show personal recovery key

    Defines whether the personal recovery key is shown to the device user after FileVault has been activated. The user always sees the personal recovery key. Note that it is the device user's responsibility to store the personal recovery key in a safe location. The following picture shows how the personal key is presented to the device user.

    [Screenshot: the personal recovery key as shown to the device user]

    Institutional recovery key

    The use of an institutional recovery key requires you to create a FileVault master keychain with a macOS computer. For more information, refer to Apple's documentation.

    After creating the FileVault master keychain, keep a copy of it in a safe location: the private key from the keychain is needed whenever you have to unlock a disk encrypted with a certificate generated from that keychain.

    Export the FileVault Recovery Key certificate from the master keychain using the Keychain Access app on a Mac. Upload the certificate to Miradore through the Management > Files and certificates page: open the Certificates tab and click Add to upload the certificate.

    After completing the steps above, you can select the uploaded certificate in the Institutional recovery key field of the configuration profile wizard.

    Prompt user at

    This field defines when the device user is prompted to activate FileVault encryption after the device has received the configuration profile from Miradore.

    When prompted at login, the user can be allowed to bypass the activation 1-5 times.

    Login bypass limit

    Specifies how many times the device user can bypass the activation of FileVault disk encryption at login.

  3. Enter a name and description for the profile; these help you recognize the configuration profile in Miradore. Click Create to finish creating the configuration profile.

  4. Next, go to the Management > Devices page. Use the check boxes to select all devices on which you want to activate FileVault encryption and click Deploy > Configuration profile on the page toolbar. In the deployment wizard, choose the configuration profile you just created and follow the instructions to deploy it.

    Note that you can also create a business policy that deploys the configuration profile to tagged devices automatically.

  5. You can monitor the configuration deployment from Management > Action log in Miradore. The Device page also shows which certificate was used to encrypt the device.
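The following is an added example, not Miradore's own code and not the profile Miradore generates: a shell function that writes an illustrative configuration profile mapping the wizard fields above (recovery key type, show personal recovery key, prompt user at, login bypass limit) onto Apple's documented FileVault payload keys, so you can see what each setting means once it reaches the device. The payload identifiers, UUIDs and the certificate payload reference are constructed placeholders, and the example assumes the institutional certificate is delivered in a separate certificate payload that the FileVault payload references by UUID.

```shell
#!/bin/sh
# Added example, not Miradore's own code: emits an illustrative FileVault
# configuration profile that maps the wizard fields onto Apple's documented
# FileVault payload keys (PayloadType com.apple.MCX.FileVault2).
# Identifiers, UUIDs and the certificate payload reference are constructed
# placeholders (assumption: the institutional certificate is delivered in a
# separate certificate payload referenced by UUID).
#
# usage: make_filevault_profile <personal|institutional|both> <true|false> <login|logout> [bypass-limit 1-5]
make_filevault_profile() {
  recovery_type="$1"     # Recovery key type
  show_key="$2"          # Show personal recovery key
  prompt_at="$3"         # Prompt user at
  bypass_limit="${4:-}"  # Login bypass limit (only used when prompting at login)

  case "$recovery_type" in
    personal|institutional|both) ;;
    *) echo "recovery key type must be personal, institutional or both" >&2; return 1 ;;
  esac
  case "$show_key" in
    true|false) ;;
    *) echo "show key must be true or false" >&2; return 1 ;;
  esac
  case "$prompt_at" in
    login)
      # At login the user may skip activation up to N times; 0 would force it at the next login.
      case "$bypass_limit" in
        [1-5]) ;;
        *) echo "login bypass limit must be 1-5" >&2; return 1 ;;
      esac
      max_bypass="$bypass_limit"; skip_logout=true ;;
    logout)
      # -1 disables the login prompt entirely; the user is asked at logout instead.
      max_bypass=-1; skip_logout=false ;;
    *) echo "prompt must be login or logout" >&2; return 1 ;;
  esac

  # Personal key: UseRecoveryKey makes the device generate its own key during activation.
  use_personal=true
  if [ "$recovery_type" = "institutional" ]; then use_personal=false; fi

  # Institutional key: reference the uploaded FileVault Recovery Key certificate payload.
  cert_ref=""
  if [ "$recovery_type" != "personal" ]; then
    cert_ref="      <key>PayloadCertificateUUID</key>
      <string>00000000-0000-0000-0000-000000000001</string>"
  fi

  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.MCX.FileVault2</string>
      <key>PayloadIdentifier</key>
      <string>com.example.filevault.payload</string>
      <key>PayloadUUID</key>
      <string>11111111-1111-1111-1111-111111111111</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Enable</key>
      <string>On</string>
      <key>Defer</key>
      <true/>
      <key>UseRecoveryKey</key>
      <$use_personal/>
      <key>ShowRecoveryKey</key>
      <$show_key/>
      <key>DeferForceAtUserLoginMaxBypassAttempts</key>
      <integer>$max_bypass</integer>
      <key>DeferDontAskAtUserLogout</key>
      <$skip_logout/>
$cert_ref
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>FileVault (example)</string>
  <key>PayloadIdentifier</key>
  <string>com.example.filevault</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>22222222-2222-2222-2222-222222222222</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}
```

Run it as, for example, `make_filevault_profile both true login 3 > filevault.mobileconfig` to see the profile for both key types, the key shown to the user, and a prompt at login that can be skipped three times. The point to notice is that "Prompt user at" and "Login bypass limit" are not independent underneath: prompting at login is expressed as a bypass count, and prompting at logout is expressed as disabling the login prompt (-1) while leaving the logout prompt on.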


Reporting: which devices have FileVault enabled?

Go to Home > Dashboard in Miradore and click Select dashboard > iOS/macOS on the page toolbar.

Two widgets, FileVault status and FileVault recovery key status, summarize the state of FileVault encryption on the macOS devices you manage with Miradore.

[Screenshot: the FileVault status and FileVault recovery key status widgets on the iOS/macOS dashboard]


How to check FileVault status on a macOS device

The device user can check the FileVault status in System Preferences and can disable FileVault with their login password if necessary.

[Screenshot: FileVault status in System Preferences]
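As an added example (not Miradore's code, and not what the dashboard widgets run), here is a command-line check that reports the same two facts the Reporting section describes, encryption status and recovery key status, for a single Mac. On macOS it reads the values from Apple's fdesetup tool; anywhere else it falls back to the constructed sample output embedded in the script so the parsing logic can be exercised offline. The deferred-enablement wording in the sample is modelled on fdesetup's output and is an assumption.

```shell
#!/bin/sh
# Added example, not Miradore's own code: a command-line check of a Mac's
# FileVault state reporting the same two facts as the dashboard widgets
# (encryption status, recovery key status). On macOS the values come from
# Apple's fdesetup tool; elsewhere the constructed sample output below is
# used so the logic runs offline.

# Constructed samples of `fdesetup status` output (wording modelled on the tool; assumption).
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

# parse_fv_status <status text> -> prints on | off | deferred
# "deferred" means the profile has arrived but the user has not yet accepted
# the activation prompt (the login bypass case described above).
parse_fv_status() {
  case "$1" in
    *"Deferred enablement"*) echo deferred ;;
    *"FileVault is On"*)     echo on ;;
    *"FileVault is Off"*)    echo off ;;
    *) echo unknown; return 1 ;;
  esac
}

# recovery_key_status <on|off|deferred> <personal true|false> <institutional true|false>
# -> prints n/a | none | personal | institutional | both
recovery_key_status() {
  if [ "$1" != "on" ]; then echo n/a; return 0; fi
  case "$2/$3" in
    true/true)   echo both ;;
    true/false)  echo personal ;;
    false/true)  echo institutional ;;
    false/false) echo none ;;   # encrypted with no recovery path: worth alerting on
    *) echo unknown; return 1 ;;
  esac
}

# fv_report: one line per widget, suitable for an inventory script.
fv_report() {
  if command -v fdesetup >/dev/null 2>&1; then
    status_text=$(fdesetup status)
    personal=$(fdesetup haspersonalrecoverykey)
    institutional=$(fdesetup hasinstitutionalrecoverykey)
  else
    status_text="$SAMPLE_ON"; personal=true; institutional=false   # constructed fallback
  fi
  status=$(parse_fv_status "$status_text")
  echo "FileVault status: $status"
  echo "FileVault recovery key status: $(recovery_key_status "$status" "$personal" "$institutional")"
}

fv_report
```

The "none" outcome is the one to watch for in an inventory: a disk that is encrypted but has neither a personal nor an institutional recovery key cannot be unlocked if the user forgets the login password. If fdesetup refuses the recovery key queries for an unprivileged user on your macOS version, run the script with sudo.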


Please send comments to contact@miradore.com.