Filevault disk encryption for macOS systems

FileVault is a disk encryption program in macOS systems that can be used to encrypt the system disk on macOS devices on the fly.

Encryption helps to prevent unauthorized access to your documents and other data on the device, since the system disk and all files are encrypted, and a password will be required at login before the computer, data, and files can be accessed.

If the device gets lost or the user forgets the login password, the computer's disk can be accessed by decrypting it with a recovery key.

With Miradore, it is possible to enforce the activation of FileVault disk encryption for Miradore-managed macOS devices remotely using a configuration profile.

Requirements

• Premium subscription for Miradore
• Administrator access to Miradore
• Miradore's FileVault configuration profile is compatible with devices running macOS 10.9 or higher
• The use of an institutional recovery key requires you to create a FileVault master keychain with a macOS computer.

Steps to enforcing FileVault activation on macOS devices

1. Go to Management > Configuration profiles page on Miradore. Click Add button from the page toolbar and choose macOS > FileVault and Next.
2. Configure FileVault encryption settings. Proceed with Next when you're done.
   

   Recovery key type

   Choose whether you want to use personal, institutional, or both types of recovery keys for unlocking encrypted files.

   The personal recovery key is device-specific and will be generated automatically at the target device when the encryption is enabled. The device's user is responsible for storing the recovery key.

   Organizations can use the institutional key to unlock any macOS computer's disk that has been encrypted with a certificate generated from the same keychain (See the Institutional recovery key section below). In this case, the administrator is responsible for keeping the recovery key stored in a safe location.

   It is possible to use both recovery keys, which means that an encrypted disk can be unlocked using either a personal or institutional recovery key.

   Show personal recovery key

   Defines whether the personal recovery key is shown to the device user after the FileVault has been activated. The user always sees the personal recovery key. Please note that it is the device user's responsibility to store the personal recovery key in a safe location. In the following picture, you see how the personal key is shown to the device user. If you want to store the personal FileVault recovery keys to Miradore, please read Storing personal FileVault recovery keys using custom attributes.

   

   Institutional recovery key

   The use of an institutional recovery key requires you to create a FileVault master keychain with a macOS computer. For more information, refer to Apple's documentation.

   After creating the FileVault master keychain, ensure you have a copy of it in a safe location because the private key from the keychain will be needed if you ever need to unlock disks encrypted with a certificate generated from the keychain.

   Export the FileVault Recovery Key certificate from the master key chain using "Keychain Access" app on a mac device. Upload the certificate to Miradore through the Management > Files and certificates page. On the page, go to the Certificates tab and click Add to upload the certificate.

   After completing the earlier steps, you can select the uploaded certificate to the Institutional recovery key field on the configuration profile wizard.

   Prompt user at

   This field defines when the device user will be prompted to activate FileVault encryption after the device has received the configuration profile from Miradore.

   When prompted at the login, the user can be given an opportunity to bypass the activation 1-5 times.

   Login bypass limit

   Specifies how many times the device user can bypass the activation of the FileVault disk encryption at login.

3. Enter a name and description for the profile. These will help you recognize the configuration profile in Miradore. Click Create to complete the configuration profile creation.
4. Go to the Management > Devices page. Use the checkboxes to select all devices where you want to activate the FileVault encryption and click Deploy > Configuration profile from the page toolbar. On the deployment wizard, choose the configuration profile you just created and follow the instructions to deploy. Please note that you can also create a business policy that deploys the configuration profile to tagged devices automatically.
5. You can monitor the configuration deployment from the Management > Action log on Miradore. You can also see which certificate was used to encrypt the device from the Device page.

Reporting: which devices have FileVault enabled?

Go to Home > Dashboard on Miradore, and click Select dashboard > iOS/macOS from the page toolbar.

You will see two widgets: FileVault status and FileVault recovery key status which summarize the status of FileVault encryption on the macOS devices that you're managing with Miradore.

How to check FileVault status on a macOS device?

The device user can check FileVault status from the system preferences. The device user can disable FileVault using their login password if necessary.

Important information

Removing the FileVault configuration profile from a device through Miradore does not turn off the disk encryption.