
FileVault disk encryption for macOS

Updated on September 3rd, 2024

FileVault encryption gives data an extra level of protection against attacks. Learn how FileVault works and how to enable it on a Mac device.

What is FileVault disk encryption and how does it work?

Mac devices use FileVault, the built-in full-disk encryption feature of macOS, to encrypt the entire drive, protect the data on it, safeguard privacy, and prevent unauthorized access.

Initially introduced in 2003 with Mac OS X Panther, FileVault has undergone significant advancements since. It originally encrypted only user data but has since evolved to encrypt the entire system disk, using XTS-AES-128 encryption with a 256-bit key.

FileVault operates transparently in the background, encrypting data in real time, so that even if a Mac is lost or stolen, sensitive information on its disk remains inaccessible to unauthorized users. The feature aligns with industry-standard encryption practices and reflects Apple's emphasis on user privacy and data integrity on macOS devices.

With Miradore, it is possible to enforce the activation of FileVault disk encryption for one or several managed macOS devices remotely using a configuration profile.

Requirements

  • Premium subscription for Miradore
  • Administrator access to Miradore
  • macOS 10.9 or above to enable the FileVault configuration profile in Miradore for managed devices
  • macOS 10.13 or above to enable escrowing personal recovery key for managed devices
  • A FileVault master keychain created on a macOS computer, if you want to use an institutional recovery key

Important information

Removing the FileVault configuration profile from a device through Miradore does not turn off disk encryption.

Enforcing FileVault activation on macOS devices

To activate FileVault for managed macOS devices, create a configuration profile for FileVault under Management > Configuration profiles. Select macOS as the platform, then FileVault on the next page. Configure the encryption settings as you desire.

Configuration fields

Recovery key type

The recovery key can be used to unlock (decrypt) the encrypted drive if the user forgets or loses their password. Choose whether to use a personal recovery key, an institutional recovery key, or both. Using both means that the encrypted disk can be unlocked with either the personal or the institutional recovery key.

Personal recovery key:

This key is device-specific and is generated automatically on the target device when encryption is enabled. The personal recovery key can be escrowed to Miradore. Otherwise, the device's user is responsible for storing the recovery key.

Institutional recovery key:

Organizations can use an institutional key to unlock the disk of any macOS computer that has been encrypted with a certificate generated from the same keychain. In this case, the administrator is responsible for keeping the recovery key stored in a safe location. Using an institutional recovery key requires you to create a FileVault master keychain on a Mac. For more information, refer to Apple's documentation.

After creating the FileVault master keychain, ensure you have a copy of it in a safe location because the private key from the keychain will be needed to unlock disks encrypted with a certificate generated from the keychain.

Export the FileVault Recovery Key certificate from the master keychain using the "Keychain Access" app on a Mac device. Upload the certificate to Miradore through Management > Files and Certificates. On the Certificates tab, click Add to upload the certificate.

Select the uploaded certificate for the Institutional recovery key field on the configuration profile wizard.

Show personal recovery key

This setting defines whether the personal recovery key is shown to the device user after FileVault has been activated. Note: If escrowing is not enabled, it is the device user's responsibility to store the personal recovery key in a safe location.

The following screenshot shows how the personal recovery key appears to the device user.

FileVault recovery key example.

Escrow personal recovery key

Key escrowing backs up the personal recovery key securely to Miradore. If this option is selected, the recovery key is stored in Miradore in encrypted form and can be retrieved from the device's Security section.

Note: The personal recovery key is escrowed only during encryption.

If the device has been encrypted prior to deploying the Miradore FileVault configuration profile with escrowing enabled, follow the instructions in Escrowing personal recovery key for the encrypted device.

Location

The value of this informational field is displayed in the FileVault profile's Escrow location field on the macOS device. It describes the location where the personal recovery key is escrowed.

Prompt user at

This field defines when the device user is prompted to activate FileVault encryption after the device has received the configuration profile from Miradore. When prompted at login, the user can be given the opportunity to bypass the activation 1–5 times.

Login bypass limit

Specifies how many times the device user can bypass the activation of FileVault disk encryption at login.

After finalizing the creation of the configuration by entering a name and description for the profile, you can deploy it from the Devices page (Management > Devices). You can also create a business policy that deploys the configuration profile to tagged devices automatically.

Reporting

You can monitor the configuration deployment from Management > Action log in Miradore. You can also see which certificate was used to encrypt the device from the Device page.

To see which devices have FileVault enabled, go to Home > Dashboard in Miradore, and click Select dashboard > iOS/macOS from the page toolbar.

You will see two widgets: FileVault status and FileVault recovery key status, which summarize the status of FileVault encryption on the managed macOS devices.

FileVault status and FileVault recovery key status donut diagrams.

How to check the FileVault status on a macOS device?

The device user can check the FileVault status in System Preferences under Security & Privacy. From the same place, the device user can disable FileVault using their login password if necessary.

FileVault disk encryption under Security & Privacy
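The terminal-side counterpart of this check, as an added example that is not part of the Miradore article: it uses Apple's fdesetup and profiles commands (run as an administrator on the Mac; the profiles output needs root), and the parsing functions take the command text as input so they can be exercised with constructed sample output.

```shell
#!/bin/sh
# Added example (not Miradore tooling): audit a managed Mac's FileVault state
# from a terminal, mirroring the "FileVault status" and "FileVault recovery
# key status" widgets. Live checks need Apple's fdesetup/profiles on macOS.

# fv_state: read `fdesetup status` text on stdin, print one state word.
fv_state() {
    out=$(cat)
    case "$out" in
        *"Encryption in progress"*) echo ENCRYPTING ;;   # still encrypting
        *"Deferred enablement"*)    echo DEFERRED ;;     # prompt not yet accepted
        *"FileVault is On"*)        echo ON ;;
        *)                          echo OFF ;;
    esac
}

# recovery_key_types: $1/$2 are the true/false answers printed by
# `fdesetup haspersonalrecoverykey` and `fdesetup hasinstitutionalrecoverykey`.
recovery_key_types() {
    case "$1:$2" in
        true:true) echo both ;;
        true:*)    echo personal ;;
        *:true)    echo institutional ;;
        *)         echo none ;;
    esac
}

# escrow_payload_present: $1 is `profiles show -type configuration` text;
# succeeds when a FileVault recovery key escrow payload is installed.
escrow_payload_present() {
    printf '%s\n' "$1" | grep -q 'com.apple.security.FDERecoveryKeyEscrow'
}

# fv_compliant: encrypted, with at least one recovery key. A missing profile
# proves nothing here: removing the profile does not turn FileVault off, so
# the disk state itself is what the check reads.
fv_compliant() {
    [ "$1" = ON ] && [ "$2" != none ]
}

if command -v fdesetup >/dev/null 2>&1; then           # only on macOS
    state=$(fdesetup status | fv_state)
    keys=$(recovery_key_types "$(fdesetup haspersonalrecoverykey)" \
                              "$(fdesetup hasinstitutionalrecoverykey)")
    escrow=no
    escrow_payload_present "$(profiles show -type configuration 2>/dev/null)" && escrow=yes
    echo "FileVault: $state  recovery key: $keys  escrow payload: $escrow"
    fv_compliant "$state" "$keys" || echo "WARNING: device is not FileVault-compliant"
fi
```

A DEFERRED result means the profile has arrived but the user has not yet accepted the activation prompt, which is the state to watch while the login bypass limit is being consumed.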
