In today’s mobile work and education environments, a crucial feature of Apple devices is the built-in encryption technologies that protect organizational data and user privacy.
FileVault, Apple’s native solution for full disk encryption on Mac, protects stored files to keep bad actors from accessing data. When enabled, FileVault encrypts the contents of a Mac account, using the user’s credentials to lock the account when the user logs off and to unlock it when the user successfully authenticates.
Because there are multiple ways to enable and manage FileVault, it’s important to understand where to start, and to keep up-to-date on new features. In this blog we’ll focus on how to enable FileVault encryption on Macs with Jamf Pro.
Why learn about FileVault management?
If you’re in charge of managing an organization’s Apple devices – whether with Jamf Pro, Jamf School or Jamf Now – you need to know and understand the native Apple encryption technologies and how they fit into your desired outcomes so that you can choose the appropriate enablement workflow and method of deployment.
For a comprehensive overview, IT admins should review the Apple Platform Deployment Guide. For information related specifically to FileVault, check out the sections under the "Ensure device security" heading.
FileVault is a vital aspect of any macOS security checklist, as recommended in the Center for Internet Security (CIS) benchmarks. To learn more about that checklist, we have a great white paper on the topic.
Enabling FileVault with Jamf Pro makes the Macs in your environment require a user’s credentials to complete the boot process. You can use Jamf to enable FileVault on managed computers using either a configuration profile or a disk encryption configuration and policy.
macOS encryption building blocks
Technologies critical to understanding macOS encryption and FileVault management include:
- SecureToken – A cryptographic key assigned during account creation, wrapped by a user’s password. Required for a user to be FileVault-capable.
- Bootstrap Token – When a SecureToken user is created or signs in, an additional token that gets escrowed to MDM. Introduced in macOS 10.15.
- Volume Ownership – Specific to computers with Apple silicon. Allows users to access the owner identity key that’s stored in the Secure Enclave. Required for functions like software updates and managing legacy external extensions.
The Apple Platform Deployment Guide includes specific scenarios for reference so that you can choose what deployment workflow is right for your organization.
User sets up a Mac on their own
- True zero-touch deployment is the most straightforward path for FileVault enablement.
Mac is provisioned by an organization
- If your IT admin sets up a new computer, they are going to be the first one to get the token instead of the day-to-day user. In this case, you need to consider how your deployment affects the token status.
- There are also a couple of scenarios in which a Jamf policy that runs before a user is created could cause an unintended user to get the first token.
The best practice is to assess what your goals and outcomes are for your deployment workflow, so that you can determine whether you need to change your enablement method, with a clear understanding of who gets the token when you’re managing FileVault.
It is easier to establish these practices on the front end of a deployment rather than going back and trying to fix it later.
Choosing a FileVault enablement method
There are three main enablement methods you can choose for managing FileVault. You may use more than one, but any given computer should be targeted with just one method.
- Configuration Profile – Straightforward, applies universally to targets. With this method, the settings install immediately.
- Jamf Pro Policy – Allows customized user experience and messaging. With this method, the settings install when the policy is configured to run.
- Jamf Connect Login – Use this just for new machines that are deployed.
The choice of enablement method can be a matter of personal preference. Whether you use a configuration profile or set up a policy, the most important point is making sure that the method you’ve chosen also gives admins access to the cryptographic privileges they need.
When running macOS 14.0 or later, admins can automatically enable FileVault during user account creation in the Setup Assistant. This setting requires that the configuration profile is installed as part of a PreStage enrollment. This helps further increase the security posture of the device, since FileVault is “turned on” before an end user adds any data to the computer. In essence, InfoSec and compliance teams can ensure disk encryption is enabled before the end user touches the computer.
Managing and reporting in FileVault
Knowing whether you were successful in enabling FileVault, or knowing who to target to make a device enabled, is critical both for compliance and reporting, as well as remediation purposes.
Looking at individual computer records can show a wealth of inventory data, including:
- Encryption state
- Recovery Key validity
- Viewing of Recovery Key (with certain levels of access)
- Disk encryption configuration (if enabled by policy)
Beyond built-in inventory fields, IT admins are also able to add custom attributes and take deeper dives into deployment workflows using the fdesetup binary on macOS.
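As an added example, not Jamf’s or Apple’s own code, the following extension attribute script shows how an admin might collect FileVault inventory data beyond the built-in fields by parsing the output of `fdesetup status`, `fdesetup list` and `sysadminctl -secureTokenStatus`. It assumes it runs as root on a managed Mac, that the `<result>…</result>` wrapper is the extension attribute convention, and that the account to check for a SecureToken is the hypothetical user “jdoe”; when the macOS tools are not present it falls back to constructed sample output so the parsing functions can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not Jamf's or Apple's code): a Jamf Pro extension attribute
# that reports FileVault state, the number of FileVault-enabled users, and the
# SecureToken status of one account.
# Assumptions: runs as root on a managed Mac; "jdoe" is a hypothetical user.

# Reduce `fdesetup status` output to a short state label. Progress lines are
# checked first because they appear after the "FileVault is On." line.
classify_fv_status() {
    case "$1" in
        *"Encryption in progress"*) echo "Encrypting" ;;
        *"Decryption in progress"*) echo "Decrypting" ;;
        "FileVault is On."*)        echo "On" ;;
        "FileVault is Off."*)       echo "Off" ;;
        *)                          echo "Unknown" ;;
    esac
}

# Count FileVault-enabled users in `fdesetup list` output (one "user,UUID" per line).
# grep -c prints 0 and exits non-zero when nothing matches, hence the `|| true`.
count_fv_users() {
    printf '%s\n' "$1" | grep -c ',' || true
}

# Reduce `sysadminctl -secureTokenStatus <user>` output (written to stderr)
# to ENABLED / DISABLED / UNKNOWN.
classify_token() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "ENABLED" ;;
        *"Secure token is DISABLED"*) echo "DISABLED" ;;
        *)                            echo "UNKNOWN" ;;
    esac
}

check_user="jdoe"   # hypothetical account name; replace with your own selection logic

if command -v fdesetup >/dev/null 2>&1; then
    status_out=$(fdesetup status 2>/dev/null)
    list_out=$(fdesetup list 2>/dev/null)
    token_out=$(sysadminctl -secureTokenStatus "$check_user" 2>&1)
else
    # Constructed sample output so the script can be exercised off a Mac.
    status_out="FileVault is On."
    list_out="admin,11111111-2222-3333-4444-555555555555
jdoe,66666666-7777-8888-9999-000000000000"
    token_out="sysadminctl[123:456] Secure token is ENABLED for user jdoe"
fi

state=$(classify_fv_status "$status_out")
users=$(count_fv_users "$list_out")
token=$(classify_token "$token_out")

# Jamf Pro stores whatever is inside <result> as the attribute value, which can
# then be used in smart groups to target remediation policies.
echo "<result>FileVault=$state; enabled_users=$users; token($check_user)=$token</result>"
```

Storing the parsed state as a single attribute keeps it usable in smart group criteria (for example, computers reporting `FileVault=Off` or `token(jdoe)=DISABLED`), which is what makes the inventory data actionable for remediation rather than just reporting.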
Recovery Key management
For ongoing management of device security, it’s important to consider how to handle recovery key management.
For example, a user who is locked out of their computer may need to reset their password.
A Personal Recovery Key (PRK) can help, but best practice is to rotate it after it has been used. You are able to set up policies for FileVault that rotate and issue new recovery keys.
For admins, having the ability to export (backup) the FileVault Personal Recovery Keys is an incredibly powerful functionality. Beginning with Jamf Pro 10.43, the FileVault 2 Personal Recovery Key Attribute allows admins to identify and export all of the personal recovery keys for managed computers in your environment. You can then create a backup of the keys to use in case of a system failure.
As with most FileVault actions, the initial decision you make in setup is the most important. Decide what you want to happen, enable the workflow, and the automation in your MDM can get the job done for you.