In today’s mobile work and education environments, a crucial feature of Apple devices is the built-in macOS encryption technology that protects organizational data and user privacy. Macs with Apple silicon, beginning with the Apple M1 chip, add further hardware-backed cryptographic functions.
While these layers of security help safeguard devices in the hands of end users wherever they work or study, they also mean that Mac admins need cryptographic privileges of their own to access data and manage user accounts.
macOS FileVault, Apple’s native full disk encryption for the Mac, secures data with keys protected by user passwords; whether you retain remote management access to that data depends on how FileVault is enabled and managed. Because there are several ways to enable and manage FileVault, it can be a challenge for Mac admins to even know where to start.
To help you figure out the best practices for your organization, our webinar, How to Manage FileVault with Jamf, offers expert guidance on getting the most out of remote FileVault management.
The webinar gives an overview of native Apple technologies, guidelines for choosing your enablement workflow and recommendations for management of recovery keys and password reset.
Read on for some of the key points for how you can maintain the highest security standards while still providing an optimal user experience with FileVault and Jamf.
Why learn about FileVault management?
If you’re in charge of managing an organization’s Apple devices – whether with Jamf Pro, Jamf School or Jamf Now – you need to know and understand the native Apple encryption technologies and how they fit into your desired outcomes, so that you can choose the appropriate enablement workflow and method of deployment. Different workflows and deployment methods for Macs produce different outcomes, in particular for which account ends up holding the cryptographic tokens.
For a comprehensive overview, IT admins should review the Apple Platform Deployment Guide. For information related specifically to FileVault, check out the sections under the "Ensure device security" heading.
macOS encryption building blocks
Technologies critical to understanding macOS encryption and FileVault management include:
- SecureToken – A cryptographic key assigned during account creation and wrapped by the user’s password. A user must hold a SecureToken to be FileVault-capable, that is, able to unlock the encrypted volume at startup.
- Bootstrap Token – An additional token that is escrowed to the MDM server when a SecureToken-holding user is created or signs in; MDM can then use it to grant SecureToken to other accounts. Introduced in macOS 10.15.
- Volume Ownership – Specific to Macs with Apple silicon. A volume owner can use the owner identity key stored in the Secure Enclave, which is required for operations such as installing software updates and approving legacy kernel extensions.
Choosing your deployment workflow
The Apple Platform Deployment Guide includes specific scenarios for reference so that you can choose what works for your organization.
User sets up a Mac on their own
- True zero-touch deployment, in which the end user creates the first account and so receives the first SecureToken, is the most straightforward path for FileVault enablement.
Mac is provisioned by an organization
- If an IT admin sets up a new computer, the account the admin creates, not the day-to-day user, is the first to receive a SecureToken. In this case, consider how your deployment affects the token status of the eventual user.
- There are also a couple of scenarios in which a Jamf policy that runs before the user account is created (for example, one that creates a local management account) can cause an unintended account to receive the first token.
The best practice is to assess your goals and desired outcomes for the deployment workflow, so that you can decide whether to change or modify your enablement method with a clear understanding of who gets the token when you manage FileVault.
It is easier to establish these practices at the front end of a deployment than to go back and try to fix them later.
Choosing a FileVault enablement method
There are three main enablement methods you can choose for managing FileVault. You may use more than one, but any given computer should be targeted with just one method.
- Configuration Profile – Straightforward; applies uniformly to every targeted computer.
- Jamf Pro Policy – Allows a customized user experience and messaging.
- Jamf Connect Login – Use this only for newly deployed machines.
The choice of enablement method is partly personal preference. Whether you use a configuration profile or set up a policy, the most important thing is to make sure that the method you choose also leaves you, the admin, with the cryptographic privileges (a SecureToken-holding account or an escrowed Bootstrap Token) needed to manage the Mac.
Reporting in FileVault
Knowing whether FileVault was enabled successfully, or which computers still need to be targeted for enablement, is critical for compliance and reporting as well as for remediation.
Looking at individual computer records can show a wealth of inventory data, including:
- Encryption state
- Recovery Key validity
- Viewing the Recovery Key (for admins with sufficient privileges)
- Disk encryption configuration (if enabled by policy)
Beyond the built-in inventory fields, IT admins can add custom extension attributes and take deeper dives into deployment workflows using the fdesetup binary on macOS.
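As an added example, not code from the webinar or from Jamf, here is an extension attribute script that reports the building blocks listed earlier alongside the built-in inventory fields: FileVault state and personal recovery key presence from fdesetup, the console user’s SecureToken status from sysadminctl, Bootstrap Token escrow from profiles, and the volume owner count from diskutil. The parsers read command output from stdin so they can be exercised with constructed sample text on any machine; the `<result>` format is the Jamf Pro extension attribute convention, and the exact output strings matched are assumptions about current tool output that you should confirm against the tools on your own fleet.

```shell
#!/bin/bash
# Jamf Pro extension attribute: FileVault, recovery key, SecureToken,
# Bootstrap Token and volume ownership state in one inventory field.
# Added example, not Jamf's own code. The matched strings are assumptions
# about the output of fdesetup, sysadminctl, profiles and diskutil.

# parse_fv_state: stdin is `fdesetup status` output. Prints On, Off, Deferred or
# Unknown. Deferred is checked first because fdesetup prints "FileVault is Off."
# on the line above the deferred-enablement notice.
parse_fv_state() {
  local out
  out=$(cat)
  case "$out" in
    *"Deferred enablement appears to be active"*) echo "Deferred" ;;
    *"FileVault is On"*)  echo "On" ;;
    *"FileVault is Off"*) echo "Off" ;;
    *)                    echo "Unknown" ;;
  esac
}

# parse_secure_token: stdin is `sysadminctl -secureTokenStatus <user>` output
# (sysadminctl writes it to stderr, so the caller redirects 2>&1).
parse_secure_token() {
  local out
  out=$(cat)
  case "$out" in
    *"Secure token is ENABLED"*)  echo "ENABLED" ;;
    *"Secure token is DISABLED"*) echo "DISABLED" ;;
    *)                            echo "UNKNOWN" ;;
  esac
}

# parse_bootstrap_token: stdin is `profiles status -type bootstraptoken` output.
# Prints YES when the Bootstrap Token has been escrowed to the MDM server.
parse_bootstrap_token() {
  local out
  out=$(cat)
  case "$out" in
    *"escrowed to server: YES"*) echo "YES" ;;
    *"escrowed to server: NO"*)  echo "NO" ;;
    *)                           echo "UNKNOWN" ;;
  esac
}

# parse_volume_owners: stdin is `diskutil apfs listUsers /` output (Apple silicon).
# Prints how many cryptographic users are flagged as volume owners.
parse_volume_owners() {
  grep -c "Volume Owner: Yes" || true
}

# build_result: assembles the <result> line that Jamf Pro stores for the attribute.
build_result() {
  local fv="$1" prk="$2" user="$3" st="$4" bt="$5" owners="$6"
  printf '<result>FileVault=%s PRK=%s SecureToken(%s)=%s BootstrapToken=%s VolumeOwners=%s</result>\n' \
    "$fv" "$prk" "$user" "$st" "$bt" "$owners"
}

# collect: runs the real commands for the console user. Requires macOS and root
# (Jamf Pro runs extension attribute scripts as root).
collect() {
  local user fv prk st bt owners
  user=$(stat -f %Su /dev/console)
  fv=$(fdesetup status | parse_fv_state)
  prk=$(fdesetup haspersonalrecoverykey)        # prints true or false
  st=$(sysadminctl -secureTokenStatus "$user" 2>&1 | parse_secure_token)
  bt=$(profiles status -type bootstraptoken 2>&1 | parse_bootstrap_token)
  owners=$(diskutil apfs listUsers / 2>/dev/null | parse_volume_owners)
  build_result "$fv" "$prk" "$user" "$st" "$bt" "$owners"
}

# Only run the collectors where the tools exist and we have the rights to use them.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
  collect
fi
```

Paste the script into a new computer extension attribute in Jamf Pro with input type "Script"; the single `<result>` string is then searchable in smart groups, so a group such as "FileVault=Off" or "BootstrapToken=NO" can drive a remediation policy.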
Recovery Key management and more
For ongoing management of device security, it’s important to consider how to handle recovery key management.
For example, a user who is locked out of their computer may need their password reset.
A Personal Recovery Key (PRK) can unlock the disk in that situation, but because the key has then been disclosed to a person, best practice is to rotate it after use. You can set up Jamf policies to rotate FileVault recovery keys and issue new ones.
As with most FileVault actions, the initial decision you make in setup is the most important. Decide what you want to happen, enable the workflow, and the automation in your MDM can get the job done for you.
To learn more in-depth details about how to set up and manage FileVault in your organization, sign in to watch the webinar.