Enabling Mac OS X FileVault encryption

Mac OS X uses FileVault to encrypt drives. The Ivanti® Endpoint Manager security scanner can detect whether devices running OS X have FileVault enabled. If you enable the FileVault vulnerability and remediate it, FileVault will be turned on if it isn't already.

When you enable FileVault through Endpoint Manager, it creates a special encrypted core database inventory record that is saved even if you later delete the device in the Network view. This record includes the FileVault recovery key that Endpoint Manager administrators can use to disable FileVault and restore access to the device.

You can view additional information on FileVault support in the Ivanti Community article: How To: Manage FileVault Disk Encryption.

NOTE: If you need to retrieve a device's FileVault recovery key, see Viewing Client data storage.

To enable FileVault on Mac OS X devices

1. In the Management console, navigate to Tools > Configuration > Agent Settings.

2. Select All Agent Settings > Mac Profiles.

3. Right-click MacOS Device Configuration, and click New.

4. Create a new configuration profile or edit an existing one. For information about configuration profiles, see Configuration Profile Editor.

5. In the configuration list on the left, select Security and Privacy.

6. Click Configure.

7. Select the FileVault tab.

8. Enable the Require FileVault checkbox.

9. Select a recovery key option:

   Personal recovery key (recommended). Generate a unique key during the encryption process. When using this option, we recommend also enabling the Upload personal recovery key to EPM server option, so that the key can be recovered by Endpoint Manager. For information about recovering this key, see Viewing Client data storage.

   Institutional recovery key. Use the command line to generate a key for devices in your organization. Keys generated this way are not managed by Endpoint Manager and cannot be recovered by Ivanti Support. For information about generating an institutional recovery key, see Apple's documentation: Set a FileVault recovery key for computers in your organization.

   Institutional and personal recovery key. Use both of the options described above.

10. Click OK to save the configuration.

11. Deploy the configuration to devices. For more information, see Distributing MDM agent settings.
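The security scanner reports whether FileVault is enabled; the following POSIX shell script is an added example, not part of this documentation or of Endpoint Manager, showing how an administrator can confirm the result of the deployed profile on an individual Mac by reading the output of Apple's fdesetup status command. The sample status strings embedded below are constructed to match the "FileVault is On." / "FileVault is Off." lines that command prints; the function names and the treatment of an unfinished encryption as a separate state are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the Ivanti documentation or product): verify the
# FileVault state of a Mac from the text printed by Apple's `fdesetup status`.
# The sample outputs further down are constructed for a self-check.

# filevault_state TEXT
# Prints "on", "off" or "unknown" for the given `fdesetup status` output.
filevault_state() {
    case "$1" in
        *"FileVault is On."*)  echo "on" ;;
        *"FileVault is Off."*) echo "off" ;;
        *)                     echo "unknown" ;;
    esac
}

# filevault_in_progress TEXT
# Prints "yes" when the output still reports an encryption or decryption
# conversion running, "no" otherwise.
filevault_in_progress() {
    case "$1" in
        *"in progress"*) echo "yes" ;;
        *)               echo "no" ;;
    esac
}

# filevault_compliant TEXT
# Prints "compliant" only when FileVault is on and no conversion is still
# running. A volume whose encryption has not finished is reported as
# "encrypting" so it is not mistaken for a fully protected disk.
filevault_compliant() {
    state=$(filevault_state "$1")
    progress=$(filevault_in_progress "$1")
    if [ "$state" = "on" ] && [ "$progress" = "no" ]; then
        echo "compliant"
    elif [ "$state" = "on" ]; then
        echo "encrypting"
    else
        echo "noncompliant"
    fi
}

# audit_local_disk
# Runs the real command where it exists (macOS); prints "unavailable" on any
# host without fdesetup so the script can be dry-run elsewhere.
audit_local_disk() {
    if command -v fdesetup >/dev/null 2>&1; then
        filevault_compliant "$(fdesetup status 2>/dev/null)"
    else
        echo "unavailable"
    fi
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
SAMPLE_BUSY="FileVault is On.
Encryption in progress: Percent completed = 42."

# Self-check against the constructed samples, then the local disk.
printf 'sample on:   %s\n' "$(filevault_compliant "$SAMPLE_ON")"
printf 'sample off:  %s\n' "$(filevault_compliant "$SAMPLE_OFF")"
printf 'sample busy: %s\n' "$(filevault_compliant "$SAMPLE_BUSY")"
printf 'local disk:  %s\n' "$(audit_local_disk)"
```

Run the script on a managed Mac after the profile has been deployed; a result of "encrypting" means the Require FileVault setting took effect but the disk is not yet fully encrypted, which is worth distinguishing from "compliant" when deciding whether a device can hold sensitive data.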