Enabling Mac OS X FileVault encryption

Mac OS X uses FileVault to encrypt drives. The Ivanti® Endpoint Manager security scanner can detect whether devices running OS X have FileVault enabled. If you enable the FileVault activation vulnerability and remediate it, FileVault is turned on if it isn't already.

When you enable FileVault through Endpoint Manager, it creates a special encrypted core database inventory record that is kept even if you later delete the device in the Network view. This record includes the FileVault recovery key, which Endpoint Manager administrators can use to disable FileVault and restore access to the device.

You can view additional information on FileVault support in the Ivanti Community article: How To: Manage FileVault Disk Encryption.

To enable FileVault on Mac OS X devices
  1. If you haven't already, use the Patch and compliance tool to download Apple Mac Vulnerabilities.
  2. In the Patch and compliance tool, click All types > Scan. In the Find box, type FileVault and press Enter. You'll see two FileVault vulnerabilities: one that only detects the FileVault state (APPLE-FileVault_DetectOnly) and another that activates it (FileVaultActivation-xx). Drag the activation vulnerability to an Autofix group or your preferred group.
  3. When the vulnerability scanner runs and detects that FileVault needs to be enabled, a dialog box on the managed device pops up and lets users know that FileVault has been enabled and they need to reboot. Clicking OK closes the dialog, but the reboot isn't forced.
  4. When users reboot, the standard OS X FileVault activation process begins. Users are prompted to log in. A dialog box then appears and tells users that "Your administrator requires that you enable FileVault". Users can only click Cancel or Enable Now. Clicking Cancel returns them to the login prompt, so they cannot skip the step. Once they click Enable Now, the encryption process begins. This takes a while.

Viewing Client data storage

The Client data storage tool (Tools > Configuration > Client data storage) lets you view encrypted client data. Currently, this tool only shows data for Mac OS X devices that have FileVault enabled via Endpoint Manager. Use this tool if you need to retrieve a device's FileVault recovery key.

To retrieve a FileVault recovery key
  1. Click Tools > Configuration > Client data storage.
  2. In the Devices tree, double-click the device you want.
  3. In the Client data dialog box, select the FileVault2RecoveryKey item, and click the export toolbar button.
  4. Select a location for the resulting XML file.
  5. Open the XML file in an editor and find the RecoveryKey element. The associated <string> value contains the actual key. Treat the exported file as a secret: the key unlocks the device's drive, so store the file securely and delete it once you no longer need it.
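The following script is an added example, not Ivanti's code, for pulling the key out of the exported file without hunting through it by hand. Endpoint Manager's export schema is not documented on this page, so the parser assumes one of two layouts: an Apple plist-style pair (a <key>RecoveryKey</key> followed by its <string> value) or an element named RecoveryKey that wraps a <string> child. It also checks that what it found has the shape of a FileVault personal recovery key (24 characters in six hyphenated groups of four). The embedded sample XML is constructed for the demonstration and contains no real key.

```python
"""Extract and sanity-check a FileVault recovery key from an exported
Client data storage XML file (added example; assumes the layouts noted below)."""
import re
import sys
import xml.etree.ElementTree as ET

# FileVault personal recovery keys are 24 characters in six hyphenated groups of four.
RECOVERY_KEY_RE = re.compile(r"^(?:[A-Z0-9]{4}-){5}[A-Z0-9]{4}$")


def find_recovery_key(xml_text):
    """Return the RecoveryKey string from the export, or None if there is none."""
    root = ET.fromstring(xml_text)

    # Layout 1 (assumed): plist-style <key>RecoveryKey</key><string>...</string>,
    # where the <string> is the sibling immediately after the <key>.
    for parent in root.iter():
        children = list(parent)
        for i, child in enumerate(children):
            if child.tag == "key" and (child.text or "").strip() == "RecoveryKey":
                if i + 1 < len(children) and children[i + 1].tag == "string":
                    return (children[i + 1].text or "").strip()

    # Layout 2 (assumed): <RecoveryKey><string>...</string></RecoveryKey>,
    # or <RecoveryKey>...</RecoveryKey> holding the key directly.
    elem = root.find(".//RecoveryKey")
    if elem is not None:
        string_child = elem.find("string")
        text = string_child.text if string_child is not None else elem.text
        return (text or "").strip() or None

    return None


def is_valid_recovery_key(key):
    """True if key has the standard FileVault personal recovery key shape."""
    return key is not None and RECOVERY_KEY_RE.match(key) is not None


# Constructed sample export (not real data), using the plist-style layout assumed above.
SAMPLE_XML = """<plist version="1.0">
<dict>
  <key>FileVault2RecoveryKey</key>
  <dict>
    <key>RecoveryKey</key>
    <string>ABCD-EFGH-JKLM-NPQR-STUV-WXYZ</string>
    <key>EnabledBy</key>
    <string>Endpoint Manager</string>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Usage: python extract_fv_key.py exported.xml   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            text = f.read()
    else:
        text = SAMPLE_XML
    key = find_recovery_key(text)
    if not is_valid_recovery_key(key):
        print("No well-formed RecoveryKey found in export")
        sys.exit(1)
    print("Recovery key:", key)
```

The format check matters because an export that lacks the key (for example, a device enabled outside Endpoint Manager) still parses as valid XML; the script exits non-zero in that case rather than printing an empty or malformed value that an operator might type into the pre-boot prompt.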