Enabling or disabling encryption on a macOS device
You can encrypt macOS devices using FileVault 2. FileVault 2 performs full XTS-AES 128 encryption of the contents of a volume. Core enables you to create FileVault 2 policies that control the encryption of managed macOS devices. You can apply a single FileVault 2 policy to a device.
The FileVault 2 policy also includes recovery keys. Users can use a recovery key to unlock the disk if they forget their password.
There are two types of recovery keys:
- Personal recovery key: FileVault 2 automatically generates a personal recovery key at the time of encryption. A personal key is unique to the machine being encrypted. If an encrypted macOS device is decrypted and then re-encrypted, the existing personal recovery key becomes invalid; FileVault 2 generates a new personal recovery key during re-encryption.
- Institutional recovery key: An institutional recovery key is used for the same purpose as a personal recovery key, but is the same for all macOS devices within an organization. You can use FileVault 2 to generate and install an institutional recovery key to your system before enabling encryption. This common key is used to unlock any managed, encrypted macOS device.
NOTE: FileVault 2 policies are supported on devices running macOS 10.10 through the most recently released version as supported by MobileIron.
Procedure
- Select Policies & Configs > Policies.
- Select Add New > iOS and macOS > macOS > FileVault 2.
- Use the guidelines in the item descriptions below to complete this form.
- Click Save.
- Apply the policy to a macOS label.
Item: Description

Name: Enter a name for the policy.

Status: Select the relevant radio button to indicate whether the policy is Active or Inactive. Only one active policy can be applied to a device.

Priority: Specifies the priority of this policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is available. Select Higher than or Lower than, then select an existing policy from the drop-down list. For example, to give Policy A a higher priority than Policy B, you would select “Higher than” and “Policy B”.

Description: Enter an explanation of the purpose of this policy.

Enable FileVault 2: Select to enable encryption.

FileVault User Settings

Defer FileVault until the designated user logs out:

Always prompt user to enable FileVault: Select to prompt the user to enable FileVault on the macOS device. The user sees the prompt when logging in to the macOS device. When this option is selected, users cannot bypass enabling encryption.

Maximum number of times a user can bypass enabling FileVault: Select to limit the number of times the user can ignore the prompt to enable FileVault. Click up or down to select the maximum number of times. The user sees the prompt when logging in to the macOS device. When this option is selected, users can skip enabling encryption as many times as specified here.

Do not request enabling FileVault at user logout time: Select so that users are not prompted to enable FileVault when they log out of the device.

Output Path: Enter the path at which the recovery key .plist file will be stored. For example: /Library/Keychains/recovery.plist

Personal Recovery Key

Create a personal recovery key: Select to create a personal recovery key. The personal recovery key is generated when FileVault encryption is enabled. It can be used later to unlock the startup disk of that specific macOS device if the device user name and password are not available to unlock the device.

Institutional Recovery Key

Enable institutional recovery key: Select to enable an institutional recovery key. The institutional recovery key can be used to unlock the startup disk of any macOS device that uses the same FileVault 2 master keychain. The keychain must be available at the following location before FileVault 2 is enabled on the macOS device: /Library/Keychains/FileVaultMaster.keychain

Certificate: Enter your certificate information. If you selected Enable institutional recovery key without entering a certificate, the master keychain (/Library/Keychains/FileVaultMaster.keychain) is used when the institutional recovery key is added.
Next steps
You can verify that encryption is enabled on a given device by checking the device details for that device. Select Devices & Users > Devices, and click the caret (^) next to the relevant macOS device. In the Device Details tab, look for the following fields:
- Full Disk Encryption Enabled
- Full Disk Encryption Has Institutional Recovery Key
- Full Disk Encryption Has Personal Recovery Key
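The same three facts can be checked on the Mac itself, which is useful when a device's Core inventory looks stale. The following script is an added example, not part of the MobileIron documentation; it uses the macOS fdesetup subcommands status, haspersonalrecoverykey and hasinstitutionalrecoverykey (which must run as root) and falls back to a constructed sample when fdesetup is not present, so it can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not MobileIron code): mirror the Device Details fields
# "Full Disk Encryption Enabled / Has Personal Recovery Key /
# Has Institutional Recovery Key" from the device side.

# Map the first line of "fdesetup status" ("FileVault is On." / "FileVault is Off.")
# to yes/no; anything else is reported as unknown rather than guessed.
fv_enabled_from_status() {
  case "$1" in
    "FileVault is On."*)  echo yes ;;
    "FileVault is Off."*) echo no ;;
    *)                    echo unknown ;;
  esac
}

# The deferral options in the policy leave a device reporting "Off" until the
# user enables FileVault; fdesetup flags that state on a later status line.
fv_deferral_pending() {
  case "$1" in
    *"Deferred enablement appears to be active"*) echo yes ;;
    *)                                            echo no ;;
  esac
}

# $1 = fdesetup status output, $2 = haspersonalrecoverykey (true/false),
# $3 = hasinstitutionalrecoverykey (true/false).
# Exit status is 0 only when encryption is on AND at least one recovery key exists,
# i.e. the state an admin wants to see before treating the device as recoverable.
fv_report() {
  enabled=$(fv_enabled_from_status "$1")
  printf 'Full Disk Encryption Enabled: %s\n' "$enabled"
  printf 'Deferred enablement pending: %s\n' "$(fv_deferral_pending "$1")"
  printf 'Full Disk Encryption Has Personal Recovery Key: %s\n' "$2"
  printf 'Full Disk Encryption Has Institutional Recovery Key: %s\n' "$3"
  [ "$enabled" = yes ] && { [ "$2" = true ] || [ "$3" = true ]; }
}

if command -v fdesetup >/dev/null 2>&1; then
  # Live check on macOS (run with sudo).
  fv_report "$(fdesetup status)" "$(fdesetup haspersonalrecoverykey)" \
            "$(fdesetup hasinstitutionalrecoverykey)"
else
  # Constructed sample output so the script runs on a non-macOS host.
  fv_report "FileVault is On." "true" "false"
fi
```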