Filevault disk encryption for macOS
FileVault encryption gives data an extra level of protection against attacks. Learn how FileVault works and how to enable it on a Mac device.
Encryption helps to prevent unauthorized access to documents and other data on the device. With LogMeIn Resolve MDM, it is possible to enforce the activation of FileVault disk encryption for the managed macOS devices remotely using a configuration profile.
About FileVault disk encryption
Mac devices utilize FileVault, a robust encryption feature, which encrypts the entire Mac drive, to protect and secure data, safeguard privacy, and prevent unauthorized access.
Initially introduced in 2003 with Mac OS X Panther, FileVault has undergone significant advancements to enhance data protection. It originally encrypted only user data but has since evolved to encrypt the entire system disk, using the XTS-AES-128 encryption standard with a secure 256-bit key.
FileVault operates seamlessly in the background, encrypting data in real-time, ensuring that even if a Mac is lost or stolen, sensitive information remains inaccessible to unauthorized users. This feature not only aligns with industry-leading security standards but also underscores Apple's commitment to safeguarding user privacy and data integrity on macOS devices.
With LogMeIn Resolve MDM, it is possible to enforce the activation of FileVault disk encryption for one or several managed macOS devices remotely using a configuration profile.
Requirements
- Administrator access to LogMeIn Resolve MDM
- macOS 10.9 or above to enable the FileVault configuration profile in LogMeIn Resolve MDM for managed devices
- macOS 10.13 or above to enable escrowing personal recovery key for managed devices
- Creating a master keychain with a macOS computer to be able to use an institutional recovery key
Enforcing FileVault activation on macOS devices
| Configuration Field | Description |
|---|---|
| Recovery key type | The recovery key can be used to unlock/decrypt the encrypted drive if the user forgets or loses their password. Choose whether you want to use personal, institutional, or both types of recovery keys for unlocking encrypted files. Using both recovery keys means that an encrypted disk can be unlocked using either a personal or an institutional recovery key.
After creating the FileVault master keychain, ensure you have a copy of it in a safe location because the private key from the keychain will be needed to unlock disks encrypted with a certificate generated from the keychain. Export the FileVault Recovery Key certificate from the master keychain using the "Keychain Access" app on a Mac device. Upload the certificate to LogMeIn Resolve MDM through . On the Certificates tab, click Add to upload the certificate. Select the uploaded certificate for the Institutional recovery key field on the configuration profile wizard. |
| Show personal recovery key |
This setting defines whether the personal recovery key is shown to the device user after FileVault has been activated.
Note: If escrowing is not enabled, it is the device user's responsibility to store the personal recovery key in a safe location.
The following screenshot shows how the personal recovery key appears to the device user. |
| Escrow personal recovery key |
Key escrowing is a technique to back up the personal recovery key securely to
LogMeIn Resolve MDM. If this option is selected, the recovery key will be stored to
LogMeIn Resolve MDM in an encrypted format and can be retrieved from the device’s Security section.
Note: The personal recovery key is escrowed only during encryption.
If the device has been encrypted prior to deploying the LogMeIn Resolve MDM FileVault configuration profile with escrowing enabled, follow the instructions in Escrowing personal recovery key for the encrypted device. |
| Location | The value of this informational field will be displayed in the FileVault profile’s Escrow location field on the macOS device. This is the description of the location where the personal recovery key is escrowed. |
| Prompt user at | This field defines when the device user will be prompted to activate FileVault encryption after the device has received the configuration profile from LogMeIn Resolve MDM. When prompted at login, the user can be given an opportunity to bypass the activation 1–5 times. |
| Login bypass limit | Specifies how many times the device user can bypass the activation of FileVault disk encryption at login. After finalizing the creation of the configuration by entering a name and description for the profile, you can deploy it from the Devices page (). You can also create a business policy that deploys the configuration profile to tagged devices automatically. |
After finalizing the creation of the configuration by entering a name and description for the profile, you can deploy it from the Devices page (). You can also create a business policy that deploys the configuration profile to tagged devices automatically.
Reporting
You can monitor the configuration deployment from in LogMeIn Resolve MDM. You can also see which certificate was used to encrypt the device from the Device page.
To see which devices have FileVault enabled, go to in LogMeIn Resolve MDM, and click from the page toolbar.
You will see two widgets: FileVault status and FileVault recovery key status, which summarize the status of FileVault encryption on the managed macOS devices.
Checking the FileVault status on a macOS device
Important information
Removing the FileVault configuration profile from a device through LogMeIn Resolve MDM does not turn off the disk encryption.