With the risk of stolen devices and data and the subsequent impact of compromised confidential information, many IT organizations are mandating full disk encryption (FDE) on their systems. It’s easy enough to enable FDE on any MacBook® or iMac® thanks to FileVault®. But no IT admin wants to walk around to every workstation in the office and enable FileVault by hand. Instead, we’ll explain how to automate FDE enforcement with remote FileVault management.
Understanding FileVault & FDE
Let’s take a step back to define FDE. Full disk encryption keeps the entire contents of a computer’s hard drive encrypted at rest, that is, whenever the system is not in use. The data on the drive is therefore protected from unauthorized access. When an admin or user logs in to the device with the appropriate credentials, the drive is unlocked and transparently decrypted. FDE is one of the best safeguards for critical data in the event of a laptop going missing.
FileVault is an FDE program that has been included with Mac® systems since 2003. The Windows® equivalent of FileVault is known as BitLocker.
Challenges with Enforcing FDE
The first challenge has historically been managing the rollout of FDE across an organization’s Windows and Mac systems. Until recently, IT admins have lacked adequate cross-platform FDE management tools, which has made it hard to simplify FDE management in heterogeneous organizations.
The more significant challenge is that every system needs to be recoverable when a password is forgotten. Once a hard drive has been encrypted, it cannot be decrypted without the right password. Recovery keys exist for both FileVault and BitLocker so that data isn’t lost over a simple forgotten password.
While recovery keys solve one major problem, they create another: managing recovery keys across a large enterprise is painful, and if you don’t take sufficient security precautions, the keys themselves become another vector for attack.
That’s why the ability both to turn FileVault on and to manage the recovery keys is the core of remote FileVault management. Unfortunately, doing that securely and then not only on macOS, but also on (Read more...)
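The two pieces above, enforcing FileVault and getting the recovery key into a place where it can be escrowed, are what a per-device compliance check has to cover. The following script is an added example, not code from the original post or from JumpCloud: it parses `fdesetup status`, decides on a remediation, and stages deferred enablement when FileVault is off. The `fdesetup` subcommands and flags are real macOS ones; the exact status strings and the plist path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the JumpCloud post: a FileVault compliance check an
# agent could run as root on each Mac. It parses `fdesetup status`, decides on a
# remediation, and stages enablement for the next login when FileVault is off.
# Assumed `fdesetup status` output: "FileVault is On." or "FileVault is Off.",
# plus an "Encryption in progress: ..." line while the disk is still encrypting.

# Map raw `fdesetup status` text to one of: on, off, in_progress, unknown.
fv_state() {
  case "$1" in
    *"Encryption in progress"*|*"Decryption in progress"*) echo in_progress ;;
    *"FileVault is On."*)  echo on ;;
    *"FileVault is Off."*) echo off ;;
    *)                     echo unknown ;;
  esac
}

# Decide the remediation for a state. Kept separate from execution so the
# logic can be exercised without a Mac.
fv_action() {
  case "$1" in
    on)          echo none ;;          # compliant, nothing to do
    in_progress) echo wait ;;          # re-check later; never re-run enable
    off)         echo defer_enable ;;  # stage enablement at the next login
    *)           echo alert ;;         # unexpected output: surface it to IT
  esac
}

# Stage deferred enablement. At the next login macOS turns FileVault on and
# writes the personal recovery key, in plaintext, to the plist (path assumed);
# the agent must escrow that key to the management backend, then delete the
# file. -forceatlogin 0 stops the user cancelling the prompt; -dontaskatlogout
# avoids a second prompt at logout.
fv_defer_enable() {
  plist="${1:-/private/var/root/fv_deferred.plist}"
  fdesetup enable -defer "$plist" -forceatlogin 0 -dontaskatlogout
}

# Entry point: only acts on a real Mac, running as root.
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  state=$(fv_state "$(fdesetup status)")
  action=$(fv_action "$state")
  echo "filevault=$state action=$action"
  case "$action" in
    defer_enable) fv_defer_enable ;;
    alert) echo "unexpected fdesetup output" >&2; exit 2 ;;
  esac
fi
```

Feeding the collected key back through `fdesetup validaterecovery` before deleting the plist confirms that what was escrowed actually unlocks the disk.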
*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Nick Scheidies. Read the original post at: https://jumpcloud.com/blog/remote-filevault-management/