Enforcing Full Disk Encryption on Macs: The IT Guide

By Megan Anderson Posted November 25, 2019

Full disk encryption (FDE) is one of the most valuable security measures an IT organization can enforce to keep their confidential information secure. Apple® has made it relatively straightforward to implement FDE with its bundled solution, FileVault2, but the challenge for IT admins is to implement it in a scalable way throughout their enterprises. Here, we will guide you on how to make implementation of FDE on macOS® systems more manageable.

What is Full Disk Encryption?

The short explanation of full disk encryption is that it is the process of converting the data stored on a disk into ciphertext that cannot be read by anyone not authorized to access it. When FDE is enabled through software such as FileVault2, users decrypt the data on their macOS system by entering the correct password or by providing their recovery key. Without the recovery key or some other form of backup authentication, the data on a user’s Mac could be lost.

How Full Disk Encryption Works on Mac

Full disk encryption on macOS is enabled through FileVault2, which can be turned on for a user as long as that user has a Secure Token. (On modern macOS versions, FileVault2 cannot be enabled for a user who lacks a Secure Token.) The most straightforward way for users to obtain Secure Tokens is to create their accounts manually on the device itself. Users with Secure Tokens can also be created remotely, albeit with a few extra steps.

Once FileVault2 is enabled, a recovery key is generated for the user. That recovery key is the only way to decrypt the Mac should the user be locked out of their account, whether because of an attack on the account, a forgotten password, or a lost device. There are different methods for integrating Macs into an IT environment, depending on whether a directory service is in place and, if so, which one is being used.
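As an added example (not code from the original post or from JumpCloud), here is a small per-Mac compliance check that ties the two prerequisites above together: whether FileVault is on, off, or deferred (parsed from `fdesetup status`) and whether the account holds a Secure Token (parsed from `sysadminctl -secureTokenStatus`). The parsers are separated from command execution so they can be exercised off-device with constructed sample output; the user name `jdoe` and the exit-code convention are assumptions.

```shell
#!/bin/sh
# fv_state: reduce the text of `fdesetup status` to on|off|deferred|unknown.
# When enablement has been deferred to the next login, fdesetup prints
# "FileVault is Off." followed by a "Deferred enablement ..." line, so the
# deferred pattern is matched first.
fv_state() {
  case "$1" in
    *"Deferred enablement appears to be active"*) echo deferred ;;
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# token_state: reduce the text of `sysadminctl -secureTokenStatus <user>`
# (which the tool writes to stderr, prefixed with a timestamp) to
# enabled|disabled|unknown.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

# fde_verdict USER FDESETUP_OUTPUT SYSADMINCTL_OUTPUT
# Prints a one-line verdict and returns (assumed convention):
#   0 compliant, 1 FileVault not yet active, 2 user cannot be enabled
#   because it has no Secure Token, 3 output could not be parsed.
fde_verdict() {
  user=$1; fv=$(fv_state "$2"); tok=$(token_state "$3")
  case "$fv/$tok" in
    */disabled)       echo "$user: no Secure Token; FileVault cannot be enabled for this account"; return 2 ;;
    on/enabled)       echo "$user: compliant (FileVault on, Secure Token present)"; return 0 ;;
    deferred/enabled) echo "$user: FileVault enablement deferred until next login"; return 1 ;;
    off/enabled)      echo "$user: FileVault off; enable it for this account"; return 1 ;;
    *)                echo "$user: could not determine state (fv=$fv, token=$tok)"; return 3 ;;
  esac
}

# fde_check_local [USER]: run the real commands on the current Mac.
fde_check_local() {
  user=${1:-$(id -un)}
  [ "$(uname)" = Darwin ] || { echo "not macOS; nothing to check" >&2; return 3; }
  fde_verdict "$user" "$(fdesetup status 2>&1)" "$(sysadminctl -secureTokenStatus "$user" 2>&1)"
}

# Set FDE_RUN=1 to check the local machine when the script is executed directly.
if [ "${FDE_RUN:-0}" = 1 ]; then fde_check_local "$@"; fi
```

Run with `FDE_RUN=1 sh fde_check.sh jdoe` on the Mac itself; the exit code can be collected by whatever deployment tool pushes the script to the fleet.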

Enforcing FDE Without a Directory

Without a directory, enforcing FDE on a fleet of Macs can be very time-consuming and complicated. First, you must enable (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Megan Anderson. Read the original post at: https://jumpcloud.com/blog/mac-full-disk-encryption/