Configure FileVault Profile (macOS)


FileVault is a macOS security feature that encrypts the data on a device's disk. Once FileVault is enabled, the user must enter their password each time they log in to their account, and the encrypted contents can be read only by authorized users or by someone holding a decryption (recovery) key. This profile lets admins enable FileVault remotely on enrolled Mac devices.

To enable FileVault on the enrolled devices, follow these steps:

1.  Navigate to SureMDM Web Console > Profiles > macOS > Add > FileVault > Configure.

2.  Enter a Profile Name.

3.  Configure the FileVault settings and click Save.

Settings and their descriptions:

Encrypt Using

Select an appropriate recovery type:

  • Institutional Recovery Key - Allows admins to decrypt any device using a single institutional recovery key.
  • Personal Recovery Key - Allows users to decrypt their own device using a recovery key generated on the device.
  • Institutional and Personal Recovery Key - Combination of both.

Note: To generate the certificate required for the Institutional Recovery Key and Institutional and Personal Recovery Key options, see the "Certificate Used for Encryption" setting below.

Show Personal Recovery Key

This option is available only when a Personal Recovery Key type is selected. When it is checked, the device displays the personal recovery key.

Certificate Used for Encryption

The certificate that contains the public key for the institutional recovery key.

To generate the certificate used for encryption, follow these steps:

  1. Open the Terminal app on your Mac, then enter this command:

     security create-filevaultmaster-keychain ~/Desktop/FileVaultMaster.keychain

  2. Running the command generates the Certificate Used for Encryption. The keychain it creates also holds the matching private key, which can unlock every device encrypted with this certificate, so store the keychain offline and restrict access to it.
  3. Click Upload to upload this certificate, type the Password, and then click Add.

Note: 

  • Institutional recovery keys present a greater inherent security concern because a single key can be used on multiple computers. They also have more limited functionality on Macs with Apple silicon, and Apple no longer recommends them for institutional management in general. For most environments, SureMDM recommends using personal recovery keys.

Path for Recovery Information Storage

Enter a suitable path to the location where the recovery key plist will be stored.

Example: /var/filevault.plist 

Max Bypass Attempts

Choose the maximum number of times users can bypass enabling FileVault from the following options:

-1: The FileVault process is bypassed once and is initiated only after the next logout.

0: The FileVault process is not bypassed, and it is initiated only after the next logout.

3: Prompts the user to enable FileVault after 3 login/logout attempts.

5: Prompts the user to enable FileVault after 5 login/logout attempts.

10: Prompts the user to enable FileVault after 10 login/logout attempts.
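The settings in the table map onto Apple's FileVault configuration-profile payload, which is what an MDM ultimately delivers to the device. The following is an added example, not SureMDM's own code: it builds that payload from the console's setting names and rejects combinations the table does not allow (an institutional type without a certificate, a bypass count outside the offered values, or "Show Personal Recovery Key" without a personal key). The payload type `com.apple.MCX.FileVault2` and the keys `Enable`, `Defer`, `UseRecoveryKey`, `ShowRecoveryKey`, `Certificate`, `OutputPath` and `DeferForceAtUserLoginMaxBypassAttempts` are Apple's documented FileVault payload keys; the mapping from SureMDM's setting names to those keys, the `com.example` identifiers and the placeholder certificate bytes are assumptions made for this example.

```python
"""Build and validate a FileVault (FDEFileVault) profile from the console settings.

Added example, not SureMDM code. The payload type and keys are Apple's documented
FileVault payload keys; how the console's setting names map onto them is assumed.
"""
import plistlib
import uuid

# Values offered by the "Max Bypass Attempts" drop-down in the table above.
ALLOWED_BYPASS_ATTEMPTS = {-1, 0, 3, 5, 10}

# "Encrypt Using" options: whether a personal recovery key is generated, and
# whether the institutional encryption certificate must be supplied.
RECOVERY_TYPES = {
    "personal": {"personal_key": True, "needs_certificate": False},
    "institutional": {"personal_key": False, "needs_certificate": True},
    "institutional_and_personal": {"personal_key": True, "needs_certificate": True},
}


def build_filevault_payload(recovery_type, *, show_personal_key=False,
                            certificate_der=None, output_path=None,
                            max_bypass_attempts=0):
    """Return the FDEFileVault payload dictionary for the given console settings."""
    if recovery_type not in RECOVERY_TYPES:
        raise ValueError(f"unknown recovery type: {recovery_type}")
    options = RECOVERY_TYPES[recovery_type]
    if max_bypass_attempts not in ALLOWED_BYPASS_ATTEMPTS:
        raise ValueError(f"Max Bypass Attempts must be one of {sorted(ALLOWED_BYPASS_ATTEMPTS)}")
    if options["needs_certificate"] and not certificate_der:
        raise ValueError("institutional recovery requires the Certificate Used for Encryption")
    if show_personal_key and not options["personal_key"]:
        raise ValueError("Show Personal Recovery Key applies only when a personal key is used")

    payload = {
        "PayloadType": "com.apple.MCX.FileVault2",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.filevault.payload",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "FileVault",
        "Enable": "On",
        # Defer enabling until the user logs out, so no admin credentials are
        # needed in the payload; the bypass count limits how often the user may skip.
        "Defer": True,
        "DeferForceAtUserLoginMaxBypassAttempts": max_bypass_attempts,
        "UseRecoveryKey": options["personal_key"],
        "ShowRecoveryKey": show_personal_key,
    }
    if options["needs_certificate"]:
        # DER-encoded certificate holding the institutional public key.
        payload["Certificate"] = certificate_der
    if output_path:
        # "Path for Recovery Information Storage": where the recovery plist is written.
        payload["OutputPath"] = output_path
    return payload


def build_profile(payload, identifier="com.example.filevault"):
    """Wrap a payload in a top-level, device-scoped configuration profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "FileVault",
        "PayloadContent": [payload],
    }


def profile_to_xml(profile):
    """Serialize the profile as an XML plist (.mobileconfig body)."""
    return plistlib.dumps(profile)


def load_profile(xml_bytes):
    """Parse a serialized profile back into a dictionary for inspection."""
    return plistlib.loads(xml_bytes)


if __name__ == "__main__":
    # Personal recovery key, key shown to the user, stored at the table's example path.
    personal = build_filevault_payload(
        "personal", show_personal_key=True,
        output_path="/var/filevault.plist", max_bypass_attempts=3)
    print(profile_to_xml(build_profile(personal)).decode())

    # Institutional and personal keys; the certificate bytes are a constructed placeholder.
    placeholder_cert = b"\x30\x82\x00\x00PLACEHOLDER-DER-CERTIFICATE"
    both = build_filevault_payload(
        "institutional_and_personal", certificate_der=placeholder_cert,
        max_bypass_attempts=0)
    print(profile_to_xml(build_profile(both)).decode())
```

The validation mirrors the table's own constraints: the bypass count is restricted to the listed values, an institutional type cannot be exported without the certificate, and "Show Personal Recovery Key" is refused for a purely institutional type. Real certificate data would be the DER bytes of the certificate exported from the FileVaultMaster keychain; the bytes used here are only a constructed stand-in so the example runs offline.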


The newly created profile will be listed in the Profiles section.

4.  Go back to the Home tab and select the macOS device(s) or group(s).

5.  Click Apply to open the Apply Job/Profile To Device prompt.

6.  In the Apply Job/Profile To Device prompt, select the created profile and click Apply.