Configure FileVault Profile
FileVault is the full-disk encryption feature of macOS. With FileVault on, the contents of the startup disk are readable only after an authorized user unlocks it at startup with their account password (or with a recovery key); everything else on the drive stays encrypted at rest. The SureMDM FileVault profile lets administrators turn FileVault on remotely on enrolled Macs and choose how the recovery keys are generated and escrowed.
To enable FileVault on the enrolled devices, follow these steps:
1. Navigate to SureMDM Web Console > Profiles > macOS > New Profile > Device Enrollment > FileVault > Configure.
2. Enter the Profile Name.
3. Configure FileVault settings and click Save.
| Settings | Description |
|---|---|
| Enable FileVault | If checked, FileVault is turned on on the device, but the user can still turn it off from System Settings. |
| Prevent users from enabling FileVault | If checked, users cannot turn FileVault on from the device themselves. |
| Encrypt Using | Select the recovery key type. Institutional Recovery Key: administrators can decrypt any device with a single institutional recovery key. Personal Recovery Key: the device generates its own recovery key, which the user (or SureMDM, if escrowed) can use to decrypt it. Institutional and Personal Recovery Key: both. Note: to generate the certificate required for the Institutional Recovery Key and Institutional and Personal Recovery Key options, see the "Certificate Used for Encryption" row below. |
| Rotation of Personal Recovery Key | The interval after which the personal recovery key is rotated. (Applies only if Personal Recovery Key is selected in Encrypt Using.) |
| Show Personal Recovery Key | If checked, the personal recovery key is shown to the user on the device when FileVault is turned on. (Applies only if Personal Recovery Key is selected in Encrypt Using.) |
| Display Personal Recovery Key in Agent | If checked, the recovery key is shown in the SureMDM Agent under the Status tab. Anyone who can open the Agent on that Mac can then read the key, so enable this only where that is acceptable. (Applies only if Personal Recovery Key is selected in Encrypt Using.) |
| Certificate Used for Encryption | The certificate containing the public key of the institutional recovery key. To generate it: 1. Open the Terminal app on your Mac and run `security create-filevaultmaster-keychain ~/Desktop/FileVaultMaster.keychain` (the command prompts for a master password). 2. This creates FileVaultMaster.keychain on the Desktop, containing the recovery private key and its certificate. 3. Click Upload, upload the certificate, type the Password, and click Add. Keep the keychain file itself off the managed devices and in a safe place: whoever holds its private key can decrypt every Mac encrypted with it. Note: institutional recovery keys present a greater inherent security concern because one key can be used for multiple computers. They also have more limited functionality on Macs with Apple silicon, and Apple no longer recommends them for institutional management in general. For most environments, SureMDM recommends personal recovery keys. |
| Path for Recovery Information Storage | Path on the device where the recovery information plist is written. Example: /var/filevault.plist. The plist contains the recovery key in clear text, so it must be readable by root only and should be deleted once the key has been escrowed. |
| Max Bypass Attempts | The number of times a user may dismiss the enable-FileVault prompt before enabling it becomes mandatory (this maps to Apple's MaxBypassAttempts setting). -1: no limit; the user can keep bypassing the prompt. 0: no bypass; the user must enable FileVault at the next logout or login. 3, 5 or 10: the user may skip the prompt that many times, after which FileVault must be enabled. |
| Prevent Prompt at Logout | If checked, the user is not prompted to enable FileVault at every logout. |
| Override User configured FileVault Settings | If checked, FileVault settings already present on the device (configured before enrollment) are replaced by the SureMDM FileVault profile. The personal recovery key can only be retrieved by SureMDM if FileVault is configured and managed through SureMDM. |
| Override Method for User Configured FileVault settings | How the override is authorized. Use Admin's Credentials: the username and password of an admin account on the target device are entered in the profile; the profile runs only if those credentials match an existing account on the target device(s). Prompt User for Admin's credentials: after deployment the end user is prompted on the device and must enter admin credentials manually. Use Service Account: the SureMDM Service Account performs the override, with no action needed on the device. Note: Override User Configured FileVault Settings is supported only from SureMDM Agent version 6.5.0 and later. |
The newly created profile will be listed in the Profiles section.
4. Go back to the Home tab and select the macOS device(s) or group(s).
5. Click Apply to launch Apply Job/Profile To Device prompt.
6. In the Apply Job/Profile To Device prompt, select the created profile and click Apply.
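The steps above are all performed in the console; what an administrator usually wants next is a device-side check that the profile actually took effect, and a scripted version of the institutional-recovery-key preparation from the "Certificate Used for Encryption" row. The script below is an added example and is not SureMDM's or Apple's code. It assumes the profile was configured with a Personal Recovery Key, that "Path for Recovery Information Storage" was set to /var/filevault.plist as in the table, and that the console accepts a PEM or DER export of the certificate (the page does not state the expected file format). The `fdesetup` and `security` commands exist only on macOS and `fdesetup` needs root; the evaluation logic is kept in plain shell functions driven by captured command output so it can be read and exercised anywhere.

```shell
#!/bin/bash
# Added example (not SureMDM or Apple code): verify a deployed FileVault profile
# from the device and prepare an institutional recovery key certificate.

# --- Pure-shell logic, driven by captured command output ---

# Classify the text printed by `fdesetup status`: on | deferred | off | unknown.
# Deferred enablement also prints "FileVault is Off.", so it is matched first.
fv_state() {
  case "$1" in
    *"FileVault is On."*)                          echo on ;;
    *"Deferred enablement appears to be active"*)  echo deferred ;;
    *"FileVault is Off."*)                         echo off ;;
    *)                                             echo unknown ;;
  esac
}

# Shape check for a personal recovery key: six groups of four [A-Z0-9] joined by hyphens.
prk_well_formed() {
  printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Decide compliance from: `fdesetup status` text, `fdesetup haspersonalrecoverykey`
# output (true/false), `fdesetup hasinstitutionalrecoverykey` output (true/false),
# and the key type the profile was configured with: prk | irk | both.
# Always returns 0 and prints "compliant" or "noncompliant: <reason>".
fv_evaluate() {
  local state has_prk has_irk want
  state=$(fv_state "$1"); has_prk=$2; has_irk=$3; want=$4
  case "$state" in
    on) ;;
    deferred) echo "noncompliant: user has deferred enablement"; return 0 ;;
    *) echo "noncompliant: FileVault is $state"; return 0 ;;
  esac
  case "$want" in
    prk)  [ "$has_prk" = true ] || { echo "noncompliant: no personal recovery key"; return 0; } ;;
    irk)  [ "$has_irk" = true ] || { echo "noncompliant: no institutional recovery key"; return 0; } ;;
    both) [ "$has_prk" = true ] && [ "$has_irk" = true ] || { echo "noncompliant: missing a recovery key"; return 0; } ;;
    *) echo "noncompliant: unknown expected key type $want"; return 0 ;;
  esac
  echo compliant
}

# --- macOS-only actions ---

# Run the real checks (as root). The plist at the profile's recovery storage path
# holds the key in clear text, so its owner and mode are reported too.
fv_audit() {
  local status prk irk
  status=$(fdesetup status)
  prk=$(fdesetup haspersonalrecoverykey)
  irk=$(fdesetup hasinstitutionalrecoverykey)
  echo "FileVault: $(fv_evaluate "$status" "$prk" "$irk" prk)"
  if [ -e /var/filevault.plist ]; then
    # BSD stat: owner name and octal permission bits; expect "root 600"
    echo "recovery plist present: $(stat -f '%Su %OLp' /var/filevault.plist)"
  fi
}

# Institutional recovery key: create the master keychain (prompts for a password)
# and export its certificate for the "Certificate Used for Encryption" upload.
# The .keychain file holds the private key; keep it offline and off managed Macs.
make_irk_cert() {
  local kc="$HOME/Desktop/FileVaultMaster.keychain"
  security create-filevaultmaster-keychain "$kc"
  security unlock-keychain "$kc"
  # PEM export of the single certificate in the keychain (assumed upload format)
  security find-certificate -a -p "$kc" > "$HOME/Desktop/FileVaultMaster.pem"
  openssl x509 -in "$HOME/Desktop/FileVaultMaster.pem" -outform DER \
    -out "$HOME/Desktop/FileVaultMaster.cer"
}

case "${1:-}" in
  audit) fv_audit ;;        # sudo ./fv_check.sh audit
  irk)   make_irk_cert ;;   # ./fv_check.sh irk
esac
```

Run `sudo ./fv_check.sh audit` on a Mac after the profile has been applied; a "deferred" verdict means the user has dismissed the prompt and the Max Bypass Attempts setting decides when enabling becomes mandatory.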