Guide for Apple IT: Managing FileVault

Posted on January 14, 2022

Securing sensitive company data is one of the top priorities for any IT department. For businesses that run on Apple, FileVault is an essential tool for Mac security. By encrypting all of the information on a Mac computer’s startup disk, FileVault makes company information unreadable to unauthorized users.

In this article, we’ll review what FileVault is and how it can be used to secure Mac computers. We'll then discuss how admins can deploy it, and how FileVault recovery keys should be managed.

What Does FileVault Do?

Built into the Mac operating system, FileVault encrypts all data on Mac startup disks, allowing that data to be accessed only after proper login credentials have been entered. FileVault encrypts data in the background, so employees may not even know it’s happening, and they can use their devices while encryption is taking place.

FileVault has been a part of the Mac operating system since the release of Mac OS X Panther (10.3) in 2005. Its earliest versions were limited in scope: they could only encrypt a user’s home folder, leaving the rest of the data stored on the device's hard drive unprotected. They were, however, able to encrypt data on the fly, while users were still using the device.

This early form of FileVault also let users create FileVault recovery keys to decrypt and access their home folder data—a safety precaution to make sure users wouldn’t lose their data if they forgot their credentials. They could also use a master password, separate from their user password, to decrypt the computer.

In Mac OS X Lion (10.7), Apple released FileVault 2. It was more robust in a number of ways. For instance, while the original FileVault (referred to as Legacy FileVault) could encrypt only a user’s home folder data, FileVault 2 encrypts the entire startup disk—still without interrupting users.

FileVault 2 was also a step up in strength, using XTS-AES-128 encryption with a 256-bit key. And, most significantly for admins, FileVault 2 can be deployed and managed centrally by an IT department using MDM.

How to Enable FileVault

Turning on FileVault disk encryption is a great way for admins to prevent unauthorized access to company data on user devices. While end users do so via System Preferences, IT teams can use an MDM solution such as Kandji to deploy, monitor, and manage FileVault on managed macOS devices. 

Using Kandji as an example, you can add a FileVault library item to a Blueprint; when enabled, that item will apply your chosen FileVault settings to every device in that Blueprint. You can configure it to be immediately enforced at the next login or allow the user to defer. You can also specify whether the Mac should be forcibly restarted or remind the user to restart to initiate FileVault encryption.

You can also specify how FileVault recovery keys will be managed. If a user forgets their login credentials and cannot access their computer, an admin can use a FileVault recovery key to restore the data. Otherwise, without that key, no one can log in, and files and settings on the computer will be inaccessible.

On an individual computer, when you enable FileVault 2, you’re given two options for what to do if you forget a password: unlock using an iCloud account and password, or unlock using a FileVault recovery key. If you choose the FileVault recovery key option, you must keep a copy of the key securely stored somewhere (not on the encrypted startup disk). In most enterprise settings, the FileVault recovery key option is best, and you can enable it using an MDM solution like Kandji.

In Kandji, you can opt to show the key to the user when it’s created or regenerated. But if your company requires high levels of security, you probably don’t want to, because doing so introduces an unnecessary security risk. By hiding the keys, you retain the ability to delete users or wipe their disks when necessary, without worrying about whether the FileVault key might be used by a malicious user to access the data after those actions are taken.

You can also choose to escrow the recovery key to Kandji for safekeeping (where it can be viewed by admins) and to rotate the key on a regular schedule. If you do escrow the keys, you can always give them out to the user when needed, such as when resetting the user’s password.

Kandji also has a built-in option for regenerating recovery keys when they are unknown. So if you enroll a Mac that has already been encrypted, Kandji can rotate and escrow a new recovery key by automatically prompting the end-user to create a new one. See our support article for more on that.

How FileVault Protects Business Data

FileVault can be complemented by other security features, such as requiring users to log back into their devices whenever a device wakes from sleep mode or leaves the screen saver. After a device is initially turned on, only FileVault-enabled users can log on; anyone else will have to wait until the disk has been decrypted by a FileVault-enabled user.

Apple’s introduction of the T2 security chip and then Apple silicon complicated this picture because full-disk encryption is already activated on Mac computers with that hardware—even if FileVault isn’t enabled on them. 

But FileVault can still add a layer of security by requiring users to enter their login credentials to decrypt the disk. So it’s recommended that you use FileVault 2 on Mac computers with the T2 chip or Apple silicon. The one major exception is when the device is shared among multiple users, such as in a computer lab.

FileVault, Secure Token, and Bootstrap Token

The encryption picture was further complicated when Apple introduced the secure token account attribute in macOS High Sierra. As of that release, if you want to enable FileVault for an account on an encrypted Apple File System (APFS) volume, that account first has to be granted a secure token.

Once that’s done, the account can create others, which are automatically granted a secure token. But there are two significant exceptions: when an Active Directory account is used or when a local account is created using command-line tools. In those two cases, new accounts are not automatically granted a secure token, so FileVault 2 cannot be enabled on them. Admins must take extra steps to enable such accounts for FileVault.

Another wrinkle came with macOS Catalina when Apple introduced the bootstrap token. Bootstrap tokens can assist with granting a secure token to both Active Directory mobile accounts and optional administrator accounts created in device enrollment. When a bootstrap token is escrowed to Kandji, macOS can request that token when Active Directory mobile accounts sign in and generate a secure token for that user account.

In macOS 11 or later, a bootstrap token can also be used to authorize the installation of kernel extensions and software updates on managed Mac computers with Apple silicon. The bootstrap token is also used to authorize the Erase All Content and Settings command on macOS 12.0.1 or later.
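To find accounts that fell into the secure token exceptions described above, an admin can audit each Mac from the command line. The script below is an added example, not Kandji or Apple code: it classifies the output of `fdesetup status`, `sysadminctl -secureTokenStatus`, and `profiles status -type bootstraptoken`. The output strings it matches are assumptions based on commonly observed macOS output and should be verified on your OS version; `jdoe` is a constructed sample account.

```shell
#!/bin/sh
# Added example. Parsers take command output as text, so they can be checked
# against constructed samples when not running on a Mac.

fv_state() {            # arg: output of `fdesetup status`
    case "$1" in
        *"Deferred enablement"*) echo deferred ;;  # user deferral still pending
        *"FileVault is On"*)     echo on ;;
        *"FileVault is Off"*)    echo off ;;
        *)                       echo unknown ;;
    esac
}

token_state() {         # arg: output of `sysadminctl -secureTokenStatus <user> 2>&1`
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

bootstrap_escrowed() {  # arg: output of `profiles status -type bootstraptoken`
    case "$1" in
        *"escrowed to server: YES"*) echo yes ;;
        *)                           echo no ;;
    esac
}

# Combine secure token state and bootstrap token escrow into one finding.
assess() {              # args: <token_state> <bootstrap_escrowed>
    case "$1:$2" in
        enabled:*)    echo ok ;;
        disabled:yes) echo no-token-bootstrap-escrowed ;;   # MDM holds a bootstrap token
        disabled:no)  echo no-token-manual-grant-needed ;;  # admin must grant a token
        *)            echo unknown ;;
    esac
}

if command -v fdesetup >/dev/null 2>&1; then
    # On a Mac (run as root): report every local account with UID >= 501.
    echo "FileVault: $(fv_state "$(fdesetup status 2>&1)")"
    bt=$(bootstrap_escrowed "$(profiles status -type bootstraptoken 2>&1)")
    dscl . list /Users UniqueID | while read -r user uid; do
        [ "$uid" -ge 501 ] || continue
        ts=$(token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
        echo "$user: $(assess "$ts" "$bt")"
    done
else
    # Not on macOS: run the same logic on constructed sample output.
    ts=$(token_state "sysadminctl[123:456] Secure token is DISABLED for user jdoe")
    echo "jdoe: $(assess "$ts" "$(bootstrap_escrowed "Bootstrap Token escrowed to server: YES")")"
fi
```

Accounts reported as `no-token-manual-grant-needed` are the ones that need the extra admin steps mentioned above before they can be enabled for FileVault.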

About Kandji

The Kandji team is constantly working on solutions to streamline your workflow and secure your devices. With powerful and time-saving features such as zero-touch deployment, one-click compliance templates, and plenty more, Kandji has everything you need to bring your Apple fleet into the modern workplace.

This article was substantially updated January 14, 2022.
