FileVault disk encryption
FileVault is a macOS built-in security feature that encrypts all the data on the startup disk and prevents unauthorized access to your information. From the IBM® MaaS360® Portal, you can remotely configure FileVault and retrieve the recovery keys from the devices that are running macOS 10.13 or later.
Configuring the FileVault profile
You can use macOS MDM policies to configure (enable/disable) FileVault on macOS devices. For more information, see the macOS FileVault policy.
Retrieving a personal recovery key
If FileVault is enabled, users must unlock the disk with their login password or with the recovery key before they can access their data. You can use device actions to retrieve and back up the recovery key. If users forget their Mac login password, they can use the recovery key to unlock the disk and reset the password. Because the recovery key unlocks the disk on its own, treat a retrieved key as a secret and limit which portal administrators can view it.
- From the IBM MaaS360 Portal home page, go to .
- Open the macOS device that is enabled with FileVault encryption through the security policies.
- Click .
The recovery key is retrieved and displayed on the screen.
Retrieving personal recovery keys from previously encrypted devices and reenrolled devices
Two situations leave a device without a recovery key that MaaS360 can use:
- Devices that are already encrypted before enrollment: The FileVault recovery key is not available to MaaS360 when administrators enroll a device that was encrypted before enrollment. In this case, administrators must first take over management of FileVault on those devices, which regenerates the personal recovery key, before they can retrieve it.
- Devices that are wiped or reenrolled: When a macOS device is enrolled, it generates a FileVault recovery key that MaaS360 retrieves. If the device is later wiped or reenrolled, the recovery key that MaaS360 holds is no longer valid for the disk. Administrators can create a smart group of reenrolled devices with outdated recovery keys and then regenerate the recovery key for those devices.
Before you begin
- macOS Agent version 2.43.000 or later must be installed on the Mac device.
- The FileVault disk encryption policies must be deployed to the macOS devices.
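An administrator who wants to confirm, on the Mac itself, that the key the portal holds still unlocks the disk can use the macOS `fdesetup` tool. The following script is an added example written for this page; it is not IBM MaaS360 agent code and is not part of the original documentation. It assumes a Mac with `/usr/bin/fdesetup` (`fdesetup status` prints "FileVault is On." or "FileVault is Off.", plus an "Encryption in progress" line while encryption is running; `fdesetup validaterecovery` reads a key on standard input and prints true or false) and must run as root. The `FDESETUP` variable and the action names are this example's own conventions.

```shell
#!/bin/sh
# Local FileVault check for a Mac managed by MaaS360 (added example, not IBM code).
# Assumes macOS with /usr/bin/fdesetup; validaterecovery requires root.

# Map the text printed by `fdesetup status` to a one-word state.
# Assumed output formats: "FileVault is On.", "FileVault is Off.", and an
# extra "Encryption in progress: Percent completed = NN" line while encrypting.
fv_state() {
    # $1: captured output of `fdesetup status`
    case "$1" in
        *"Encryption in progress"*) echo in_progress ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Validate an escrowed personal recovery key against this disk.
# `fdesetup validaterecovery` reads the key from stdin and prints true/false.
# FDESETUP points at the real binary; it can be overridden for testing.
FDESETUP=${FDESETUP:-/usr/bin/fdesetup}
key_is_valid() {
    # $1: the escrowed personal recovery key retrieved from the portal
    result=$(printf '%s\n' "$1" | "$FDESETUP" validaterecovery 2>/dev/null) || result=false
    [ "$result" = "true" ]
}

# Decide the administrator's next step, mirroring the two cases on this page:
# encrypted with no valid escrowed key -> escrow/regenerate the key;
# not encrypted -> the FileVault policy has not taken effect yet.
next_action() {
    # $1: state from fv_state; $2: valid | invalid | none for the escrowed key
    case "$1/$2" in
        off/*)              echo deploy_filevault_policy ;;
        in_progress/*)      echo wait_for_encryption ;;
        on/valid)           echo nothing ;;
        on/invalid|on/none) echo escrow_recovery_key ;;
        *)                  echo investigate ;;
    esac
}

# Usage on the Mac, as root, with the key copied from the portal in ESCROWED_KEY:
#   state=$(fv_state "$(fdesetup status)")
#   if [ -z "$ESCROWED_KEY" ]; then k=none
#   elif key_is_valid "$ESCROWED_KEY"; then k=valid
#   else k=invalid; fi
#   next_action "$state" "$k"
```

A device that reports `on` with an `invalid` key is exactly the wiped or reenrolled case above: the portal still shows a key, but it no longer unlocks the disk, so the Escrow FileVault Recovery Key action is needed. The script only reads state; regenerating the key is left to the MaaS360 agent, which prompts the user for their password.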
Identifying previously encrypted devices
Administrators can use advanced search to filter and create a smart group with devices that meet the following conditions.
- Go to .
- Use the following search criteria:
  - Data Encryption > Encryption Status, Equal To, Encryption Complete
  - Data Encryption > FileVault Recovery Key Present, Equal To, No
Identifying reenrolled devices with outdated recovery keys
Reenrolled devices still report an escrowed recovery key, so the search differs from the previous one only in the second condition.
- Go to .
- Use the following search criteria:
  - Data Encryption > Encryption Status, Equal To, Encryption Complete
  - Data Encryption > FileVault Recovery Key Present, Equal To, Yes
Escrowing recovery keys for a device group
- From the MaaS360 Portal home page, go to .
- Hover over the More option below the device group and then select Escrow FileVault Recovery Key.
- On the Escrow FileVault Recovery Key window, click Continue.
On the macOS device, the MaaS360 agent prompts the user to enter their password and then regenerates the personal recovery key.
Escrowing the recovery key for a single device
- From the IBM MaaS360 Portal home page, go to .
- Open the previously encrypted or reenrolled macOS device.
- Click .
The MaaS360 agent prompts the user to enter their password and then regenerates the personal recovery key on the device.
Note: After the personal recovery key is escrowed, administrators can use the device-level action FileVault Recovery Key to view it. Keys retrieved before the device was wiped or reenrolled are no longer valid and should be discarded.