Help Center
14 DAY FREE TRIAL
Search Close Search
Search result for "aa"
View all results

No Search Results

14 DAY FREE TRIAL
  1. Help Center
  2. Solution Framework
  3. Security Posture & Compliance

Category filter

Steps to Configure and Manage FileVault for macOS via Hexnode

Jump To

Overview

FileVault is a built-in macOS security feature that uses XTS-AES-128 encryption with a 256-bit key to prevent unauthorized access to the information on a startup disk. By using Hexnode UEM, IT administrators can centrally enforce FileVault, manage recovery keys, and ensure that corporate data remains encrypted without manual user intervention.

Prerequisites

Before deploying the policy, ensure the following requirements are met:

  • OS Version: macOS 10.13 (High Sierra) or later.
  • Enrollment: Devices must be enrolled in Hexnode UEM.
  • Hardware: FileVault works on both Intel-based Macs and Apple Silicon Macs.
  • Secure Token: The user account enabling FileVault must have a valid Secure Token. (On macOS 10.13+, mobile/Active Directory accounts do not get this automatically; local accounts do).
  • Power Source: The device should be plugged into an electrical outlet during encryption, or the process may pause.

Step 1: Create a FileVault Policy in Hexnode

  1. Log in to your Hexnode UEM Portal.
  2. Navigate to the Policies tab.
  3. Click New Policy > Create a fully custom policy or edit an existing macOS policy.
  4. Provide a Policy Name (e.g., “macOS Security – FileVault Encryption”).
  5. On the left-hand sidebar, navigate to macOS > Security > FileVault.
  6. Click Configure.

Screenshot of the Hexnode UEM console showing the Policies tab. The FileVault section under 'macOS - Security' is selected from the left-hand menu, displaying the option to click 'Configure' to set up a Hexnode FileVault policy.

Step 2: Configure Encryption Settings

Define how FileVault should behave on the target Macs by selecting Enable FileVault. You will then configure the following behavior:

  • Skip enabling FileVault at user login: Define how many times a user can skip or bypass the FileVault setup prompt at login before they are forced to enable it.
  • Require user to unlock FileVault after hibernation: Enforce a password to unlock FileVault after hibernation and restore the disk to its last saved state.
  • Prevent FileVault from being disabled: Check this box to stop end-users from turning off FileVault encryption locally on their Mac.

Step 3: Manage Recovery Keys (Escrow)

Managing the recovery key is the most critical part of MDM-based encryption. Hexnode offers three distinct methods for recovery keys:

  1. Institutional Recovery Key (IRK): A common certificate used across the entire fleet. By default, Hexnode uses the HexnodeMDMFileVaultCertificate. You can upload a custom certificate (Supported formats: .cer, .crt, .pem, .der, .p7b, .p12).
  2. Personal Recovery Key (PRK): A unique alphanumeric key generated for each device. Recommended for most businesses.
  3. Institutional and Personal Recovery Key (Recommended): Generates both. This is the safest method as it allows the user to use their unique PRK, but gives the IT admin an IRK as a failsafe if the PRK is lost.

Crucial Settings for PRK:

  • Escrow Personal Recovery Key: Enable this to securely send and store the PRK in the Hexnode portal. You can choose to let Hexnode automatically encrypt/decrypt the key, or manually specify an encryption key.
  • Escrow location description: Enter a brief description that the end-user will see, explaining where their recovery key is being stored (e.g., “Your recovery key will be securely sent to the IT Department”).

Step 4: Assign the Policy

  1. Navigate to the Policy Targets tab.
  2. Select the Devices, Device Groups, Users, User Groups or Domains/OUs to whom the encryption policy should apply.
  3. Click Save.

Monitoring and Recovery

Retrieving the Recovery Key

If a user forgets their password and is locked out:

  1. Go to Manage > Devices and select the device.
  2. Navigate to Device Info > Security Info > FileVault Recovery Key.
  3. Click Decrypt. (If encrypted with a custom certificate, you must upload the private .pem key to decrypt it).
  4. Provide the key to the user.

Verifying Key Status via Reports

You can audit your fleet’s escrow status by navigating to Reports > Built-in Reports > Device > Enrolled Devices. The FileVault Personal Recovery key column will show:

  • Decrypted key: Successfully escrowed.
  • Failed: The key was not fetched despite the policy being active.
  • N/A: FileVault is enabled and fetched, but not decrypted yet.
  • FileVault disabled: FileVault is off.

Troubleshooting Common FileVault Errors

1. Error: “An unexpected master password keychain was found.”

  • Cause: Often occurs when enabling FileVault via PRK.
  • Fix: Navigate to /Library/Keychains/ and delete the FileVaultMaster.keychain file. Restart the device.

2. FileVault fails to enable due to missing Secure Token

  • Cause: The user account (especially AD/mobile accounts) doesn’t have a secure token.
  • Fix:
    • Open Terminal and execute the following command:
    • Log out of the Mac, then log back into the account for the changes to take effect.
    • Need more help?
    Image of Raise a Ticket Raise a Ticket
    Image of Ask Community Ask Community
    Image of Chat With us Chat With us
    Solution Framework