
How to Manage FileVault with Hexnode MDM

FileVault is a full-disk encryption feature in Mac OS X 10.3 and later that protects your data and prevents unauthorized users from retrieving the information stored on your Mac. Once the disk is encrypted, anyone without the password or recovery key is unable to log in to the Mac, and the data on the drive stays unreadable until the password is entered. Once the device boots and you log in, the data on the drive is available again, and any new files are encrypted automatically as they are saved. Using FileVault means that if a Mac is misplaced or lost, the data on it is not compromised.

The whole-disk encryption is transparent while you use the computer.

Note

Once FileVault has been enabled, removing the policy or disassociating the devices does not disable FileVault.

Difference between encryption and password protection

Encryption converts data into a scrambled, unreadable format so that only authorized users can read it; its primary purpose is to protect the confidentiality of the content. Password protection, on the other hand, secures information by locking it behind a password, so anyone who obtains the password gains access to the information, which leaves it more exposed.

When a disk is encrypted, the data remains encrypted and safe even if the disk is removed from the Mac and connected to another device. If the disk is only password-protected, the data on it can be read simply by removing it from the Mac.

There are several ways to encrypt your macOS devices:

  • Institutional Recovery Key
  • Personal Recovery Key
  • Institutional and Personal Recovery Key

Institutional Recovery Key

These are used by organizations or institutions that require a single common key to decrypt all their devices.

If you lose or forget the password, the IRK certificate must be protected with a new password and downloaded again. An advantage of the IRK is that if the key is lost or corrupted, a new one can be downloaded from the portal.

Note:

Supported certificate file formats: .cer, .crt, .pem, .der, .p7b, .p12

Encryption using Institutional Recovery Key

  1. Navigate to Policies > New Policy.
  2. Click on FileVault under macOS > Security. Click Configure.
  3. Select the Enable FileVault option to enable FileVault on Mac devices.
  4. From the drop-down list, select the Institutional Recovery Key option.
  5. By default, the encryption certificate used is HexnodeMDMFileVaultCertificate. Click on Upload New to upload a new Encryption certificate.
  6. Selecting the Skip enabling FileVault at user login option lets the admin set the number of times users can skip enabling FileVault when they log in to the Mac.
  7. Navigate to Policy Targets and click on +Add devices to add the Mac devices you wish to associate the policy with. Click Save.

Note:

Steps 1, 2, 3 and 6 are common to all the FileVault encryption methods.


Creating an encryption certificate

To use a new encryption certificate, the administrator must first create the certificate and upload it to the MDM portal.

You can create and export the recovery key with or without its private key.

Note:

A computer running macOS 10.8 or later is needed.

  1. On a macOS computer (10.8+), open Terminal and execute the command:
     sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain
  2. You’ll be asked to enter your login password.
  3. Enter and retype a password for the new keychain. A keychain named FileVaultMaster.keychain will be created in /Library/Keychains/.
  4. In Terminal, run the following command to unlock the keychain:
     security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
  5. Enter the previously created password to unlock the keychain.
  6. Copy the keychain and save it in a safe location such as an external drive.
  7. Go to Utilities and open Keychain Access.
  8. Click File > Add Keychain, select FileVaultMaster.keychain located in /Library/Keychains/ and click Add.
  9. Select FileVaultMaster under Keychains in the left side menu and select All Items under Category.
  10. A certificate (FileVault Recovery Key) and a private key (FileVault Master Password Key) are shown. Select only the certificate if you want to export the recovery key without the private key; otherwise select both.

     Note: If you export the certificate without the private key, keep the keychain containing the private key in a secure place, as it is needed during decryption.

  11. From File, select Export Items. Choose the .p12 file format, specify the location where the file is to be saved and click Save.
  12. You will be asked to enter a password to protect the exported items. Enter and verify the password, then click OK. This password is required when uploading the certificate to the portal.
  13. Quit Keychain Access.

The FileVault recovery key and the private key (only if exported) are saved to the specified location.
Upload this file to your Hexnode MDM portal.

Decryption using Institutional Recovery Key

To decrypt a device using the IRK:

  1. If a new encryption certificate was uploaded instead of the default Hexnode MDM FileVault Certificate while configuring the policy:
    • From the system where the uploaded keychain was created, copy the FileVaultMaster.keychain along with the private key to an external drive.
    • Go to step 3.
  2. If the Hexnode MDM FileVault Certificate is selected as the encryption certificate:
    • Navigate to Admin > General Settings.
    • Under FileVault Settings, there is an option to download the Hexnode MDM FileVault Certificate. Enter the password in the space provided and click the download button on the right.
    • On the OS X machine, navigate to Applications > Utilities and open Keychain Access.
    • Create a new keychain and drag and drop the previously downloaded recovery key into it. A private key and a certificate appear.
    • Copy the newly created FileVault keychain to an external drive. This file resides in /Users/<username>/Library/Keychains/.
    • Go to step 3.
  3. Decrypting the client machine:
    • Restart the client machine while holding the Command and R keys.
    • Connect the external drive containing the keychain file to the client machine.
    • Select Terminal from the Utilities menu.
    • Unlock the keychain file with the following command:
      security unlock-keychain "path to the keychain"
    • Enter the master password to unlock the keychain. If the password is accepted, the command prompt returns.
    • Run the following command to list the drives and CoreStorage volumes:
      diskutil cs list
    • Find the UUID of the logical volume and copy it.
    • To unlock the encrypted volume, run the following command:
      diskutil cs unlockVolume "UUID" -recoveryKeychain "path to the keychain"
    • Enter the master password to unlock the keychain and mount the startup disk.
    • Use command-line tools such as ditto to back up the data on the disk, or quit Terminal and use Disk Utility, or run the following command to decrypt the unlocked disk and start up from it:
      diskutil cs decryptVolume "UUID" -recoveryKeychain "path to the keychain"
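As an added example (not Hexnode's or Apple's code), the following Python script automates the "find the UUID of the logical volume" step above: it parses `diskutil cs list` output, reports each logical volume with the encryption status of its enclosing family, and builds the argv for the `unlockVolume` command so the UUID is never hand-copied. The diskutil output embedded here is a constructed sample in the real layout; the UUIDs and the keychain path are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of `diskutil cs list` output (not captured from a real Mac);
# the UUIDs are placeholders in the real 8-4-4-4-12 format.
SAMPLE_CS_LIST = """\
CoreStorage logical volume groups (1 found)
+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    Name:         Macintosh HD
    Status:       Online
    +-< Physical Volume AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    |   Disk:     disk0s2
    +-> Logical Volume Family 66666666-7777-8888-9999-000000000000
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        +-> Logical Volume 12345678-ABCD-EF01-2345-6789ABCDEF01
            Status:               Locked
            LV Name:              Macintosh HD
"""

UUID = r"[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}"


@dataclass
class LogicalVolume:
    uuid: str
    lv_name: str = ""
    encryption_status: str = "Unknown"  # taken from the enclosing Logical Volume Family


def parse_cs_list(text):
    """Walk the tree top-down: each Family line resets the encryption status
    that applies to the Logical Volume entries nested beneath it."""
    volumes, status = [], "Unknown"
    for line in text.splitlines():
        if re.search(r"Logical Volume Family " + UUID, line):
            status = "Unknown"
        elif m := re.search(r"Encryption Status:\s+(\S+)", line):
            status = m.group(1)
        elif m := re.search(r"Logical Volume (" + UUID + ")", line):
            volumes.append(LogicalVolume(m.group(1), encryption_status=status))
        elif (m := re.search(r"LV Name:\s+(.+?)\s*$", line)) and volumes:
            volumes[-1].lv_name = m.group(1)
    return volumes


def unlock_command(lv, keychain_path):
    """argv for the page's unlock step; pass to subprocess.run to avoid shell quoting."""
    return ["diskutil", "cs", "unlockVolume", lv.uuid, "-recoveryKeychain", keychain_path]
```

On a real machine, replace SAMPLE_CS_LIST with the captured output of `diskutil cs list` and only pass volumes whose encryption_status is Locked to unlock_command.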

Personal recovery key

Personal Recovery Keys are alphanumeric strings generated automatically at the time of encryption; the user receives the key when the encryption process completes. Each key is unique to the machine being encrypted. The user must note down this key, as it is not recorded anywhere in the portal.

Encryption using Personal Recovery Key


  1. Navigate to Policies > New Policy.
  2. Click on FileVault under macOS > Security. Click Configure.
  3. Select the Enable FileVault option to enable FileVault on Mac devices.
  4. Select the Personal Recovery Key option to encrypt the devices using a Personal Recovery Key.
  5. Select the Show Personal Recovery Key to user option to display the recovery key to the user. The user must make a note of this key, as it is not recorded in the portal. By default, this option is enabled.
  6. Selecting the Skip enabling FileVault at user login option lets the admin set the number of times users can skip enabling FileVault when they log in to the Mac.
  7. Navigate to Policy Targets and click on +Add devices to add the Mac devices you wish to associate the policy with. Click Save.

After the policy has been pushed to the device, restart the device and enter your Mac password when prompted.

You will then see an alert informing you that FileVault is being enabled on your volume.

Within a few minutes, the FileVault Recovery Key appears in a popup message. Note down this key, as it will not be recorded elsewhere. Then click Continue; the device turns on after completing the boot process.

Note:

If an encrypted Mac is decrypted and then re-encrypted, a new personal recovery key is generated and the old recovery key is invalidated.

The encryption now begins. The time taken to complete it depends on how much data is stored on your Mac.

On your Mac, you can follow the encryption progress under System Preferences > Security & Privacy > FileVault.

Note:

While encrypting, make sure the device is plugged into an electrical outlet; otherwise the encryption process may pause until power is connected.

Decryption using Personal Recovery Key

If you are decrypting your device with a Personal Recovery Key, enter the key when prompted and the device is decrypted.

Note:

If you lose your personal recovery key, the device cannot be decrypted; you will have to perform a factory reset to restore it.

Institutional and Personal Recovery Key

This is the recommended method. Both an institutional recovery key and a personal recovery key are generated for the user. The advantage is that if the personal recovery key is lost, the institutional recovery key can still be used to decrypt the device.

Encryption using Institutional and Personal Recovery Key

  1. Navigate to Policies > New Policy.
  2. Click on FileVault under macOS > Security. Click Configure.
  3. Select the Enable FileVault option to enable FileVault on Mac devices.
  4. From the drop-down list, select the Institutional and Personal Recovery Key option.
  5. By default, the encryption certificate used is HexnodeMDMFileVaultCertificate. Click on Upload New to upload a new encryption certificate.
  6. Select the Skip enabling FileVault at user login option if you want to let users skip enabling FileVault when they log in to the Mac. You can set the number of skip attempts.
  7. Navigate to Policy Targets and click on +Add devices to add the Mac devices you wish to associate the policy with. Click Save.

Decryption using Institutional and Personal Recovery Key

You can use either of the keys to decrypt your device.

Note:

Applying another FileVault policy to a device already encrypted under a FileVault policy has no effect.
