
How to manage FileVault

FileVault (FileVault 2, available since OS X 10.7) is the full-disk encryption feature built into macOS. It protects the data on a Mac from anyone who obtains the hardware but not the credentials: once the startup disk is encrypted, it cannot be unlocked without the password of an enabled user or a recovery key, and without that the bytes on the disk are unreadable. The disk is unlocked only when the Mac boots and a user signs in. Every file written to the disk after that is encrypted automatically. Use FileVault so that the data on a lost or stolen Mac cannot be recovered by whoever ends up holding it.

Notes:

  • The FileVault policy is supported only on Ultimate and Ultra pricing plans.
  • Once set up, removing the policy or disassociating devices does not disable FileVault.

Enable or Disable FileVault on your Mac

You can control whether end users are allowed to turn FileVault on or off on their managed devices.

  1. On your Hexnode console, navigate to Policies.
  2. Create a new FileVault policy or continue with an existing policy.
  3. Provide a suitable name and description for your policy.
  4. Go to macOS > Security > FileVault. And click on Configure.
  5. Tick the box Prevent FileVault from being disabled to disable the end-users from turning off FileVault encryption on the device.
  6. Tick the box Prevent FileVault from being enabled to disable turning on FileVault.
  7. Associate the policies to target devices by navigating to Policy Targets before saving the policy.

Note that the FileVault customizations in Hexnode will be unavailable if Prevent FileVault from being enabled is checked.


Difference between encryption and password protection

Encryption transforms the data into ciphertext that is unreadable without the key, so only someone who holds the key (derived from the user password or a recovery key) can access the content. Its purpose is to protect confidentiality of the data itself. Password protection, on the other hand, only gates access: the operating system or application checks a password before showing the data, but the data remains in plaintext on the disk. Anyone who can bypass that check, for example by reading the disk directly, gets the data without the password.

When a disk is encrypted, the data stays encrypted even if the disk is removed from the Mac and attached to another computer, or the Mac is booted from external media. If the data is merely password-protected, it can be read simply by removing the disk or booting the Mac from another volume.

Enable FileVault on macOS devices

When FileVault is enabled through a policy, you choose which kind of recovery key will be able to unlock the disk if the user password is unavailable:

  • Institutional Recovery Key
  • Personal Recovery Key
  • Institutional and Personal Recovery Key

Institutional Recovery Key

An Institutional Recovery Key (IRK) is a certificate and private key pair (the FileVaultMaster keychain) that organizations use as a single key capable of unlocking every Mac encrypted with it. Only the certificate (public key) is sent to the devices; the private key never leaves the organization.

If you forget the password that protects the Hexnode-provided IRK certificate, you can set a new password and download the certificate from the portal again. One advantage of the default IRK is therefore that a lost or corrupted copy can be replaced from the portal. Bear in mind that whoever holds the IRK private key can unlock every disk encrypted with it, so store it offline and restrict access to it.

Note:

Supported certificate file formats- .cer, .crt, .pem, .der, .p7b, .p12

Encrypting Mac using Institutional Recovery Key

  1. Navigate to Policies > New Policy.
  2. Click on FileVault under macOS > Security. Click Configure.
  3. Select the Enable FileVault option to enable FileVault on Mac devices.
  4. From the drop-down list, select the Institutional Recovery Key option.
  5. By default, the encryption certificate used is HexnodeMDMFileVaultCertificate. Click on Upload New to upload a new Encryption certificate.
  6. Selecting the Skip enabling FileVault at user login option lets the admin set the number of times users can skip enabling FileVault when the user logs in to the Mac.
  7. Select the option Require user to unlock FileVault after hibernation if the user must enter their password to unlock FileVault when the Mac wakes from hibernation; the disk is then restored to its saved state only after the user has unlocked it.
  8. Next, associate the policy to target devices by navigating to the Policy Targets tab.
  9. Select the required Devices/Device Groups/Users/User Groups/Domains to which the policy is to be associated.
  10. Click Save.


Creating an encryption certificate

To use a new encryption certificate, the administrator must first create the certificate and upload it to the UEM portal.

You can create and export the recovery key with or without a private key.

Note:

A computer running macOS 10.8 or later is needed.

  1. On a macOS computer (10.8+), open Terminal and execute the command:
  2. You’ll be asked to enter a password for the new keychain. Re-enter the password again to confirm the password.
  3. A new keychain FileVaultMaster.keychain will be created on your desktop. This file contains the private key, and it is what you will use to unlock the startup disk of any Mac encrypted with this IRK. Store it in a safe location, such as an encrypted external drive or a disk image, for use later during decryption.
  4. Open the Keychain Access by double-clicking on the FileVaultMaster.keychain file located on your desktop. From the left sidebar menu, choose FileVaultMaster. If multiple items are displayed on the right, choose another keychain from the left sidebar. Then, click on FileVaultMaster again to refresh the list to show only two items.
  5. A certificate (FileVault Recovery Key) and private key (FileVault Master Password Key) can be seen. Select only the certificate if you want to export the recovery key without the private key. Otherwise, select both.
    Note:

    • If you export the certificate without the private key, the exported file can only be used to encrypt. Keep the original FileVaultMaster.keychain (which holds the private key) in a secure place, because only it can decrypt the disks later.

  6. From File, select Export Items. Choose the file format as .p12 and specify the location where the file is to be saved and click Save.
  7. You will be asked to enter a password that will be used to protect the exported items. Enter and verify the password. Click OK. This password is required while uploading the certificate to the portal.
  8. Quit Keychain Access.

The FileVault recovery key and private key (only if exported) will be saved to the specified location. Upload this file to your Hexnode UEM portal.

Decrypting the device using Institutional Recovery Key

Pre-requisites:

  • Make sure that you know the name and format of the startup disk. If not, open Disk Utility from Applications > Utilities and check the name and format there; you will need this information later. If Disk Utility shows ‘CoreStorage Logical Volume Group’ rather than ‘APFS Volume’, the startup disk is Mac OS Extended (on Core Storage).

To decrypt a device using IRK,

  1. If a new encryption certificate is uploaded instead of the default Hexnode MDM FileVault Certificate while configuring the policy,
    • From the system where the uploaded keychain was created, copy the FileVaultMaster.keychain along with the private key to an external drive.
    • Navigate to step 3.
  2. If Hexnode MDM FileVault Certificate is selected as the encryption certificate,
    • Navigate to Admin > General Settings.
    • Under FileVault Settings, you have the option to download Hexnode MDM FileVault Certificate. Enter the password in the space provided and click on the download button on the right.
    • On a Mac, navigate to Applications > Utilities and open Keychain Access.
    • Create a new keychain by navigating to File > New Keychain. Drag and drop the recovery key downloaded previously into it. You should see a private key and a certificate.
    • Copy the newly created FileVault keychain to an external drive. The file resides in ~/Library/Keychains.
    • Navigate to step 3.
  3. Decrypting the client machine

    To unlock the keychain,

    • Restart the client machine into macOS Recovery by holding Command-R during startup (Intel Macs).
    • Connect the external drive containing the keychain file to the client machine.
    • Select Terminal from the Utilities folder.
    • Execute the following command to mount the disk image if the private recovery key was stored in a disk image:
    • Unlock the FileVault master keychain using the following command:
    • Enter the master password to unlock the keychain.

    To unlock the encrypted volume,

    • Follow the steps below if your device is using Apple File System (APFS):
      1. Run the following command to unlock the encrypted volume:
      2. Enter the master password to unlock the keychain and mount the startup disk.
      3. Now, you can retrieve files using command-line tools such as ditto or use Disk Utility after closing the Terminal.
    • Here are the extra steps that you must execute if your device is using Mac OS Extended:
      1. Run the below command to list the drives and core storage volumes:
      2. Search for the UUID of the logical volume and copy the UUID.
      3. To unlock the encrypted volume, run the following command:
      4. Enter the master password to unlock and mount the encrypted volume.
      5. Now, you can retrieve files using command-line tools such as ditto or use Disk Utility after closing the Terminal. You can also run the following command to decrypt the volume:
Note:

The Institutional Recovery Key cannot be used on its own to decrypt Macs with Apple silicon (M1 and later) or running macOS Big Sur and later, because opening Utilities in Recovery mode on those systems first requires authenticating with an administrator's credentials or the Personal Recovery Key.

Personal Recovery Key

A Personal Recovery Key (PRK) is an alphanumeric string generated by the Mac when encryption is enabled and shown to the user before the encryption process starts. Each key is unique to the Mac it was generated on. The user must note it down, because the Mac does not record it anywhere. You can, however, escrow the key to Hexnode for safekeeping, so that it can be retrieved from Hexnode if the user loses it.

Encrypting Mac using Personal Recovery Key


  1. Navigate to Policies > New Policy.
  2. Click on FileVault under macOS > Security. Click Configure.
  3. Select the Enable FileVault option to enable FileVault on mac devices.
  4. Select the Personal Recovery Key option to encrypt the devices using a Personal Recovery Key.
  5. As this key is not automatically stored anywhere, you can encrypt the key with a certificate and report it to Hexnode for safekeeping. To do so, enable the option Escrow Personal Recovery Key and then set up the escrow key configurations.
  6. Select the Show Personal Recovery Key to user option to display the recovery key to the user. The user must make a note of this key as it is not recorded in the portal if the option Escrow Personal Recovery Key is not enabled. By default, this option is enabled.
  7. Choosing the option Skip enabling FileVault at user login allows the administrator to specify the number of times the user can skip the prompt to turn on FileVault as the user logs in to the device.
  8. Enable the option Require user to unlock FileVault after hibernation to mandate the device password to unlock FileVault after hibernation and to restore the disk to its last saved state.
  9. Go to Policy Targets. Select +Add devices to add the devices. Finally, click on Save to associate the policy with the devices.

After the policy has been pushed to the device, the user needs to restart the Mac and enter their password when prompted.

An alert then informs the user that FileVault is being enabled on the volume.

Within a few minutes the FileVault Recovery Key is shown in a pop-up message. The user has to note down this key, as the Mac does not record it anywhere. Clicking Continue lets the Mac finish booting.

Note:

If an encrypted Mac is decrypted and then re-encrypted, a new personal recovery key is generated and the old recovery key no longer works.

Now, the encryption begins. The time taken to complete the encryption depends on how much information is stored on your Mac.

On the Mac, the progress of the encryption is shown under System Preferences > Security & Privacy > FileVault (System Settings > Privacy & Security > FileVault on macOS 13 and later).

Note:

While encrypting, make sure the Mac is connected to power. On battery, the encryption process may pause until the power adapter is connected.


Decrypting the device using the Personal Recovery Key

If you are decrypting your device with a Personal Recovery Key, you must enter the key when prompted and the device will be decrypted.

Note:

If you lose your personal recovery key, the device cannot be decrypted. You will have to perform a factory reset to restore your device.

Institutional and Personal Recovery Key

This is the recommended method. Both an institutional recovery key and a personal recovery key are set up for the device. The advantage is that if the personal recovery key is lost, the institutional recovery key can still be used to decrypt the device (subject to the Apple silicon and Big Sur restriction noted above).

Encrypting Mac using institutional and Personal Recovery Key


  1. Navigate to Policies > New Policy.
  2. Click on FileVault under macOS > Security. Click Configure.
  3. Select the Enable FileVault option to enable FileVault on Mac devices.
  4. From the drop-down list, select the option Institutional and Personal Recovery Key.
  5. By default, the encryption certificate used is HexnodeMDMFileVaultCertificate. Click on Upload new certificate to upload a new Encryption certificate.
  6. If you want to encrypt the personal recovery key with an auto-generated or custom certificate and keep it in Hexnode, enable the option Escrow Personal Recovery Key. Then set up the escrow key configurations.
  7. Enable the option Show Personal Recovery Key to user to show the recovery key to the user on the FileVault screen. The users should note down this key as it is necessary to decrypt the device. If the option Escrow Personal Recovery Key is not enabled, the key will not be recorded on the portal. The users will have to wipe the devices if they lose the key.
  8. Select the Skip enabling FileVault at user login option if you want to skip enabling FileVault when the user logs in to the mac device. You can set the number of skip attempts.
  9. If you enable the option Require user to unlock FileVault after hibernation, the user will have to unlock FileVault with the password after the device awakes from hibernation. Thus, the disk restores its saved state only after the user unlocks FileVault.
  10. Move to Policy Targets > +Add devices. Add all the necessary macOS devices to apply the FileVault policy.
  11. Click Save.

Decrypting the device using Institutional and Personal Recovery Key

You can use either of the keys to decrypt your device.

Note:

For an encrypted device with a FileVault Policy, applying another FileVault policy has no effect.

Escrow Personal Recovery Key

If the Mac is configured to be encrypted using a Personal Recovery Key, the system generates a string of alphanumeric characters before encryption starts. This string is the Personal Recovery Key. It is displayed only once and cannot be viewed again on the Mac afterwards, so if the key is lost and no user password is available, the device has to be erased before it can be used again. With Hexnode, however, you can escrow the recovery key to Hexnode, which lets you retrieve it from the UEM to unlock the encrypted disk even after the user has lost it.

You will have the option to escrow the personal recovery key, if you choose to encrypt your device using the Personal Recovery Key or Institutional and Personal Recovery Key.

To escrow the recovery key,

  1. Create a new FileVault encryption policy or edit an already existing one.
  2. Check the option Escrow Personal Recovery Key. This enables Hexnode to retrieve and back up the recovery key generated by the system. The key will be encrypted before it is reported to Hexnode. This feature is supported on all macOS devices running v10.13 or later.
  3. In the field Escrow location description, enter a short description of where the recovery key is escrowed. This text is shown to the user on the FileVault recovery key screen.
  4. In the “Record Number” message field, enter the message to be displayed next to the Record Number on the FileVault recovery screen. It is shown to the user, together with the device serial number, on the screen where they are asked to enter the recovery key. A user who has forgotten the key can quote this record number to IT so that the device can be located in Hexnode quickly and the escrowed recovery key returned to them. The value should therefore uniquely identify the device, for example the device ID.
  5. Now, choose the method to encrypt the recovery key escrowed to Hexnode. You will have the following options:
    1. Allow Hexnode to automatically encrypt and decrypt the recovery key: If selected, Hexnode will automatically encrypt the recovery key before recording it in the UEM and automatically decrypt the key if requested.
    2. Manually specify the encryption key: Select the encryption certificate that should be used to encrypt the recovery key from the drop-down. To add a new certificate to the drop-down, navigate to Policies > macOS > Security > Certificates and add a new one there. If this option is selected, you should use the same certificate to decrypt the recovery key.
  6. Navigate to Policy Targets and click on +Add devices to add the devices you wish to associate the policy with. Click Save.


Note:


The escrow recovery key will not be updated in the portal if any changes are made to the FileVault escrow key configuration after the encryption initiation.

Retrieve the Personal Recovery Key

To retrieve the Personal Recovery Key escrowed to Hexnode,

  1. On your Hexnode console, navigate to Manage > Devices.
  2. Click on the required device to land on the ‘Device Summary’ page.
  3. Go to Device Info > Security Info.
  4. Click on Decrypt FileVault Recovery Key.
  5. From the pop-up menu, specify whether Hexnode has automatically encrypted your FileVault Recovery Key or the key was encrypted using a selected certificate.
    1. If the FileVault Recovery Key was encrypted automatically by Hexnode, click on Decrypt.
    2. If the recovery key was encrypted using a certificate, choose the certificate to decrypt the key and then click on Decrypt.

The key will be displayed next to FileVault Recovery Key; this can be used to decrypt the macOS disk.

Note:


The FileVault Recovery Key cannot be retrieved if the device was encrypted before enrollment or before a FileVault policy was associated with it. Learn more about FileVault decryption on an already encrypted Mac.

Exception:


If you encounter an issue, “This recovery key might not be valid because the current recovery key is not retrievable.” while retrieving the recovery key, try turning off the device’s FileVault before applying the FileVault policy. Learn more

How to create certificates for FileVault recovery key encryption?

As mentioned earlier, the FileVault recovery key can be encrypted using a custom encryption certificate as opposed to Hexnode automatically encrypting and decrypting the key. Follow the steps mentioned below to create a custom encryption certificate.

On a Mac, open Terminal and run the command:

Upload “public.crt” corresponding to the option ‘Manually specify the encryption key’ in the policy for encryption using that certificate.

To decrypt the recovery key, upload “rsa_private.pem” in the ‘Decrypt FileVault Recovery Key’ pop-up.
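The following script is an added example (not Hexnode's own tooling) covering the escrow configuration above and this section: it generates a certificate pair of the kind uploaded as “public.crt” and “rsa_private.pem”, checks that the two belong together before the private key is ever uploaded, and verifies that a recovery key escrowed to the certificate can be recovered with the private key. It assumes the escrowed key is a CMS EnvelopedData blob addressed to the certificate (the form Apple's MDM protocol uses for the escrowed personal recovery key), that the OpenSSL command-line tool is installed, and that the sample key is a constructed value, not a real device's key.

```shell
#!/bin/sh
# Added example, not Hexnode's code. Assumes: OpenSSL CLI available, escrowed
# PRK is a CMS envelope addressed to public.crt, and SAMPLE_PRK is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; real keys belong offline

# 1. Create the certificate pair. public.crt is what goes into the policy under
#    "Manually specify the encryption key"; rsa_private.pem is only ever used in
#    the "Decrypt FileVault Recovery Key" pop-up and must be stored offline.
make_escrow_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -subj "/CN=FileVault Recovery Key Escrow" \
    -keyout "$WORK/rsa_private.pem" -out "$WORK/public.crt" >/dev/null 2>&1
  chmod 600 "$WORK/rsa_private.pem"
}

# 2. Check before uploading a private key: its modulus must match the
#    certificate that was in the policy when the device was encrypted.
keys_match() {  # $1 = certificate file, $2 = private key file
  c=$(openssl x509 -noout -modulus -in "$1")
  k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null)
  [ "$c" = "$k" ]
}

# 3. A personal recovery key is 24 alphanumeric characters in six groups of
#    four; reject anything else before treating it as a key.
valid_prk_format() {  # $1 = candidate key
  printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# 4. What the Mac does at escrow time: wrap the PRK in a CMS envelope for
#    public.crt. Emitted as base64 DER so it can be stored as a string.
escrow_prk() {  # $1 = plaintext PRK
  printf '%s' "$1" | openssl cms -encrypt -binary -aes256 -outform DER \
    -out "$WORK/prk.cms" "$WORK/public.crt"
  openssl base64 -A -in "$WORK/prk.cms"
}

# 5. What uploading rsa_private.pem achieves: open the envelope. A key that
#    does not match the certificate makes openssl fail rather than return junk.
recover_prk() {  # $1 = base64 CMS blob
  printf '%s' "$1" | openssl base64 -d -A |
    openssl cms -decrypt -inform DER -inkey "$WORK/rsa_private.pem"
}

# Demo run with a constructed key (not a real device's PRK).
make_escrow_cert
keys_match "$WORK/public.crt" "$WORK/rsa_private.pem"
SAMPLE_PRK="ABCD-EFGH-JKLM-NPQR-STUV-WXYZ"
valid_prk_format "$SAMPLE_PRK"
BLOB=$(escrow_prk "$SAMPLE_PRK")
echo "escrowed (truncated): $(printf '%s' "$BLOB" | cut -c1-40)..."
echo "recovered: $(recover_prk "$BLOB")"
```

Run the modulus check whenever a decryption attempt in the portal fails: a private key from a later certificate rotation will not open keys escrowed under the earlier certificate, which is the same reason the page says the encryption certificate cannot be changed once FileVault is enabled.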

Note:

  • If FileVault is already enabled on the device, associating a new FileVault policy or editing an associated policy has no effect on the device. In that case the device must be decrypted first, after which applying the policy starts the encryption.
  • The exception is the option ‘Prevent FileVault from being disabled’: you can turn it on or off in an already associated policy, and the change is applied to the device without the user having to decrypt and re-enable FileVault. The updated policy is associated with the device automatically.
  • Options such as Encrypt using, Escrow Personal Recovery Key, and Encryption certificate cannot be changed once the policy is in effect and FileVault is enabled.

What happens at the device end?


Once the policy is associated, users cannot modify the FileVault settings under System Preferences > Security & Privacy > FileVault; the settings configured in the policy are enforced.
