Disk Encryption Configurations

You can use a disk encryption configuration in Jamf Pro to enable and manage FileVault on computers with macOS 10.8 or later.

You can set the following with a disk encryption configuration:

  • The type of recovery key to use for recovering encrypted data. There are three recovery key options you can choose from:

    • Individual (also known as “Personal”)—Uses a unique alphanumeric recovery key for each computer. The individual recovery key is generated on the computer and sent back to Jamf Pro to be escrowed when the encryption takes place.

    • Institutional—Uses a shared recovery key. This requires you to create the recovery key with Keychain Access and upload it to Jamf Pro for storage.

    • Individual and Institutional—Uses both types of recovery keys.

  • The user for which to enable FileVault. You can use one of the following options:

    • Management Account—Makes the management account on the computer the enabled FileVault user.

      Note: On computers with macOS 10.13 or later, a management account that was created by Jamf Pro does not have a SecureToken and therefore cannot be used to enable FileVault.

      If you make the management account the enabled FileVault user on computers with macOS 10.9–10.12.x, or macOS 10.14 or later, you will be able to issue a new recovery key to those computers later if necessary.

    • Current or Next User—Makes the user that is logged in to the computer when the encryption takes place the enabled FileVault user. If no user is logged in, the next user to log in becomes the enabled FileVault user.

The event that activates FileVault depends on the enabled FileVault user specified in the disk encryption configuration. Consider the following scenarios:

  • If the enabled user is Management Account, FileVault is activated on a computer the next time the computer restarts.

  • If the enabled user is Current or Next User, FileVault is activated on a computer the next time the current user logs out or the computer restarts. You can also configure the policy to defer FileVault enablement until after multiple user logins have occurred.

Creating a Disk Encryption Configuration

Requirements

To use either the “Institutional” recovery key or the “Individual and Institutional” recovery key options in the disk encryption configuration, you must first create and export a recovery key using Keychain Access. For more information, see the Creating and Exporting an Institutional Recovery Key section of the Administering FileVault on macOS 10.14 or Later with Jamf Pro technical paper.

Procedure

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Computer Management.

  4. In the “Computer Management” section, click Disk Encryption Configurations.

  5. Click New.

  6. Configure the disk encryption configuration using the fields and options on the pane.

  7. Click Save.

Your disk encryption configuration can now be deployed to computers.

Deploying a Disk Encryption Configuration Using a Policy

Requirements

To enable FileVault on a computer, the computer must be running macOS 10.8 or later and have a “Recovery HD” partition.

Procedure

  1. Log in to Jamf Pro.

  2. Click Computers at the top of the page.

  3. Click Policies.

  4. Click New.

  5. Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.

  6. Select the Disk Encryption payload and click Configure.

  7. Choose "Apply Disk Encryption Configuration" from the Action pop-up menu.

  8. Choose the disk encryption configuration you want to deploy from the Disk Encryption Configuration pop-up menu.

    Note: The Disk Encryption Configuration pop-up menu only lists configurations that already exist in Jamf Pro. If it is empty, create a configuration first (see Creating a Disk Encryption Configuration).

  9. Choose an event from the Require FileVault2 pop-up menu to specify when users must enable disk encryption.

  10. Use the Restart Options payload to configure settings for restarting computers.

  11. Click the Scope tab and configure the scope of the policy.
    For more information, see Scope.

  12. (Optional) Click the Self Service tab and make the policy available in Self Service.
    For more information, see Items Available to Users in Jamf Self Service for macOS.

  13. (Optional) Click the User Interaction tab and configure messaging and deferral options.
    For more information, see User Interaction with Policies.

  14. Click Save.

The policy is deployed to computers the next time they check in with Jamf Pro. FileVault is enabled for the user selected in the disk encryption configuration.

Issuing a New FileVault Recovery Key Using a Policy

You can use a policy to issue a new FileVault recovery key to computers with macOS 10.9–10.12.x, or macOS 10.14 or later that are FileVault-enabled.

This allows you to do the following:

  • Update the recovery key on computers on a regular schedule, without needing to decrypt and then re-encrypt the computers.

  • Replace an individual recovery key that has been reported as invalid and does not match the recovery key escrowed in Jamf Pro.

Note: You can create a smart group to verify the recovery key on computers on a regular basis. For information on FileVault smart group criteria, see the Smart Group and Advanced Search Criteria for FileVault 2 and Legacy FileVault Knowledge Base article.

Requirements

To issue a new individual recovery key to a computer, the computer must have the following:

  • macOS 10.9–10.12.x, or macOS 10.14 or later

  • A “Recovery HD” partition

  • FileVault enabled

  • One of the following two conditions met:

    • The management account configured as the enabled FileVault user

    • An existing, valid individual recovery key that matches the key stored in Jamf Pro

To issue a new institutional recovery key to a computer, the computer must have the following:

  • macOS 10.9–10.12.x

  • A “Recovery HD” partition

  • FileVault enabled

  • The management account configured as the enabled FileVault user
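
The following is an added example, not Jamf Pro's own code and not from the technical paper: a POSIX shell script that checks the requirements listed above (for enabling FileVault with the management account, and for issuing a new individual recovery key) directly on a Mac, for instance as a script run by a Jamf policy before the encryption or re-issue policy is scoped. It encodes the macOS version ranges stated in this section and the SecureToken caveat from the configuration notes, and reads the live state from sw_vers, fdesetup status and sysadminctl -secureTokenStatus. Assumptions: the management account short name (jamfadmin, overridable with MGMT_ACCOUNT), an environment variable RECOVERY_KEY holding a key exported from Jamf Pro for validation, and the Password plist key for fdesetup validaterecovery -inputplist, which is from my reading of fdesetup(8) and should be confirmed against the man page on the target OS.

```shell
#!/bin/sh
# Added example (not Jamf Pro's own code): pre-flight checks a Mac must pass before a
# Jamf Pro disk encryption policy or an "Issue New Recovery Key" policy can succeed.
# Pure functions take command output as strings so they can be exercised off a Mac;
# run_checks() is the only part that calls the macOS tools and only runs on Darwin.
# Assumption: MGMT_ACCOUNT is the short name of the Jamf management account.

MGMT_ACCOUNT="${MGMT_ACCOUNT:-jamfadmin}"

# Split "10.15.7" / "14.2" / "11" into "major minor" (missing minor -> 0).
version_parts() {
    major=${1%%.*}
    rest=${1#*.}
    if [ "$rest" = "$1" ]; then minor=0; else minor=${rest%%.*}; fi
    echo "$major ${minor:-0}"
}

# 10.13 or later: the management account needs a SecureToken to be the enabled FileVault user.
needs_secure_token() {
    set -- $(version_parts "$1")
    if [ "$1" -gt 10 ] || { [ "$1" -eq 10 ] && [ "$2" -ge 13 ]; }; then echo yes; else echo no; fi
}

# "Issue New Recovery Key" (individual key) is supported on 10.9-10.12.x and 10.14 or later;
# 10.13 is excluded, matching the SecureToken gap described in the configuration notes.
reissue_supported() {
    set -- $(version_parts "$1")
    if [ "$1" -gt 10 ]; then echo yes
    elif [ "$1" -eq 10 ] && [ "$2" -ge 14 ]; then echo yes
    elif [ "$1" -eq 10 ] && [ "$2" -ge 9 ] && [ "$2" -le 12 ]; then echo yes
    else echo no; fi
}

# Classify `fdesetup status` output: on | off | deferred | unknown.
# A pending deferred enablement (what "Current or Next User" relies on) prints
# "Deferred enablement appears to be active for user '...'" below "FileVault is Off."
parse_fv_status() {
    case "$1" in
        *"Deferred enablement"*) echo deferred ;;
        *"FileVault is On"*)     echo on ;;
        *"FileVault is Off"*)    echo off ;;
        *)                       echo unknown ;;
    esac
}

# Classify `sysadminctl -secureTokenStatus <user>` output (it is written to stderr).
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Can the management account be the enabled FileVault user on this OS with this token state?
mgmt_account_ok() {
    if [ "$(needs_secure_token "$1")" = no ] || [ "$2" = enabled ]; then echo yes; else echo no; fi
}

# Confirm whether the key escrowed in Jamf Pro still unlocks this Mac before re-issuing it.
# The key goes to fdesetup as a plist on stdin, not on argv, so it never appears in `ps`.
# Prints "true" or "false". Requires root. Plist key name "Password" is assumed from fdesetup(8).
validate_recovery_key() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict><key>Password</key><string>%s</string></dict></plist>\n' "$1" \
        | fdesetup validaterecovery -inputplist
}

run_checks() {
    ver=$(sw_vers -productVersion)
    fv=$(parse_fv_status "$(fdesetup status 2>&1)")
    tok=$(parse_token_status "$(sysadminctl -secureTokenStatus "$MGMT_ACCOUNT" 2>&1)")
    echo "macOS $ver: FileVault=$fv, SecureToken($MGMT_ACCOUNT)=$tok"
    echo "Management account can be the enabled FileVault user: $(mgmt_account_ok "$ver" "$tok")"
    echo "A policy can issue a new individual recovery key: $(reissue_supported "$ver")"
    if [ -n "$RECOVERY_KEY" ]; then   # assumption: key exported from Jamf Pro by an admin
        echo "Escrowed key valid on this Mac: $(validate_recovery_key "$RECOVERY_KEY")"
    fi
}

if [ "$(uname)" = Darwin ]; then run_checks; fi
```

Run it as root on the Mac (Jamf policy scripts already run as root; validaterecovery needs it). A FileVault status of "deferred" with the management account as the intended enabled user indicates the policy is waiting on a logout or restart rather than failing. Treat the escrowed key exactly like any other credential: pass it through stdin as above rather than on the command line, and do not log the value.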

Procedure

  1. Log in to Jamf Pro.

  2. Click Computers at the top of the page.

  3. Click Policies.

  4. Click New.

  5. Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.
    For an overview of the settings in the General payload, see General Payload.

  6. Select the Disk Encryption payload and click Configure.

  7. Choose "Issue New Recovery Key" from the Action pop-up menu.

  8. Select the type of recovery key you want to issue:

    • Individual—A new individual recovery key is generated on each computer and then submitted to Jamf Pro for storage.

    • Institutional—A new institutional recovery key is deployed to computers and stored in Jamf Pro.
      To issue a new institutional recovery key, you must choose the disk encryption configuration that contains the institutional recovery key you want to use.

    • Individual and Institutional—Issues both types of recovery keys to computers.

  9. Use the Restart Options payload to configure settings for restarting computers.
    For more information, see Restart Options Payload.

  10. Click the Scope tab and configure the scope of the policy.
    For more information, see Scope.

  11. (Optional) Click the Self Service tab and make the policy available in Self Service.
    For more information, see Items Available to Users in Jamf Self Service for macOS.

  12. (Optional) Click the User Interaction tab and configure messaging and deferral options.
    For more information, see User Interaction with Policies.

  13. Click Save.

Related Information

For related information, see the following Knowledge Base article:

Smart Group and Advanced Search Criteria for FileVault 2 and Legacy FileVault
Learn about the smart computer group and advanced computer search criteria available for

For related information, see the following technical paper:

Administering FileVault on macOS 10.14 or Later with Jamf Pro
Get step-by-step instructions for administering FileVault on macOS 10.14 or later, including how to activate FileVault disk encryption using a configuration profile.

© copyright 2002-2020 Jamf. All rights reserved.