Disk Encryption Configurations

You can use a disk encryption configuration in Jamf Pro to manage and enable FileVault on computers.

You can set the following with a disk encryption configuration:

  • The type of recovery key to use for recovering encrypted data. There are three recovery key options you can choose from:

    • Individual (also known as “Personal”)

      Uses a unique alphanumeric recovery key for each computer. The personal recovery key is generated on the computer and sent back to Jamf Pro to be escrowed when the encryption takes place.

    • Institutional

      Uses a shared recovery key. This requires you to create the recovery key with Keychain Access and upload it to Jamf Pro for storage.

    • Individual and Institutional

      Uses both types of recovery keys.

  • The user for which to enable FileVault. You can use one of the following options:

    • Management Account

      Makes the management account on the computer the enabled FileVault user.

      Note:

The management account cannot be used to enable FileVault on computers with macOS 10.13 or later if the account was created by Jamf Pro, because such an account does not have a SecureToken.

      If you make the management account the enabled FileVault user on computers with macOS 10.9–10.12.x, or macOS 10.14 or later, you will be able to issue a new recovery key to those computers later if necessary.

    • Current or Next User

      Makes the user that is logged in to the computer when the encryption takes place the enabled FileVault user. If no user is logged in, the next user to log in becomes the enabled FileVault user.

The event that activates FileVault depends on the enabled FileVault user specified in the disk encryption configuration. Consider the following scenarios:

  • If the enabled user is Management Account, FileVault is activated on a computer the next time the computer restarts.

  • If the enabled user is Current or Next User, FileVault is activated on a computer the next time the current user logs out or the computer restarts. You can also configure the policy to defer FileVault enablement until after multiple user logins have occurred.

Bootstrap Tokens on macOS 11 or Later

If you are using Jamf Pro to escrow a Bootstrap Token on computers with macOS 11 or later, all account types can receive a SecureToken the first time a user logs in. This allows you to enable FileVault for any account type.

For more information about escrowing a Bootstrap Token with Jamf Pro, see the Manually Leveraging Apple's Bootstrap Token Functionality article.

For more information about Bootstrap Token and SecureToken on macOS, see Use secure token, bootstrap token, and volume ownership in deployments in Apple Platform Deployment.

Creating a Disk Encryption Configuration

Requirements

To use either the “Institutional” recovery key or the “Individual and Institutional” recovery key option in the disk encryption configuration, you must first create and export a recovery key using Keychain Access. For more information, see the “Creating and Exporting an Institutional Recovery Key” section of the Administering FileVault on macOS 10.14 or Later with Jamf Pro technical paper.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Computer Management section, click Disk Encryption Configurations.
  3. Click New.
  4. Configure the disk encryption configuration using the fields and options on the pane.
  5. Click Save.

Your disk encryption configuration can now be deployed to computers.

Deploying a Disk Encryption Configuration Using a Policy

Requirements

To enable FileVault on a computer, the computer must be running macOS 10.8 or later and have a “Recovery HD” partition.

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Policies in the sidebar.
  3. Click New.
  4. Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.
  5. Select the Disk Encryption payload and click Configure.
  6. Choose Apply Disk Encryption Configuration from the Action pop-up menu.
  7. Choose the disk encryption configuration you want to deploy from the Configuration pop-up menu.
    Note:

    The Configuration pop-up menu only lists options if one or more disk encryption configurations have been created in Jamf Pro.

  8. Choose an event from the Require FileVault 2 pop-up menu to specify when users must enable disk encryption.
  9. Use the Restart Options payload to configure settings for restarting computers.
  10. Click the Scope tab and configure the scope of the policy.
  11. (Optional) Click the Self Service tab and make the policy available in Self Service.
  12. (Optional) Click the User Interaction tab and configure messaging and deferral options.
  13. Click Save.

The policy is deployed to computers the next time they check in with Jamf Pro. FileVault is enabled for the user selected in the disk encryption configuration.

Issuing a New FileVault Recovery Key Using a Policy

You can use a policy to issue a new FileVault recovery key to computers with macOS 10.9–10.12.x, or macOS 10.14 or later that are FileVault-enabled.

This allows you to do the following:

  • Update the recovery key on computers on a regular schedule, without needing to decrypt and then re-encrypt the computers.

  • Replace a personal (also known as "individual") recovery key that has been reported as invalid and does not match the recovery key escrowed in Jamf Pro.

Note:

You can create a smart group to verify the recovery key on computers on a regular basis.
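The smart group mentioned in the note above is built from inventory data, and the usual way to feed it custom data is an extension attribute script. The following script is an added example, not Jamf's own code: it reports the FileVault state from `fdesetup status`, whether the management account is an enabled FileVault user according to `fdesetup list`, and whether a Bootstrap Token has been escrowed according to `profiles status -type bootstraptoken`, which are the conditions the requirements below and the Bootstrap Token section above depend on. The management account name (`jamfadmin`) is an assumption and should be replaced with your own; the parsers take captured command output as arguments so they can be exercised with the constructed sample text in the comments on any machine, and the live commands only run when `fdesetup` is present.

```shell
#!/bin/sh
# Added example (not Jamf's own code): an extension-attribute-style script that
# summarises the FileVault inputs a smart group needs before a policy issues a
# new recovery key. Command output is passed into the parsers as text so the
# logic can be tested with constructed samples off-device.

MGMT_ACCOUNT="${MGMT_ACCOUNT:-jamfadmin}"   # assumed management account name

# Classify the text printed by `fdesetup status`, e.g.
#   "FileVault is On."
#   "FileVault is On.\nEncryption in progress: Percent completed = 12."
fv_state() {
    case "$1" in
        *"Encryption in progress"*) echo "Encrypting" ;;
        *"Decryption in progress"*) echo "Decrypting" ;;
        *"Deferred enablement"*)    echo "Deferred" ;;
        *"FileVault is On."*)       echo "On" ;;
        *"FileVault is Off."*)      echo "Off" ;;
        *)                          echo "Unknown" ;;
    esac
}

# Succeed if account $1 appears in `fdesetup list` output ($2), which is one
# "shortname,UUID" line per enabled FileVault user.
fv_user_enabled() {
    printf '%s\n' "$2" | grep -qi "^$1,"
}

# Succeed if `profiles status -type bootstraptoken` output ($1) reports that
# the token has been escrowed to the MDM server.
bootstrap_escrowed() {
    case "$1" in
        *"escrowed to server: YES"*) return 0 ;;
        *)                           return 1 ;;
    esac
}

# Build the single-line summary an extension attribute would return.
# $1: fdesetup status output, $2: fdesetup list output, $3: profiles output
fv_summary() {
    state=$(fv_state "$1")
    if fv_user_enabled "$MGMT_ACCOUNT" "$2"; then
        mgmt="mgmt-enabled"
    else
        mgmt="mgmt-not-enabled"
    fi
    if bootstrap_escrowed "$3"; then
        bt="bootstrap-escrowed"
    else
        bt="bootstrap-missing"
    fi
    echo "$state;$mgmt;$bt"
}

# On a Mac, collect live output and print the Jamf extension attribute result.
if command -v fdesetup >/dev/null 2>&1; then
    status_out=$(fdesetup status 2>/dev/null)
    list_out=$(fdesetup list 2>/dev/null)
    bt_out=$(profiles status -type bootstraptoken 2>/dev/null)
    echo "<result>$(fv_summary "$status_out" "$list_out" "$bt_out")</result>"
fi
```

Paste the script into a string-type extension attribute; a smart group can then use criteria such as the attribute containing `On;mgmt-enabled` to scope the "Issue New Recovery Key" policy only to computers that meet the management-account condition, and `bootstrap-missing` to find macOS 11 or later computers where the Bootstrap Token has not yet been escrowed.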

Requirements

To issue a new personal recovery key to a computer, the computer must have the following:

  • macOS 10.9–10.12.x or macOS 10.14 or later

  • A “Recovery HD” partition

  • FileVault enabled

  • One of the following two conditions met:

    • The management account configured as the enabled FileVault user

    • An existing, valid personal recovery key that matches the key stored in Jamf Pro

To issue a new institutional recovery key to a computer, the computer must have the following:

  • macOS 10.9–10.12.x

  • A “Recovery HD” partition

  • FileVault enabled

  • The management account configured as the enabled FileVault user

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Policies in the sidebar.
  3. Click New.
  4. Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.
  5. Select the Disk Encryption payload and click Configure.
  6. Choose Issue New Recovery Key from the Action pop-up menu.
  7. Select the type of recovery key you want to issue:
    • Individual

      A new personal (also known as "individual") recovery key is generated on each computer and then submitted to Jamf Pro for storage.

    • Institutional

      A new institutional recovery key is deployed to computers and stored in Jamf Pro.

      To issue a new institutional recovery key, you must choose the disk encryption configuration that contains the institutional recovery key you want to use.

    • Individual and Institutional

      Issues both types of recovery keys to computers.

  8. Use the Restart Options payload to configure settings for restarting computers.
  9. Click the Scope tab and configure the scope of the policy.
  10. (Optional) Click the Self Service tab and make the policy available in Self Service.
  11. (Optional) Click the User Interaction tab and configure messaging and deferral options.
  12. Click Save.