Disk Encryption Configurations
You can use a disk encryption configuration in Jamf Pro to manage and enable FileVault on computers.
You can set the following with a disk encryption configuration:
The type of recovery key to use for recovering encrypted data. There are three recovery key options you can choose from:
- Individual (also known as “Personal”)—
Uses a unique alphanumeric recovery key for each computer. The personal recovery key is generated on the computer and sent back to Jamf Pro to be escrowed when the encryption takes place.
- Institutional—
Uses a shared recovery key. This requires you to create the recovery key with Keychain Access and upload it to Jamf Pro for storage. Because the single private key of that certificate unlocks every computer that uses the configuration, protect the exported private key as you would any master secret.
- Individual and Institutional—
Uses both types of recovery keys.
The user for which to enable FileVault. You can use one of the following options:
- Management Account—
Makes the management account on the computer the enabled FileVault user.
Note: The management account cannot be used to enable FileVault on computers with macOS 10.13 or later if the account was created by Jamf Pro, because such an account does not hold a SecureToken.
If you make the management account the enabled FileVault user on computers with macOS 10.9–10.12.x, or macOS 10.14 or later, you will be able to issue a new recovery key to those computers later if necessary.
- Current or Next User—
Makes the user that is logged in to the computer when the encryption takes place the enabled FileVault user. If no user is logged in, the next user to log in becomes the enabled FileVault user.
The event that activates FileVault depends on the enabled FileVault user specified in the disk encryption configuration. Consider the following scenarios:
If the enabled user is Management Account, FileVault is activated on a computer the next time the computer restarts.
If the enabled user is Current or Next User, FileVault is activated on a computer the next time the current user logs out or the computer restarts. You can also configure the policy to defer FileVault enablement until after multiple user logins have occurred.
Bootstrap Tokens on macOS 11 or Later
If you are using Jamf Pro to escrow a Bootstrap Token on computers with macOS 11 or later, all account types can receive a SecureToken the first time a user logs in. This allows you to enable FileVault for any account type.
For more information about escrowing a Bootstrap Token with Jamf Pro, see the Manually Leveraging Apple's Bootstrap Token Functionality article.
For more information about Bootstrap Token and SecureToken on macOS, see Use secure token, bootstrap token, and volume ownership in deployments in Apple Platform Deployment.
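The SecureToken and Bootstrap Token conditions above decide which enabled-user option will actually work on a given Mac. The following pre-flight script is an added example, not Jamf's own code: it reads the output of `sysadminctl -secureTokenStatus`, `profiles status -type bootstraptoken` and `sw_vers`, and applies the rule this page describes. The management account name `jamfadmin` is an assumption; pass your own as the first argument.

```shell
#!/bin/bash
# Added example (not Jamf's own code): pre-flight check for choosing the
# enabled FileVault user in a disk encryption configuration. Run as root on
# the Mac (or as a Jamf policy script). Management account name is assumed.
MGMT_ACCOUNT="${1:-jamfadmin}"

# `sysadminctl -secureTokenStatus <user>` writes a single line to stderr of
# the form "Secure token is ENABLED for user ..." or "... DISABLED ...".
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# `profiles status -type bootstraptoken` reports whether the Bootstrap Token
# is supported by and escrowed to the MDM server.
bootstrap_token_escrowed() {
    case "$1" in
        *"escrowed to server: YES"*) echo YES ;;
        *"escrowed to server: NO"*)  echo NO ;;
        *)                           echo UNKNOWN ;;
    esac
}

# The rule from the page: the management account can only be the enabled
# FileVault user when it holds a SecureToken. Otherwise fall back to
# "Current or Next User"; on macOS 11 or later with the Bootstrap Token
# escrowed, any account that logs in receives a SecureToken, so that option
# works for every account type.
fv_user_recommendation() {
    token="$1"; escrow="$2"; major="$3"
    if [ "$token" = ENABLED ]; then
        echo "Management Account"
    elif [ "$escrow" = YES ] && [ "$major" -ge 11 ]; then
        echo "Current or Next User (any account type gets a SecureToken at login)"
    else
        echo "Current or Next User (only existing SecureToken holders can enable FileVault)"
    fi
}

# Live check, only on macOS; the parsing functions above run anywhere.
if [ "$(uname)" = Darwin ]; then
    token_out=$(sysadminctl -secureTokenStatus "$MGMT_ACCOUNT" 2>&1)
    escrow_out=$(profiles status -type bootstraptoken 2>&1)
    major=$(sw_vers -productVersion | cut -d. -f1)
    token=$(secure_token_state "$token_out")
    escrow=$(bootstrap_token_escrowed "$escrow_out")
    echo "macOS $major; SecureToken for $MGMT_ACCOUNT: $token; Bootstrap Token escrowed: $escrow"
    echo "Suggested enabled FileVault user: $(fv_user_recommendation "$token" "$escrow" "$major")"
fi
```

Run it before scoping the policy: a `DISABLED` result for the management account on macOS 10.13 or later means a configuration that names Management Account as the enabled user will fail to turn FileVault on, and Current or Next User is the option to use.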
Creating a Disk Encryption Configuration
To use either the “Institutional” recovery key or the “Individual and Institutional” recovery key options in the disk encryption configuration, you must first create and export a recovery key using Keychain Access. For more information, see the Creating and Exporting an Institutional Recovery Key in the Administering FileVault on macOS 10.14 or Later with Jamf Pro technical paper.
- In Jamf Pro, click Settings in the top-right corner of the page.
- In the Computer Management section, click Disk Encryption Configurations.
- Click New.
- Configure the disk encryption configuration using the fields and options on the pane.
- Click Save.
Your disk encryption configuration can now be deployed to computers.
Deploying a Disk Encryption Configuration Using a Policy
To enable FileVault on a computer, the computer must be running macOS 10.8 or later and have a “Recovery HD” partition.
The policy runs on computers the next time they check in with Jamf Pro. FileVault is enabled for the user selected in the disk encryption configuration.
Issuing a New FileVault Recovery Key Using a Policy
You can use a policy to issue a new FileVault recovery key to computers with macOS 10.9–10.12.x, or macOS 10.14 or later that are FileVault-enabled.
This allows you to do the following:
Update the recovery key on computers on a regular schedule, without needing to decrypt and then re-encrypt the computers.
Replace a personal (also known as "individual") recovery key that has been reported as invalid and does not match the recovery key escrowed in Jamf Pro.
You can create a smart group to verify the recovery key on computers on a regular basis, for example with the FileVault 2 Individual Key Validation criterion set to Invalid, and scope the reissue policy to that group.
To issue a new personal recovery key to a computer, the computer must have the following:
macOS 10.9–10.12.x or macOS 10.14 or later
A “Recovery HD” partition
FileVault enabled
One of the following two conditions met:
The management account configured as the enabled FileVault user
An existing, valid personal recovery key that matches the key stored in Jamf Pro
To issue a new institutional recovery key to a computer, the computer must have the following:
macOS 10.9–10.12.x
A “Recovery HD” partition
FileVault enabled
The management account configured as the enabled FileVault user
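The prerequisites listed above for issuing a new personal recovery key can be checked locally from `fdesetup` output. The script below is an added example, not Jamf's own code: it parses `fdesetup status` and `fdesetup list`, optionally validates the key escrowed in Jamf Pro with `fdesetup validaterecovery`, and applies the "management account enabled, or existing key still valid" rule. The management account name `jamfadmin` is an assumption; `fdesetup validaterecovery` is assumed to read the key from stdin and print `true` or `false`.

```shell
#!/bin/bash
# Added example (not Jamf's own code): check whether this Mac meets the
# prerequisites for a new personal recovery key. Run as root. Arguments:
#   $1  management account name (assumed default: jamfadmin)
#   $2  personal recovery key currently escrowed in Jamf Pro (optional)
MGMT_ACCOUNT="${1:-jamfadmin}"
ESCROWED_KEY="${2:-}"

# `fdesetup status` prints "FileVault is On." or "FileVault is Off." on its
# first line (progress lines may follow while encryption is in flight).
filevault_on() {
    case "$1" in
        *"FileVault is On."*) echo YES ;;
        *)                    echo NO ;;
    esac
}

# `fdesetup list` prints one "username,UUID" line per enabled FileVault user.
fv_user_enabled() {
    user="$1"; listing="$2"
    if printf '%s\n' "$listing" | grep -q -- "^$user,"; then
        echo YES
    else
        echo NO
    fi
}

# The rule from the page: FileVault must be on, and either the management
# account is an enabled FileVault user or the escrowed personal key still
# matches the one on disk.
can_issue_personal_key() {
    fv="$1"; mgmt="$2"; key_valid="$3"
    if [ "$fv" = YES ] && { [ "$mgmt" = YES ] || [ "$key_valid" = true ]; }; then
        echo YES
    else
        echo NO
    fi
}

# Live check, only on macOS and only as root (fdesetup requires it).
if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ]; then
    fv=$(filevault_on "$(fdesetup status)")
    mgmt=$(fv_user_enabled "$MGMT_ACCOUNT" "$(fdesetup list)")
    key_valid=false
    if [ -n "$ESCROWED_KEY" ]; then
        # Assumption: validaterecovery reads the key from stdin and answers
        # true/false. Use its -inputplist form if your macOS version differs.
        key_valid=$(printf '%s\n' "$ESCROWED_KEY" | fdesetup validaterecovery)
    fi
    echo "FileVault on: $fv; $MGMT_ACCOUNT enabled: $mgmt; escrowed key valid: $key_valid"
    echo "Eligible for a new personal recovery key: $(can_issue_personal_key "$fv" "$mgmt" "$key_valid")"
fi
```

A `NO` result with FileVault on means neither condition holds: the management account is not an enabled FileVault user and the escrowed key no longer validates, so the reissue policy will not succeed until an enabled user authenticates (for example, by re-enabling the management account with the user's credentials) or the volume is decrypted and re-encrypted.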