By Megan Anderson Posted November 25, 2019
Full disk encryption (FDE) is one of the most valuable security measures an IT organization can enforce to keep its confidential information secure. Apple® has made it relatively straightforward to implement FDE with its bundled solution, FileVault2, but the challenge for IT admins is to implement it in a scalable way throughout their enterprises. Here, we will guide you through making the implementation of FDE on macOS® systems more manageable.
What is Full Disk Encryption?
The short explanation of full disk encryption is that it’s the process of converting “on-disk” data into unreadable code that cannot be deciphered by anyone unauthorized to access it. When FDE is enabled through software such as FileVault2, users can decrypt the information on their macOS system by entering the correct password or providing their recovery key. Without the recovery key or any form of backup authentication, the data on a user’s Mac device could be lost.
How Full Disk Encryption Works on Mac
Full disk encryption on macOS is enabled through FileVault2, which can be turned on for a user as long as they have a Secure Token. (Without a Secure Token on modern macOS versions, FileVault2 cannot be enabled for a user.) The most straightforward method to obtain Secure Tokens for users is to create users manually on their device. Users with Secure Tokens can also be created remotely, albeit with a few extra steps.
Once FileVault2 is enabled, a recovery key is generated for the user. That recovery key is the only way to decrypt the Mac should the user be locked out of their account for a number of reasons, among them hacking attempts, losing their password, or losing their device. There are different methods for integrating Macs into an IT environment depending on whether or not there is a directory service in place and which directory service — if any — is being used.
Enforcing FDE Without a Directory
Without a directory, enforcing FDE on a fleet of Macs can be very time-consuming and complicated. First, you must enable FileVault2, either manually or using a third-party service. Only some third-party tools offer single-step fleet encryption, and the implementation complexity of those varies. If done manually, you need to repeat the process on each device individually.
Then, you need to escrow keys in a cryptographically secure vault, again set up manually or by using a third-party service. If using an external service, you have to make sure that it adequately secures access to the recovery keys. Few services offer adequate security for storing your keys comfortably, so to avoid future issues, it’s best to thoroughly research your options before making a decision.
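When the process is repeated by hand on each device, a per-Mac check makes it easier to see which machines are encrypted and which users are blocked by a missing Secure Token. The script below is an added example, not part of the original article: the function names are hypothetical, the sample strings are constructed, and it assumes the usual output wording of `fdesetup status`, `sysadminctl -secureTokenStatus` and `fdesetup list` (the last one needs root).

```shell
#!/bin/sh
# Added example: per-Mac FileVault2 readiness check for one user.
# Parsers take command output as text, so they also run off a Mac.

# Assumed `fdesetup status` wording: "FileVault is On." / "FileVault is Off."
filevault_state() {
    case "$1" in
        *"FileVault is On."*) echo on ;;
        *) echo off ;;
    esac
}

# Assumed sysadminctl wording: "Secure token is ENABLED for user <name>"
has_secure_token() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# `fdesetup list` prints one "shortname,UUID" line per FileVault-enabled user.
# -F -x: match the whole short name literally, so "ali" never matches "alice".
is_filevault_user() {   # $1 = list output, $2 = short name
    printf '%s\n' "$1" | cut -d, -f1 | grep -Fqx -- "$2"
}

# Verdicts: blocked (off, no token), ready (off, token present),
#           on-user-missing (on, user cannot unlock), ok (on, user can unlock)
audit_user() {  # $1 = status out, $2 = token out, $3 = list out, $4 = user
    if [ "$(filevault_state "$1")" = off ]; then
        if has_secure_token "$2"; then echo ready; else echo blocked; fi
    elif is_filevault_user "$3" "$4"; then
        echo ok
    else
        echo on-user-missing
    fi
}

if command -v fdesetup >/dev/null 2>&1; then
    # On a Mac: query the real tools (run as root so `fdesetup list` works).
    user="${1:-$(id -un)}"
    audit_user "$(fdesetup status)" \
               "$(sysadminctl -secureTokenStatus "$user" 2>&1)" \
               "$(fdesetup list 2>/dev/null)" "$user"
else
    # Elsewhere: constructed sample of a user who cannot be enabled yet.
    audit_user "FileVault is Off." "Secure token is DISABLED for user bob" "" bob
fi
```
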
Enforcing FDE Through Active Directory
Attempting to manage Macs through Microsoft® Active Directory® (AD) has never been easy, and enforcing FDE for Macs is generally no different. It begins with setting up a user in AD and then creating a mobile account for that user on the macOS X client. The macOS X client has a local directory that syncs with the user’s network home directory, thereby ensuring that each user has a Secure Token to enable FileVault2.
Once those are complete, you can turn on FileVault2 and select which users can unlock the encrypted disk upon startup. After that, you must enter the password for each user selected. Recovery keys will then be generated for those users, which you need to store somewhere secure (using a third-party service or a custom-made vault as described above). A restart is then required to begin the disk encryption, which could take hours to complete.
Enforcing FDE Through JumpCloud Directory-as-a-Service
JumpCloud® Directory-as-a-Service® is a unified FDE tool ideal for those without a directory service or those looking for a tool to help them automatically enforce FDE. On the admin side, you just need to add FileVault2 to the policies for Mac, configure it to your liking using preconfigured options, then apply it to your system group. The only step users have to take is to log in or log out. Once FileVault2 is enabled, users cannot disable it because it is a policy setting made by the IT team.
Secure Tokens are created for each user upon the JumpCloud agent installation. This valid user on the system is granted a recovery key, which is then automatically and securely escrowed. This ensures that the key to each user’s disk decryption is safely stored.