By Zach DeMeyer Posted June 24, 2019
Apple® recently announced macOS® 10.15, otherwise known as Catalina™. This new version of the Mac® operating system is due out in the fall of 2019. There were a number of announcements and previews to the OS, with considerable focus on the ability to manage macOS 10.15 systems across an organization. One area of interest are updates regarding macOS Catalina FileVault™ management.
What is FileVault?
FileVault was introduced in macOS 10.3 (called Panther) in 2003. Apple (and, to be fair, Microsoft®) realized that data on systems (especially laptops) was critical and could be easily compromised by either a stolen machine, hard drive removal, or by a hacker gaining access to the system. While encrypting the hard drive cannot prevent all losses of data, with their introduction of FileVault (and BitLocker from Microsoft in 2007), Apple believed that they could stem the tide of stolen data. Compliance regulations jumped on this and often added FDE to their requirements making it even more important for areas such as PCI, HIPAA, and others.
So, Apple and Microsoft each introduced their version of full disk encryption (FDE). Apple’s FileVault has continued to undergo various improvements and changes over the years. One recent change that has been quite challenging for IT admins to manage has been the introduction of Secure Token with macOS 10.13 (High Sierra).
The Secure Token
In order to implement FileVault on a macOS High Sierra system, that system’s user must have a Secure Token. But, only the system’s “original user”, often a local admin or other similar account, can grant Secure Tokens to subsequent users. This ‘chain of trust’ was Apple’s way of ensuring that Mac machines would stay secure with their rightful owners.
The challenge that this introduced was that remote identity providers, such as Microsoft Active Directory® and others, could not manage Secure Tokens properly, and thus could not create and modify users remotely. This dramatically broke the processes and approaches that Mac admins had taken to date in managing FileVault access.
Secure Token in Catalina
With macOS 10.15, Apple is improving how FileVault is managed remotely through new tooling for Secure Tokens. While the extent of these changes won’t be fully known until macOSCatalina is released, it does appear that MDM providers will be better able to remotely manage Secure Tokens for certain account types.
At this stage, it appears that MDM solutions will be able to remotely generate the initial Secure Token to start the chain of trust using a new feature called “bootstrap tokens”. The extent of their capabilities, however are unclear. As we approach the actual release of Catalina, we will continue to learn more of the specifics about Apple’s latest developments on improving the manageability of FileVault.
Managing FileVault with JumpCloud®
The engineering team here at JumpCloud has been actively working to manage user access on macOS systems for a number of years now. JumpCloud’s Directory-as-a-Service® platform has automated the management of Secure Tokens and, as a result, FileVault. Further, with a secure vault for escrowing individual recovery keys, the JumpCloud macOS FileVault management capabilities are comprehensive for Mac admins seeking to deploy FileVault across an enterprise.
FileVault management is just one of many JumpCloud Policies that admins can use to control their macOS fleets. Other Policies include screen saver lock, USB and Siri disabling, and more. With new capabilities introduced by Apple via the 10.15 release, JumpCloud will determine whether it can further enhance capabilities and increase ease of use with respect to macOS Catalina FileVault management.
Manage FileVault with JumpCloud
If you are interested in enabling and enforcing FileVault across your fleet of Mac systems, why not give JumpCloud a try? You can sign up for a JumpCloud account absolutely free, which includes ten users in the platform that your organization can leverage forever.