Understanding Policies: BitLocker and FileVault 2

Written by Zach DeMeyer on January 20, 2020

Share This Article

By implementing Policies, JumpCloud® admins automate much of their system security management across their Windows®, Mac®, and Linux® fleets. Two specific Policies, BitLocker and FileVault 2, are key for enforcing full disk encryption (FDE) at scale across an organization’s Windows and Mac systems.

What are the BitLocker and FileVault 2 Policies?

The BitLocker (Windows) and FileVault 2 (Mac) Policies enable full disk encryption for their respective operating systems. More on full disk encryption in just a bit.

Both policies leverage native settings accessed via the JumpCloud system agent to enable FDE on a system. Once enabled, the BitLocker and FileVault 2 Policies also collect the associated recovery key (a necessary backup for FDE) and store it in escrow for safe keeping.

Why Use These Policies?

FDE is a practice that encrypts a system’s hard drive while at rest. That way, in the unfortunate event that a system is stolen or otherwise physically compromised, the data stored on its hard drive is rendered inaccessible to anyone who doesn’t have the unique recovery key or the user’s password. In this manner, FDE is one of the most powerful ways to defend a system’s data if the hard drive is compromised.

Unfortunately, there are many examples of physical theft of a laptop or other workstation that have led to a data breach, especially among healthcare organizations. As such, many compliance regulations require some sort of disk encryption for certification.

Many IT organizations, however, have found it difficult to enforce FDE across both Windows and Mac system fleets automatically at scale without leveraging several solutions to do so. Beyond that, very few FDE solutions on the market feature recovery key escrow, which is crucial to retrieving data on an encrypted drive should the end user forget their password or get locked out.

By leveraging the BitLocker and FileVault 2 Policies from JumpCloud, organizations can apply FDE en masse with just a couple clicks. JumpCloud also stores individual recovery keys so IT organizations can still unlock encrypted drives if a hard drive is removed or an end user forgets their password and can’t unlock their computer.

How to Use the FDE Policies

IT admins can enable all JumpCloud Policies directly from the Directory-as-a-Service Admin Portal by going to the Policies tab and applying them either to individual systems or Groups of systems. You can watch the video above for a more detailed tutorial.

Not a JumpCloud Customer?

Interested in fleetwide policy management for FDE and other security features at scale? Try JumpCloud Directory-as-a-Service®, the first cloud directory service, absolutely free. Just sign up for a JumpCloud account, which includes 10 complimentary users to get you started.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.

Continue Learning with our Newsletter