By Nick Scheidies Posted February 8, 2019
With the risk of stolen devices and data, and the resulting impact of compromised confidential information, many IT organizations are mandating full disk encryption (FDE) on their systems. It’s easy enough to enable FDE on any MacBook® or iMac® thanks to FileVault®. But no IT admin wants to walk to every workstation in the office and enable FileVault by hand. Instead, we’ll explain how to automate FDE enforcement with remote FileVault management.
Understanding FileVault & FDE
Let’s take a step back to define FDE. Full disk encryption keeps the contents of a computer’s hard drive encrypted whenever the system is not in use, so the data on the drive is protected from unauthorized access. When an admin or user with the appropriate credentials logs in, the drive is unlocked and decrypted transparently. FDE is one of the best safeguards for critical data in the event of a laptop going missing.
FileVault is an FDE feature that has been included with Mac® systems since 2003. The Windows® equivalent of FileVault is known as BitLocker.
Challenges with Enforcing FDE
The first challenge has historically been managing the rollout of FDE across an organization’s Windows and Mac systems. Until recently, IT admins have lacked adequate cross-platform FDE management tools, which has made it difficult to simplify FDE management for heterogeneous organizations.
The more significant challenge is that every system needs to be recoverable if a password is forgotten. Once a hard drive has been encrypted, it can’t be decrypted without the right password. Recovery keys exist for both FileVault and BitLocker to ensure that data isn’t lost because of a simple password mistake.
While recovery keys solve a major problem, they create another one: managing recovery keys across a large enterprise can be painful, and if you don’t take sufficient security precautions, the keys themselves become another vector for attacks.
That’s why the ability to both turn FileVault on and manage the recovery keys forms the core of remote FileVault management. Unfortunately, tooling that does this securely, and does it not only on macOS but also on Windows, has been hard to find. To truly achieve remote FileVault management, IT organizations need to overcome both of these FDE challenges, and do so in an automated manner.
Remote FileVault Management
Luckily, there is a modern approach to cloud identity management that has built full disk encryption management into its platform. Called JumpCloud® Directory-as-a-Service®, this cloud-forward approach to user and system management enables IT admins to step up their security by remotely managing FileVault, including individual recovery keys. FDE management for Windows machines via BitLocker is also supported.
To learn more about how JumpCloud enables organizations to remotely manage FileVault and recovery keys, watch the video above. This webinar not only provides an overview of FDE, but also includes a demo of JumpCloud’s FileVault policy in action. For more information about JumpCloud, you can get a demo from one of our technical specialists or register for our weekly webinar to receive an overview of the platform. Of course, you can also get started for yourself by signing up for a free account.