FileVault Management

What is FileVault?

FileVault is the name for macOS disk encryption. The current version is FileVault2, which uses the AES-XTS mode of AES with 128-bit blocks and a 256-bit key to encrypt the disk. FileVault-enabled users can unlock the disk with their password at the pre-boot stage on a FileVault-enabled macOS device.

In the case of a forgotten password, the disk can be unlocked by a personal or institutional recovery key, depending on how FileVault has been set up. Personal recovery keys are device specific and allow a device user to log in and then change their password. Institutional recovery keys allow a company administrator to unlock a device's disk with the master institutional recovery key and back up its files. The institutional recovery key does not allow the user to log in again; once files are backed up, the system will need to be reinstalled.

Note: See Apple documentation on how to create and use an institutional key: https://support.apple.com/en-gb/HT202385.

Recovery Keys: Personal and Institutional

Through KACE Cloud MDM, you can choose whether to use a personal recovery key, an institutional recovery key, or both. You can also choose whether to show the personal recovery key to the user during FileVault setup and whether to include the personal recovery key in KACE Cloud MDM's device inventory process.

An encryption certificate must be supplied if you wish to include the personal recovery key during inventory, and the matching decryption certificate is required if you wish to view the decrypted key in KACE Cloud MDM. The encryption certificate is sent to the device, but the decryption certificate is only stored in KACE Cloud MDM. A self-signed certificate can be used.

Note: See Apple documentation on how to create a self-signed certificate: https://support.apple.com/en-gb/guide/keychain-access/kyca8916/mac.

Personal recovery key encryption and decryption will work with the default values.

Warning: If a user has forgotten both their password and their personal recovery key, the personal recovery key has not been reported to KACE Cloud MDM, and there is no institutional recovery key, then the device must be reinstalled. All data will be lost.

Configuration

New FileVault configurations can be created in the library, then applied to devices. FileVault configurations can also be applied to one or more devices using a policy. A device's FileVault configuration cannot be changed once it has been applied to the device, enabled, and the disk encrypted. Certificates will be required for FileVault configurations with an institutional recovery key or configurations that report and decrypt the personal recovery key to KACE Cloud MDM.

Note: If you have previously applied FileVault to any of your macOS devices, or if device users have enabled FileVault themselves, KACE Cloud MDM FileVault configurations cannot be installed.

Certificates

Importing Certificates to KACE Cloud MDM

To use certificates as public key chains in KACE Cloud MDM, export the public key chain created as described in the Apple documentation above. Before they can be imported, these certificates must be exported into a compatible format using the Keychain Access tool.

Exporting Public Certificates from Keychain Access

Note: See instructions on how to export items from a key chain: https://support.apple.com/en-gb/guide/keychain-access/kyca35961/mac.

To export a public certificate, such as the public FileVault recovery key or the certificate used for encryption, create a .cer file export: export the certificate from Keychain Access, select Certificate (.cer) as the File Format, then upload the .cer file to the KACE Cloud Certificate Library.

Exporting Private Certificates From Keychain Access

Master key chain exports, and exports of a decryption certificate, should be in the .p12 or .pfx file format and protected with a password. To do this, export the certificate from Keychain Access and select Personal Information Exchange (.p12) as the File Format.

You will then be asked to secure the export with a password, which will be required when uploading the private certificate exports to the KACE Cloud Certificate Library.
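The following is an added example, not part of the KACE Cloud MDM documentation: an OpenSSL alternative to the Keychain Access steps above that produces a self-signed personal recovery key encryption certificate in the two formats the library expects, a DER .cer (public, sent to devices) and a password-protected .p12 (private, kept only in KACE Cloud MDM), and then checks that the two files really are a matching pair. The subject name, file names and export password are constructed values.

```shell
#!/bin/sh
# Added example (not KACE Cloud MDM's own tooling): build and verify a
# self-signed PRK escrow certificate pair with OpenSSL instead of Keychain Access.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
P12_PASSWORD='constructed-export-password'   # re-entered when uploading the .p12

# Generate a key pair and self-signed certificate (RSA 2048, 1 year; constructed subject).
make_prk_escrow_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=FileVault PRK Escrow (constructed)' \
        -keyout "$WORKDIR/prk-escrow.key" -out "$WORKDIR/prk-escrow.pem" 2>/dev/null
    # Public certificate only, DER-encoded: the "Certificate (.cer)" export format.
    openssl x509 -in "$WORKDIR/prk-escrow.pem" -outform DER -out "$WORKDIR/prk-escrow.cer"
    # Private key plus certificate, password-protected: the ".p12" export format.
    openssl pkcs12 -export -inkey "$WORKDIR/prk-escrow.key" -in "$WORKDIR/prk-escrow.pem" \
        -passout "pass:$P12_PASSWORD" -out "$WORKDIR/prk-escrow.p12"
}

# Returns 0 when the .cer and the certificate inside the .p12 have the same
# SHA-256 fingerprint, i.e. the decryption certificate matches the encryption
# certificate that devices will receive.
verify_cert_pair_matches() {
    cer_fp=$(openssl x509 -in "$WORKDIR/prk-escrow.cer" -inform DER -noout -fingerprint -sha256)
    p12_fp=$(openssl pkcs12 -in "$WORKDIR/prk-escrow.p12" -passin "pass:$P12_PASSWORD" \
                -nokeys -clcerts 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    [ -n "$cer_fp" ] && [ "$cer_fp" = "$p12_fp" ]
}

# Returns 0 only if the .p12 cannot be opened with a wrong password.
verify_p12_needs_password() {
    ! openssl pkcs12 -in "$WORKDIR/prk-escrow.p12" -passin 'pass:wrong' -nokeys >/dev/null 2>&1
}
```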


Library-level Actions

Add FileVault Certificates to Certificate Library

  1. Select the Libraries tab in top navigation.
  2. Click Certificates.
  3. Choose a certificate to upload.
  4. Click Add options.
    • If adding a public certificate add 'Public' to the description field.
    • If adding a private certificate like a FileVault master key export or a decryption certificate add 'Private' to the description field.
    • If adding a master key or decryption certificate, fill in the password field. This password must match the password entered when exporting the master key or decryption certificate.

  5. Click Add.

FileVault Configuration Options

KACE Cloud MDM has the following options available when creating a FileVault configuration.

  1. Name - A name must be entered and must be unique in the FileVault library.
  2. Institutional recovery key - optional, but required if not using a personal recovery key.
    • Add institutional recovery key certificate - an exported public certificate from a FileVault key chain must be chosen from the certificate library. This certificate is sent to the device.
  3. Personal recovery key - optional, but required if not using an institutional recovery key.
    • Show the personal recovery key to the device user - option to show the personal recovery key to the device user during FileVault setup (required if not reporting the personal recovery key during inventory).
    • Report the device's personal recovery key during inventory - option to allow the personal recovery key to be reported during KACE Cloud MDM inventory (required if the personal recovery key is not shown to the device user).
    • Escrow Description - a short text shown to the user indicating that their recovery key is reported to KACE Cloud MDM.
    • Add personal recovery key encryption certificate - the certificate used to encrypt the personal recovery key when it is reported to KACE Cloud MDM during inventory. This certificate is sent to the device.
    • Allow KACE Cloud MDM to decrypt personal recovery key - allow KACE Cloud MDM to decrypt the personal recovery key.
    • Add personal recovery key decryption certificate - the private certificate matching the encryption certificate added above.
  4. FileVault - Unlock after hibernation (optional)
  5. FileVault - Set enablement bypass limit - Allows the device user to bypass FileVault a set number of times.

Create FileVault Configuration in Library

To create and save a FileVault configuration:

  1. Select the Libraries tab in top navigation.
  2. Click FileVault Settings.
  3. Click Add New.
  4. Name your new configuration.
  5. Click Save.

Edit FileVault Configuration in Library

Note: If devices are associated with the FileVault configuration, you will be prevented from changing it.

  1. Select the Libraries tab in top navigation.
  2. Click FileVault Settings.
  3. Select a configuration from the main list.
  4. In the right panel, click Edit. Note that if a configuration is linked to devices, it cannot be edited.
  5. Make edits to any available fields, then click Save.

Remove FileVault Configuration from Library

  1. Select the Libraries tab in top navigation.
  2. Click FileVault Settings.
  3. Select a configuration from the main list.
  4. In the right panel, click Remove.
    • This action will delete a FileVault configuration from the library, and from any policies to which it has been linked.
    • All linked devices with the FileVault configuration will have the profile removed.
    • If FileVault has been set up following the profile installation, removing the profile from the device will not automatically decrypt the device. This will have to be done manually.
  5. Click Confirm.

Change Institutional Key

Note: If unencrypted devices are associated with a FileVault configuration, you will be prevented from changing the institutional recovery key. Running an inventory will update the encryption status of a device.

  1. Select the Libraries tab in top navigation.
  2. Click FileVault Settings.
  3. Select a configuration from the main list with an institutional recovery key.
  4. In the right panel, click Rotate Institutional Recovery Key.
  5. Enter a FileVault user's password (required for APFS systems).
  6. Select the current institutional key private certificate.
  7. Select the new institutional key public certificate.
  8. Click Save.
    • This action will change the institutional recovery key for all associated devices.

View Institutional Key History

If a command to rotate a device's institutional recovery key has failed or timed out while attempting to connect to the device, the history of the institutional recovery key is available in the institutional recovery key section of the FileVault configuration. Using the device history view, the last successful key rotation can be determined and matched up to the device history, allowing an unresponsive device to be unlocked. To view a previous institutional recovery key:

  1. Select the Libraries tab in top navigation.
  2. Click FileVault Settings.
  3. Select the chosen configuration from the main list.
  4. Go to the Institutional Recovery Key Details section.
  5. Match the last institutional key to the device history.
  6. Click the certificate name to view the recovery key details.

Device-level Actions

Set FileVault Configuration

To set a FileVault configuration for a macOS device:

  1. Select the Devices tab in top navigation.
  2. Select one or more devices.
  3. In the right panel, select FileVault.
  4. Choose an existing FileVault configuration, then click Set FileVault Configuration.

Note: If KACE Cloud MDM records one or more of the selected devices as encrypted, you will be prevented from setting a FileVault configuration. If this is incorrect, run an inventory on the devices and the encryption status will be updated. The current encryption status of a macOS device can be seen under the Security section of the device's General panel.

Clear FileVault Configuration

The Clear FileVault Configuration command will remove the KACE Cloud FileVault configuration profile from the device.

  1. Select the Devices tab in top navigation.
  2. Select a device from the list.
  3. In the right panel, select FileVault.
  4. Choose Clear Configuration.
  5. Click Confirm.

Caution: Removing the profile will not automatically disable FileVault and decrypt the device. FileVault will need to be disabled manually before the device is decrypted.

View and Decrypt Personal Recovery Key

The personal recovery key can be used by device users to log into their device. If a user has forgotten their password, KACE Cloud MDM can display the device's personal recovery key, granting them access.

Note: You can only view the personal recovery key if you have chosen to report the key during the inventory.

  1. Select the Devices tab in top navigation.
  2. Select a device from the list.
    • Device must have been instructed to report the recovery key during inventory.
  3. In the right panel, select General.
  4. Scroll down to Security.
  5. Next to Encrypted File Vault Personal Recovery Key, click View.
    • This will show the encrypted key as reported during inventory.
    • The Decrypt button will only be available if the associated FileVault configuration has the decryption certificate.
  6. Click Decrypt, if available.

Change Personal Recovery Key

If a user has had to use their personal recovery key to gain access to their device, the recovery key can be changed through KACE Cloud MDM.

Note: This process requires the password of a FileVault-enabled user, unless the device is using a CoreStorage volume, in which case the password will be the old recovery key.

  1. Select the Devices tab in top navigation.
  2. Select a device from the list that has been instructed to report the recovery key during inventory.
  3. In the right panel, select General.
  4. Scroll down to the Security section.
  5. Next to Encrypted File Vault Personal Recovery Key, click Change.
  6. Enter the password or old recovery key, then click Change Personal Recovery Key.
    • If the command succeeds, the device will immediately respond with the new recovery key. This can be viewed and decrypted as mentioned above.

Lock or Reset a FileVault Enabled macOS Device

An encrypted macOS device can still be locked and wiped remotely provided a user has unlocked FileVault and the device is up and running. If the device is waiting to be unlocked, no MDM command will be able to reach it.

Device View

This shows the results of applying a FileVault configuration to a device.

First Login

Once a FileVault configuration has been applied to the device, the user will see a screen similar to the one below after logging in for the first time.

If the configuration allows the user to bypass FileVault enablement, the user can click Cancel and continue logging in. If the configuration does not allow the device user to bypass, clicking Cancel will send them back to the login screen.

Showing The Personal Recovery Key

If the configuration is set up to show the device user their personal recovery key, they will see a screen similar to the one below.

Once the user logs in, they can see the encryption progress via the FileVault section on the Security and Privacy system preference panel.

Verifying 'Require Unlock After Hibernation'

Verifying the success of the 'Require Unlock After Hibernation' setting can be difficult. The setting is not displayed in Profiles like most other MDM configurations. However, there is a command to view the status of this field.

Run the following command in Terminal: pmset -g. It prints output similar to the following screen:

Notice that 'DestroyFVKeyOnStandby' is set to 1. This means 'Require Unlock After Hibernation' has been enabled for this device; the default is 0. If the device in the screenshot were in hibernation, a FileVault password would be required when it is woken up.
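As an added example that is not part of the KACE Cloud MDM documentation, the check above can be scripted so that an administrator auditing several Macs gets a pass/fail result instead of reading the pmset output by eye. The sample pmset output embedded here is constructed so the script can also be exercised on a non-macOS host; the line format (setting name, then value) follows what pmset -g prints.

```shell
#!/bin/sh
# Added example (not from the KACE Cloud MDM documentation): verify the
# 'Require Unlock After Hibernation' setting by parsing `pmset -g` output.
# Assumption: the setting surfaces as the DestroyFVKeyOnStandby line, 1 = on.

# Reads pmset text on stdin. Returns 0 when DestroyFVKeyOnStandby is 1,
# 1 when it is 0 or absent (the default state), 2 if the value is unexpected.
check_destroy_fv_key() {
    value=$(awk '$1 == "DestroyFVKeyOnStandby" { print $2 }')
    case "$value" in
        1)    echo "Require Unlock After Hibernation: enabled"; return 0 ;;
        ""|0) echo "Require Unlock After Hibernation: NOT enabled (default 0)"; return 1 ;;
        *)    echo "Unexpected DestroyFVKeyOnStandby value: $value"; return 2 ;;
    esac
}

# Constructed, trimmed samples of `pmset -g` output for offline testing.
SAMPLE_ENABLED='System-wide power settings:
Currently in use:
 standby              1
 DestroyFVKeyOnStandby 1
 hibernatemode        3
 displaysleep         10'

SAMPLE_DEFAULT='System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        3
 displaysleep         10'

# Audits the local machine when pmset exists (macOS); otherwise runs the
# enabled sample so the script still demonstrates the check elsewhere.
audit_this_host() {
    if command -v pmset >/dev/null 2>&1; then
        pmset -g | check_destroy_fv_key
    else
        printf '%s\n' "$SAMPLE_ENABLED" | check_destroy_fv_key
    fi
}
```

Because the setting is absent from the pmset listing when it has never been set, the check treats a missing line the same as an explicit 0.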

Booting to Device Recovery Mode

Booting to a device’s recovery partition is slightly different when FileVault is enabled in macOS 10.15. You are first asked for a FileVault user’s password.

If no passwords are known, but a personal recovery key has been set up, then that key can be entered to unlock recovery mode.

If no personal recovery key exists, you will have to know a FileVault user's password to continue.

Upon entering a correct personal recovery key, you can change the password for any user.

The change password screen.

If no personal recovery key or passwords are known, the disk can be erased. To erase the disk: Click Recovery Assistant, then Erase Mac.

Note: You will not need the recovery key or a user's password if you boot to an alternative source like a USB drive. However, this will require the firmware password if one is set for the device.


Known Issues

The following are known issues with using FileVault and MDM:

  1. Changing the recovery keys through KACE Cloud MDM requires the password of a FileVault user.
    • There is no workaround for APFS systems, which have been mandatory since macOS 10.14.
    • The institutional recovery key can be changed using the master key chain on HFS systems, which are only supported on macOS 10.3.
  2. The device user can enable FileVault before initial log out even if a FileVault profile has been installed.
    • The workaround is to prevent FileVault access through a restriction profile.
  3. The device user can change their personal recovery key through Terminal if they have admin permissions. This means the personal recovery key stored in KACE Cloud MDM could be out of date.
    • If institutional recovery keys are used alongside personal recovery keys then no data is lost.
    • Another workaround is to prevent users from having administrator permissions.
  4. If a DEP admin account has been created during setup and is added to FileVault, changing the DEP admin account password through MDM does not update the FileVault record. So the old password unlocks the disk but the new one is required to log in.
    • The workaround is to enable Remote Desktop and change the DEP admin account password manually.
  5. Removing the FileVault profile does not disable FileVault.
    • FileVault has to be disabled manually.
  6. A FileVault configuration profile cannot be installed on a device with FileVault enabled.