Starting with macOS 10.9, it is possible to encrypt the data on your hard drive, to prevent unauthorised access to your personal files. In Jamf School, you can force the devices in your institution to use FileVault 2.
- macOS 10.9 or higher
Enabling FileVault 2 in Jamf School
FileVault 2 can be enabled in the settings of a macOS profile.
For FileVault to work, the profile has to be installed through the device channel. For this reason, you need to push the profile through Jamf School to its associated devices. Downloading the profile for manual installation is disabled when a FileVault payload has been configured.
Note: If a user is not prompted to enable FileVault 2 after restarting, the device may be in a "deferred enablement" state within macOS. This usually happens when FileVault was previously set up and then disabled.
To clear "deferred enablement", uninstall any profile requiring FileVault to be enabled.
Then, with root privileges, run "fdesetup disable" in a terminal. You will be notified that FileVault is already disabled, but the "deferred enablement" state will be removed.
Afterwards, restart the device and push the profile requiring FileVault to be enabled again.
Recovery key type
With FileVault 2, two types of recovery keys can be used: personal and institutional.
A personal recovery key is automatically generated by the device. At the moment FileVault is enabled, the user sees a system dialog with an alphanumeric code of 24 characters.
The personal recovery key is displayed only once, so the user needs to write down the code, or store it in another way. For macOS 10.13 or higher, Jamf School can keep a personal key in escrow. For more information on recovery key escrow, please read Use FileVault 2 personal recovery key escrow.
You can also set an institutional recovery key, which is valid for multiple devices at once. This key has to be generated in advance. The institutional key is generated in the form of a keychain file and a certificate file.
You can set the institutional key by uploading the certificate in the certificates tab.
After the certificate has been uploaded, you can select the uploaded certificate in the dropdown menu.
For more information on generating and using an institutional recovery key, please read the article Use FileVault 2 with an institutional key.
When pushing the profile to associated devices, FileVault is not enabled immediately: the user must first log out before being prompted to enable FileVault. This is called deferred enablement. In Jamf School, you can set a few options to change the way FileVault is enabled. These options only apply to devices running macOS 10.10 or higher.
When selecting ‘Do not request enabling FileVault when user logs out’, the user will not be asked to enable FileVault when logging out. Instead, the user will be prompted the next time he logs in.
Usually, the user cannot bypass the FileVault prompt: FileVault must be enabled when he logs out. When ‘Allow user to bypass enabling FileVault’ is set, the user can cancel enabling FileVault. You can set a maximum number of times this can be done before FileVault has to be enabled.
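The note on "deferred enablement" above and the recovery key types can both be checked from the device side. The following script is an added example, not part of this article or of Jamf School: it classifies the text that `fdesetup status` prints (on, off, or deferred), combines it with the true/false answers of `fdesetup haspersonalrecoverykey` and `fdesetup hasinstitutionalrecoverykey`, and names the next step from the remediation described above. The sample outputs embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Classify FileVault state from the text `fdesetup status` prints.
# Results: on, off, deferred (FileVault still off, enablement pending), unknown.
# The deferred line is matched first because it appears together with "Off".
fv_state() {
  case "$1" in
    *"Deferred enablement appears to be active"*) echo deferred ;;
    *"FileVault is On"*) echo on ;;
    *"FileVault is Off"*) echo off ;;
    *) echo unknown ;;
  esac
}

# Next step for an admin, following the remediation in the note above.
fv_next_step() {
  case "$(fv_state "$1")" in
    on) echo "nothing to do" ;;
    off) echo "push the profile with the FileVault payload" ;;
    deferred) echo "remove the FileVault profile, run 'fdesetup disable' as root, restart, re-push" ;;
    *) echo "inspect fdesetup status manually" ;;
  esac
}

# Verdict from the status text plus the true/false output of
# `fdesetup haspersonalrecoverykey` ($2) and `fdesetup hasinstitutionalrecoverykey` ($3).
# Encrypted but with no recovery key of either type is flagged, since neither
# escrow nor an institutional key could then unlock the disk.
fv_audit() {
  state="$(fv_state "$1")"
  if [ "$state" != on ]; then
    echo "noncompliant:$state"
  elif [ "$2" = true ] || [ "$3" = true ]; then
    echo "compliant"
  else
    echo "noncompliant:no-recovery-key"
  fi
}

# Live check; only meaningful on a Mac, run as root. Not run when sourced.
fv_check_live() {
  status_out="$(fdesetup status 2>&1)" || true
  personal="$(fdesetup haspersonalrecoverykey 2>/dev/null)"
  institutional="$(fdesetup hasinstitutionalrecoverykey 2>/dev/null)"
  printf 'state=%s verdict=%s\n' "$(fv_state "$status_out")" \
    "$(fv_audit "$status_out" "$personal" "$institutional")"
  fv_next_step "$status_out"
}

# Constructed sample of the deferred state, as seen on an affected device.
SAMPLE_DEFERRED="$(printf 'FileVault is Off.\nDeferred enablement appears to be active for user %s.\n' "'jdoe'")"
[ "${1:-}" = live ] && fv_check_live
```

Run it as `sh fv_check.sh live` on the device to audit the real state; without the argument it only defines the functions.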
Personal recovery key escrow
For devices running macOS 10.13 or higher, we can keep the personal recovery key of a device in escrow. When a device has FileVault enabled and a personal key has been generated, the key can be retrieved as part of the device details page. For more information on recovery key escrow, please read Use FileVault 2 personal recovery key escrow.
When a device enters standby mode, the (encrypted) recovery key is stored in the EFI firmware so that the device can wake from standby more quickly. To maximize security, enabling this option ensures the recovery key is no longer stored in the firmware when the device goes into standby mode.
Please be advised that this option seems to interfere with the Power Nap setting, causing unexpected behaviour. In some cases, when this option and Power Nap are both set and the device goes into standby mode, the device turns itself off completely after some time. Please note that this option is only necessary for users who require protection against extremely aggressive attacks; otherwise the recovery key is stored in the EFI firmware in encrypted form.