IBM Security MaaS360

macOS FileVault Recovery Key

By Hemanth Raju posted 3 days ago


macOS FileVault with MaaS360

Co-author - @Shameem Akhtar

Introduction:
Users may keep sensitive content on their Mac that needs to be protected, whether the Mac is personal or corporate. Apple provides the FileVault feature on the Mac to secure that data with a key. On Apple silicon and Apple T2 Security Chip Macs the data is encrypted by default; FileVault adds extra security by ensuring there is no access without the login password and by providing a key to unlock the disk if the user forgets that password.

macOS FileVault & MDM:
For enrolled devices, MDM can force users to turn on FileVault and can retrieve the recovery key. This key is securely presented to MDM administrators for use if the user forgets their Mac login password or if the Mac disk volume has to be unlocked to read its data.

MDM methods to enable FileVault - 

  • Personal recovery key (PRK) - when set, the admin is presented with a 16 (or 24) character string as the key to unlock the encrypted disk.
  • Institutional recovery key (IRK) - when set, the admin uses a private key / certificate to unlock the encrypted disk.

Note that there are always two users at play here -

  • IT Admin, i.e. the MaaS360 Admin,
  • End user / Mac user.

How to use 'Personal recovery key' (PRK) - 

  • From the MaaS360 Portal, navigate to Security > Policies > macOS MDM Policy > edit > Configuration > FileVault >
    • enable 'Configure FileVault Settings'
    • set 'Configure FileVault Settings type' to MDM
    • enable 'Use Personal Recovery Key'
    • set 'Max Bypass Attempts'
  • Save, publish & assign this policy to the Mac device.
  • To enable FileVault, the Mac user will now see a system prompt asking them to enter their Mac login password in order to set the recovery key. This prompt may appear when they restart the Mac or log out.
    • They can skip it, but only the number of times set in 'Max Bypass Attempts'.
    • Once the bypass count is reached, the system won't allow them to log in to the Mac until they enter the password to enable FileVault.
  • Once the Mac user enables FileVault, the MaaS360 Admin can see two changes in the Device view of this Mac:
    • Navigate to Devices > My User's MacBook > More > FileVault Recovery Key
      • Here, the string marked 'Personal key for the device - ' can be used to unlock the disk if the user forgets their password.
    • Navigate to Devices > My User's MacBook > Summary > under the Security & Compliance section
      • FileVault Enabled - says whether the feature is enabled, either via MDM or because the user explicitly enabled it before enrolling in MDM.
      • Has Personal Recovery key - says whether MaaS360 has retrieved the recovery key successfully.
  • If the policy with FileVault is assigned but 'FileVault Enabled' = Yes & 'Has Personal Recovery key' = No, the admin can use the 'Escrow FileVault Recovery Key' option under More to generate & retrieve a new Personal Recovery Key.
    • When the 'Escrow FileVault Recovery Key' action is taken on the Mac, the user is prompted to enter their Mac login password, after which a new key is generated & uploaded to the MaaS360 portal.
    • If there are several devices with no recovery key, create a Device Group with this set of devices & take the 'Escrow FileVault Recovery Key' action under the More option,
      • using this condition for the filter: 'Data Encryption' - 'FileVault Recovery Key Present' Equal to 'No'.

How to use 'Institutional Recovery Key' (IRK) - 

  • From the MaaS360 Portal, navigate to Security > Policies > macOS MDM Policy > edit > Configuration > FileVault >
    • enable 'Configure FileVault Settings'
    • set 'Configure FileVault Settings type' to MDM
    • enable 'Use Institutional Recovery Key'
    • upload 'Certificate used for encryption'
      • follow the steps in Apple's article to generate the certificate - https://support.apple.com/en-in/101315
    • upload 'Keychain used for recovery'
      • This is an optional parameter: the keychain generated in the previous step, which contains the private key from the institutional recovery keychain. It is stored on the portal for admins to download for later use; it is not sent to the device.
  • Save, publish & assign this policy to the Mac device.
  • As explained in https://support.apple.com/en-in/HT202385, use the command below to unlock & mount the disk.
    • E.g. assume a startup volume named Macintosh HD & a recovery-key file named InstitutionalKey_60036237_7701369 under /Users/ITAdmin/Downloads/:
      diskutil ap unlockVolume "Macintosh HD" -recoveryKeychain /Users/ITAdmin/Downloads/InstitutionalKey_60036237_7701369
    • Or, if you use the original keychain, say FileVaultMaster.keychain, then:
      diskutil ap unlockVolume "Macintosh HD" -recoveryKeychain /Users/ITAdmin/Documents/Repo/FileVaultMaster.keychain
    • For testing purposes, one can partition the Mac, install macOS on that volume, enroll the device with the FV IRK policy, retrieve the key, etc. Then boot back to the previous volume and try to unlock the FV-enabled volume with this key using the commands above.
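As an added example (not from the original post and not MaaS360's own tooling), the script below classifies a Mac's FileVault state the way the portal's 'FileVault Enabled' and 'Has Personal Recovery key' fields do, for both the PRK and IRK flows described above, so an admin can tell from the device itself whether the 'Escrow FileVault Recovery Key' action is still needed. It assumes Apple's built-in fdesetup tool; the state names printed by fv_state are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post and not MaaS360's own tooling:
# classify a Mac's FileVault state the way the portal's "FileVault Enabled"
# and "Has Personal Recovery key" fields do, so an admin can tell whether the
# 'Escrow FileVault Recovery Key' action is still needed on that device.
#
# fv_state STATUS HASPRK HASIRK prints one of:
#   not-enabled    FileVault is off: the user has not completed the MDM prompt
#   escrow-needed  FileVault is on, but neither a PRK nor an IRK is present
#   prk / irk / prk+irk   FileVault is on and these key types are present
# STATUS is the first line of `fdesetup status`; HASPRK and HASIRK are the
# "true"/"false" outputs of `fdesetup haspersonalrecoverykey` and
# `fdesetup hasinstitutionalrecoverykey`.
fv_state() {
    status="$1"; hasprk="$2"; hasirk="$3"
    case "$status" in
        "FileVault is Off."*) echo not-enabled; return 0 ;;
        "FileVault is On."*) ;;
        *) echo unknown; return 1 ;;
    esac
    if [ "$hasprk" = "true" ] && [ "$hasirk" = "true" ]; then
        echo prk+irk
    elif [ "$hasprk" = "true" ]; then
        echo prk
    elif [ "$hasirk" = "true" ]; then
        echo irk
    else
        echo escrow-needed
    fi
}

# Live check on the Mac itself (macOS only; run with sudo). fdesetup is
# Apple's built-in FileVault tool; the three verbs used here are documented
# in its man page.
fv_check_live() {
    fv_state "$(fdesetup status | head -n 1)" \
             "$(fdesetup haspersonalrecoverykey)" \
             "$(fdesetup hasinstitutionalrecoverykey)"
}

# Run the live check only when asked for on macOS, so the file can also be
# sourced elsewhere just to reuse fv_state on captured fdesetup output.
if [ "$(uname)" = "Darwin" ] && [ "${FV_LIVE:-0}" = "1" ]; then
    fv_check_live
fi
```

On a device that received an IRK-only policy, `irk` is the expected result and no escrow is needed; `escrow-needed` on a PRK-policy device is exactly the 'FileVault Enabled' = Yes, 'Has Personal Recovery key' = No case where the escrow action applies.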

Note for an end user - 

  • When you enroll the Mac and receive a policy with FV-IRK, you need to enter your Mac user password when you log out or restart the Mac to trigger the encryption process & key generation.
  • When the device is locked or in recovery, retrieve the key from the admin & use it to unlock the disk as explained above.

If your MaaS360 MDM policy has both PRK & IRK set to Yes -

  • Then the admin can view both the key string & the keychain/cert, and unlocking the disk with either is possible.
  • If you have IRK on and have distributed the policy to devices, then later decide to turn on PRK, existing devices won't report a PRK back until you force escrow using the action from the device view. Newly enrolled devices will automatically upload both IRK & PRK, readily available for admins.

If you try to renew or push a new IRK to devices -

  • Say the admin used Keychain-A to encrypt MacOne & MacTwo, then updates the policy with Keychain-B and assigns it to MacOne, MacTwo and (newly enrolled) MacThree.
  • Note that the admin can unlock MacThree's volumes with Keychain-B, but MacOne & MacTwo will still need Keychain-A to decrypt/unlock their volumes.
  • So the renewal process on existing devices may need the admin's intervention in the case of an Institutional Recovery Key.
