In today’s mobile work and education environments, a key feature of Apple devices is the built-in macOS encryption technology that protects organisational data and user privacy. The latest computers with the Apple M1 chip have additional encryption features.
While these layers of security help protect devices in the hands of end users wherever they work or study, they also mean that Mac administrators need encryption privileges to access data and manage user accounts.
macOS FileVault, Apple’s native solution for full-disk encryption on the Mac, preserves your remote administrative access to data protected by user password encryption. But with multiple ways to enable and manage FileVault, it can be a challenge for Mac administrators to even know where to start.
To help you understand your organisation’s best practices, our webinar “How to Manage FileVault with Jamf” provides expert guidance on how to make the most of FileVault’s remote management potential.
The webinar provides an overview of Apple’s native technology, guidelines for choosing an enablement workflow, and advice on recovery key and password reset management.
Read on for some pointers on how to use FileVault and Jamf while maintaining the highest standards of security and providing the best user experience.
Why do I need to know about FileVault management?
If you’re responsible for managing your organisation’s Apple devices, whether with Jamf Pro, Jamf School or Jamf Now, you need to know and understand native Apple encryption technologies and how they fit into your desired outcome, so that you can choose the appropriate enablement workflow and deployment method. Different workflows and deployment methods for macOS computers can lead to different outcomes.
For a comprehensive overview, IT administrators should consult the Apple Platform Deployment Guide. For specific information about FileVault, see the section under the heading Securing Your Device.
macOS Encryption Building Blocks
Technologies that are critical to understanding macOS encryption and FileVault management include:
- SecureToken – An encryption key assigned during account creation, wrapped in the user’s password. A user needs one to be enabled for FileVault.
- Bootstrap token – When a SecureToken user is created or logs in, a further token is escrowed to the MDM server. Introduced in macOS 10.15.
- Volume Ownership – Specific to computers with Apple silicon. Allows users to access the owner identity key stored in the Secure Enclave. Required for installing software updates, managing legacy kernel extensions, and more.
Choose your deployment workflow
The Apple Platform Deployment Guide includes specific scenarios for reference so you can choose the right one for your organisation.
Mac set up by the user
True zero-touch deployment is the most direct path to FileVault enablement.
Mac set up by the organisation
If your IT administrators set up a new computer, they’ll be the first to get a token rather than the everyday user. In this case, you need to consider how your deployment affects token status.
There are also several scenarios where a Jamf policy may cause an unexpected user to get the first token if it is run before the user is created.
A best practice is to evaluate the goals and results of your deployment workflow so that you can determine whether you need to change or modify your enablement methods, and understand who gets the token when managing FileVault.
It’s easier to establish these practices on the front end of a deployment than to go back and fix them later.
Choosing a FileVault Enablement Method
You can choose from three main enablement methods for managing FileVault. You can use more than one method across your fleet, but any given computer should be targeted with only one.
- Configuration Profiles – Simple and straightforward for targeting.
- Jamf Pro Policies – Allows customisation of user experience and messaging.
- Jamf Connect Login – For newly deployed machines only.
The enablement method can be a matter of preference
Whether you use configuration profiles or policies, the most important consideration is that the method you choose to enable FileVault also lets you manage who holds encryption privileges.
FileVault reporting
Knowing whether FileVault has been successfully enabled, and which user the device was enabled for, is critical for compliance and reporting as well as for remediation.
Viewing individual computer records can reveal a wealth of inventory data, including:
- Encryption status
- Recovery key validity
- Recovery keys (viewable with the appropriate level of access)
- Disk encryption configuration (if enabled by policy)
In addition to the built-in inventory fields, IT administrators can use the fdesetup binary on macOS to collect custom inventory attributes and drill down into their deployment workflows.
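As an added example (not code from the webinar or from Jamf), the following is a Jamf Pro style extension attribute that combines the FileVault state reported by `fdesetup status` with the console user's SecureToken state from `sysadminctl`, covering the SecureToken and fdesetup points above. It assumes the `<result>` wrapper convention for extension attributes, takes the console user from the owner of `/dev/console`, and matches on the usual wording of the two commands' output; the sample strings used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the webinar or Jamf. The live fdesetup and
# sysadminctl calls exist only on macOS, so the parsing is kept in
# functions that can be exercised on sample output. The matched phrases
# are assumptions based on the usual wording of those commands.

# Reduce `fdesetup status` output to one token: On, Off, Deferred or Unknown.
# The deferred case is checked first because that output also says "Off".
parse_fv_state() {
    case "$1" in
        *"Deferred enablement appears to be active"*) echo "Deferred" ;;
        *"FileVault is On"*)  echo "On" ;;
        *"FileVault is Off"*) echo "Off" ;;
        *)                    echo "Unknown" ;;
    esac
}

# Reduce `sysadminctl -secureTokenStatus <user>` output to ENABLED/DISABLED/Unknown.
parse_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "ENABLED" ;;
        *"Secure token is DISABLED"*) echo "DISABLED" ;;
        *)                            echo "Unknown" ;;
    esac
}

# Build the reported line. FileVault On with no SecureToken for the console
# user means that account cannot unlock the disk, so it is flagged for review.
build_result() {
    fv="$1"; token="$2"; user="$3"
    if [ "$fv" = "On" ] && [ "$token" != "ENABLED" ]; then
        echo "FileVault=$fv SecureToken($user)=$token NEEDS_REVIEW"
    else
        echo "FileVault=$fv SecureToken($user)=$token"
    fi
}

# Live collection; the console user is taken from the owner of /dev/console.
main() {
    user="$(stat -f '%Su' /dev/console)"
    fv="$(parse_fv_state "$(fdesetup status 2>&1)")"
    token="$(parse_token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")"
    printf '<result>%s</result>\n' "$(build_result "$fv" "$token" "$user")"
}

# Only run the live queries on macOS, where the tools exist.
if [ "$(uname)" = "Darwin" ] && command -v fdesetup >/dev/null 2>&1; then
    main
fi
```

Running the script as an extension attribute lets a smart group target the NEEDS_REVIEW machines for remediation rather than discovering them at the next lock-out.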
Recovery key management and more
For ongoing management of device security, it is important to consider how recovery key management is handled.
For example, a user locked out of their computer may need to reset their password.
A Personal Recovery Key (PRK) can help, but for security reasons the best practice is to rotate it after it has been used. You can set FileVault policies to rotate and issue new recovery keys.
As with most FileVault operations, the initial decisions you make during setup are the most important. Decide what you want to happen, enable the workflows, and the automation in your MDM can do the rest for you.
For more detailed information on how to set up and manage FileVault in your organisation, please contact us.