Cannot Turn on Filevault Again Authentication High Sierra

Securing sensitive company data is one of the top priorities for any IT department. For businesses that run on Apple, FileVault is an essential tool for Mac security. By encrypting all of the data on a Mac computer's startup disk, FileVault makes company information unreadable to unauthorized users.

In this article, we'll review what FileVault is and how it can be used to secure Mac computers, then discuss how admins can deploy it and how FileVault recovery keys should be managed.

What Does FileVault Do?

First, the review: FileVault encrypts all data on a Mac's startup disk, allowing that information to be accessed only after valid login credentials have been entered. FileVault encrypts data in the background, so employees may not even know it's happening, and they can keep using their devices while encryption is taking place.

FileVault has been a part of macOS since 2005 and the release of Mac OS X Panther (10.3). In those early days, its powers were limited. It could only encrypt a user's home folder, leaving the rest of the data stored on the device unprotected. It was, however, able to encrypt information on the fly, while users were still using the device.

This early form of FileVault also let users create FileVault recovery keys to decrypt and access their home folder data, a safety precaution to make sure users wouldn't lose their data if they forgot their credentials. They could also use a master password, separate from their user password, to decrypt the computer.

In Mac OS X Lion (10.7), Apple released FileVault 2. It was more robust in a number of ways. For instance, while the original FileVault (referred to as Legacy FileVault) could encrypt only a user's home folder data, FileVault 2 encrypts the entire startup disk, still without interrupting users.

FileVault 2 was also a step up in strength, using XTS-AES-128 encryption with a 256-bit key. And, most significantly for admins, FileVault 2 can be deployed and managed centrally by an IT department using MDM.

How to Enable FileVault

Enabling FileVault disk encryption is a straightforward way for admins to prevent unauthorized access to company data on user devices. You can use an MDM solution such as Kandji to deploy, monitor, and manage FileVault on all of your macOS devices.

Using Kandji as an example, you can add a FileVault library item to a Blueprint; when enabled, that item will apply your chosen FileVault settings to every device in that Blueprint. You can configure it to be enforced immediately at the next login or allow the user to defer. You can also specify whether the Mac should be forcibly restarted, or whether the user should be reminded to restart, to initiate FileVault encryption.

You can also specify how FileVault recovery keys will be managed. If a user forgets their login credentials and cannot access their computer, an admin can use a FileVault recovery key to restore access to the data. Otherwise, without that key, no one can log in, and the files and settings on the computer will be inaccessible.

On an individual computer, when you enable FileVault 2, you're given two options for what to do if you forget a password: unlock using an iCloud account and password, or unlock using a FileVault recovery key. If you choose the FileVault recovery key option, you must keep a copy of the key securely stored somewhere (not on the encrypted startup disk). In most enterprise settings, the FileVault recovery key option is best, and you can enable it using an MDM solution like Kandji.

In Kandji, you can opt to show the key to the user when it's created or regenerated. But if your company requires high levels of security, you probably don't want to, because doing so introduces an unnecessary security risk. By hiding the keys, you retain the ability to delete users or wipe their disks when necessary, without worrying about whether the FileVault key might be used by a malicious user to access the data after those actions are taken.

You can also choose to escrow the recovery key to Kandji for safekeeping (where it can be viewed by admins) and to rotate the key on a regular schedule. If you do escrow the keys, you can always give them out to the user when needed, such as when resetting the user's password.

Kandji also has a built-in option for regenerating recovery keys when they are unknown. So if you enroll a Mac that has already been encrypted, Kandji can rotate and escrow a new recovery key by automatically prompting the end user to create a new one. See our support article for more on that.
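Whether you manage keys through an MDM or by hand, the first thing an admin wants is a way to confirm the posture the paragraphs above describe: is FileVault on, still encrypting, or off, and is a recovery key actually present? The following read-only POSIX shell check is an added example, not code from the Kandji article or from Kandji's own tooling. It relies on three real `fdesetup` verbs (`status`, `haspersonalrecoverykey`, `hasinstitutionalrecoverykey`) plus `fdesetup list`, which needs root and prints the accounts able to unlock the disk at boot. The sample output it falls back to on non-macOS systems is constructed, and the `risk=` labels are this example's own naming. One caveat it cannot close: a personal recovery key being present on the Mac says nothing about whether that key has been escrowed to your MDM; that has to be verified on the MDM side.

```shell
#!/bin/sh
# Added example, not from the Kandji article: a read-only FileVault posture
# check. On macOS it runs the real fdesetup commands; elsewhere it parses
# constructed sample output so the logic can be exercised offline.

# Map the text of `fdesetup status` to a single state word.
# Order matters: an "Encryption in progress" line follows "FileVault is On."
fv_state() {
  case "$1" in
    *"Encryption in progress"*) echo "encrypting" ;;
    *"Decryption in progress"*) echo "decrypting" ;;
    *"Deferred enablement"*)    echo "deferred" ;;
    *"FileVault is On"*)        echo "on" ;;
    *"FileVault is Off"*)       echo "off" ;;
    *)                          echo "unknown" ;;
  esac
}

# Pull the number out of "Encryption in progress: Percent completed = NN".
fv_percent() {
  printf '%s\n' "$1" | sed -n 's/.*Percent completed = *\([0-9]*\).*/\1/p' | head -n 1
}

# `fdesetup list` prints one "name,UUID" line per FileVault-enabled account;
# only those accounts can unlock the disk at boot. Return the names, space-separated.
fv_enabled_users() {
  printf '%s\n' "$1" | sed -n 's/^\([^,][^,]*\),.*/\1/p' | paste -sd' ' -
}

# Combine state and recovery-key presence into one summary line with a risk label.
# $1 = fdesetup status text, $2 = haspersonalrecoverykey (true/false),
# $3 = hasinstitutionalrecoverykey (true/false). Risk labels are this example's own.
fv_posture() {
  state=$(fv_state "$1")
  risk=none
  case "$state" in
    off|deferred|decrypting) risk=unencrypted ;;
    on|encrypting)
      if [ "$2" != "true" ] && [ "$3" != "true" ]; then
        risk=no-recovery-key   # a forgotten password would make the data unrecoverable
      fi ;;
    *) risk=unknown ;;
  esac
  echo "state=$state prk=$2 irk=$3 risk=$risk"
}

if command -v fdesetup >/dev/null 2>&1; then
  STATUS=$(fdesetup status 2>/dev/null || true)
  PRK=$(fdesetup haspersonalrecoverykey 2>/dev/null || echo unknown)
  IRK=$(fdesetup hasinstitutionalrecoverykey 2>/dev/null || echo unknown)
  USERS=$(fdesetup list 2>/dev/null || true)   # needs root; empty otherwise
else
  # Constructed sample output, not captured from a real Mac.
  STATUS='FileVault is On.
Encryption in progress: Percent completed = 42'
  PRK=true
  IRK=false
  USERS='alice,11111111-2222-3333-4444-555555555555
bob,66666666-7777-8888-9999-000000000000'
fi

echo "$(fv_posture "$STATUS" "$PRK" "$IRK")"
[ "$(fv_state "$STATUS")" = "encrypting" ] && echo "progress=$(fv_percent "$STATUS")%"
echo "filevault_users=$(fv_enabled_users "$USERS")"
```

Run it as root on a managed Mac and feed the summary line to whatever inventory you use; the `risk=no-recovery-key` case is the one to alert on, because it is exactly the situation the article warns about: an encrypted disk that nobody can unlock once the user forgets their password.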

FileVault and Other Security Measures

FileVault can be complemented by other security features, such as requiring users to log back into their devices whenever a device wakes from sleep or leaves the screen saver. After a device is first powered on, only FileVault-enabled users can log in; anyone else will have to wait until the disk has been unlocked by a FileVault-enabled user.

Apple's introduction of the T2 security chip, and then Apple silicon, complicated this picture, because full-disk encryption is already active on Mac computers with that hardware, even if FileVault isn't enabled on them.

But FileVault can still add a layer of security, by requiring users to enter their login credentials to decrypt the disk. So it's recommended that you use FileVault 2 on Mac computers with the T2 chip or Apple silicon. The one major exception: when the device is shared among multiple users, such as in a computer lab.

FileVault, Secure Token, and Bootstrap Token

The encryption picture was further complicated when Apple introduced the secure token account attribute in macOS High Sierra. As of that release, if you want to enable FileVault for an account on an encrypted Apple File System (APFS) volume, that account first has to be granted a secure token.

Once that's done, the account can create other accounts, which are automatically granted a secure token. But there are two significant exceptions: when an Active Directory account is used, or when a local account is created using command-line tools. In those two cases, new accounts are not automatically granted a secure token, so FileVault 2 cannot be enabled for them. Admins must take extra steps to enable such accounts for FileVault.

Another wrinkle came with macOS Catalina, when Apple introduced the bootstrap token. Bootstrap tokens can help with granting a secure token to both Active Directory mobile accounts and optional administrator accounts created during device enrollment. When a bootstrap token is escrowed to Kandji, macOS can request that token when an Active Directory mobile account signs in and generate a secure token for that user account.

In macOS 11 or later, a bootstrap token can also be used to authorize the installation of kernel extensions and software updates on managed Mac computers with Apple silicon. The bootstrap token is also used to authorize the Erase All Content and Settings command on macOS 12.0.1 or later.
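The secure-token and bootstrap-token rules in this section are easy to get wrong across a fleet, and the symptom is usually a FileVault enablement that silently never happens for one account. The following POSIX shell check is an added example, not from the Kandji article or from Kandji, that classifies whether an account is ready for FileVault by reading the real `sysadminctl -secureTokenStatus <user>` and `profiles status -type bootstraptoken` output on macOS; on other systems it falls back to constructed sample text so the logic can be run offline. The readiness labels are this example's own naming. Note that `sysadminctl` writes its status line to stderr, which is why the script captures `2>&1`, and that the `needs-admin-grant` case corresponds to the "extra steps" the article mentions: an existing secure-token admin has to grant the token (the real `sysadminctl -secureTokenOn` verb) before FileVault can be turned on for that account.

```shell
#!/bin/sh
# Added example, not from the Kandji article: classify whether an account can
# have FileVault enabled, based on its secure token and on whether a bootstrap
# token is escrowed to the MDM server. Uses real macOS tools when present,
# otherwise constructed sample output so the logic can be exercised offline.

# `sysadminctl -secureTokenStatus <user>` prints (on stderr) a line such as
# "Secure token is ENABLED for user alice".
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo "enabled" ;;
    *"Secure token is DISABLED"*) echo "disabled" ;;
    *)                            echo "unknown" ;;
  esac
}

# `profiles status -type bootstraptoken` prints two YES/NO lines:
# "Bootstrap Token supported on server: YES" and "Bootstrap Token escrowed to server: YES".
bootstrap_token_state() {
  supported=$(printf '%s\n' "$1" | sed -n 's/.*supported on server: *\([A-Z]*\).*/\1/p' | head -n 1)
  escrowed=$(printf '%s\n' "$1" | sed -n 's/.*escrowed to server: *\([A-Z]*\).*/\1/p' | head -n 1)
  echo "supported=${supported:-UNKNOWN} escrowed=${escrowed:-UNKNOWN}"
}

# Readiness labels (this example's own):
#   ready              - account holds a secure token; FileVault can be enabled for it
#   pending-bootstrap  - no secure token, but a bootstrap token is escrowed, so an
#                        AD mobile account receives one at its next login
#   needs-admin-grant  - no secure token and no escrowed bootstrap token; an existing
#                        secure-token admin must grant one (sysadminctl -secureTokenOn)
#   unknown            - secure token status could not be read
fv_account_readiness() {
  token=$(secure_token_state "$1")
  bootstrap=$(bootstrap_token_state "$2")
  case "$token" in
    enabled) echo "ready" ;;
    disabled)
      case "$bootstrap" in
        *"escrowed=YES"*) echo "pending-bootstrap" ;;
        *)                echo "needs-admin-grant" ;;
      esac ;;
    *) echo "unknown" ;;
  esac
}

ACCOUNT="${1:-$(id -un)}"
if command -v sysadminctl >/dev/null 2>&1 && command -v profiles >/dev/null 2>&1; then
  TOKEN_OUT=$(sysadminctl -secureTokenStatus "$ACCOUNT" 2>&1 || true)
  BOOT_OUT=$(profiles status -type bootstraptoken 2>&1 || true)
else
  # Constructed sample output, not captured from a real Mac.
  TOKEN_OUT="sysadminctl[100:200] Secure token is DISABLED for user $ACCOUNT"
  BOOT_OUT='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
fi

echo "account=$ACCOUNT secure_token=$(secure_token_state "$TOKEN_OUT")"
echo "$(bootstrap_token_state "$BOOT_OUT")"
echo "readiness=$(fv_account_readiness "$TOKEN_OUT" "$BOOT_OUT")"
```

Pass the account name as the first argument (it defaults to the current user) and run it from an admin session. Accounts created by command-line tools or bound through Active Directory, the two exceptions the article calls out, are the ones that typically land in `pending-bootstrap` or `needs-admin-grant`.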

About Kandji

The Kandji team is constantly working on solutions to streamline your workflow and secure your devices. With powerful and time-saving features such as zero-touch deployment, one-click compliance templates, and plenty more, Kandji has everything you need to bring your Apple fleet into the modern workplace.

This article was substantially updated January 14, 2022.

Request access to Kandji today.


Source: https://blog.kandji.io/guide-for-apple-it-managing-filevault
