Endpoint Management

Getting Started with FileVault 2 in macOS

Last modified 7/7/2020

About

This guide explains how to get started encrypting your macOS devices with FileVault 2.

Getting Started

What is FileVault?

FileVault full-disk encryption uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk. This feature is built into macOS.

What is a Secure Token?

Secure Token is a per-user attribute that must be added to an account before that account can unlock the OS at boot. FileVault 2 relies on Secure Tokens to determine which users can unlock the encrypted volumes on FileVault-enabled devices.

The Secure Token is granted automatically to the account created during first-time setup.

What does the user experience look like?

Once FileVault is enabled and the device is encrypted, every restart begins with a new startup experience: a FileVault login screen. This screen looks like the traditional macOS login screen and is easily mistaken for it.

The users that can be selected at this screen are those whose accounts have a Secure Token.

If a user doesn't have a Secure Token, that user will not appear as a login option after a normal reboot and will not be able to unlock the drive to log in.
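The following audit script is an added example (not part of the original guide) that applies the Secure Token rule above: it classifies local accounts by whether they hold a Secure Token and whether they are already enabled for FileVault. It embeds constructed sample output in place of the real `sysadminctl -secureTokenStatus <user>` and `fdesetup list` commands so that it runs offline; on a Mac you would replace the sample functions with those command invocations.

```sh
#!/bin/sh
# Constructed sample of `fdesetup list` output (format: username,UUID).
FDE_LIST='alice,11111111-2222-3333-4444-555555555555'

# Constructed stand-in for `sysadminctl -secureTokenStatus <user>`. The real
# command writes a line like the ones below (with a timestamp and process id
# prefix) to stderr; the last sample line is a constructed "no such user" case.
token_status_sample() {
  case "$1" in
    alice) echo '2020-07-07 10:00:00 sysadminctl[100:200] Secure token is ENABLED for user alice' ;;
    bob)   echo '2020-07-07 10:00:00 sysadminctl[100:200] Secure token is ENABLED for user bob' ;;
    carol) echo '2020-07-07 10:00:00 sysadminctl[100:200] Secure token is DISABLED for user carol' ;;
    *)     echo 'sample: no such user' ;;
  esac
}

# Reduce a sysadminctl status line to ENABLED / DISABLED / UNKNOWN.
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Return 0 if the user is listed as a FileVault-enabled user.
fde_enabled() {
  printf '%s\n' "$FDE_LIST" | cut -d, -f1 | grep -qx "$1"
}

# Classify a user by what they will see at the FileVault login screen:
#   CAN_UNLOCK : has a Secure Token and is already enabled for FileVault
#   TOKEN_ONLY : has a Secure Token but has not yet been added to FileVault
#   LOCKED_OUT : no Secure Token; cannot be added and will not appear at boot
classify_user() {
  state=$(secure_token_state "$(token_status_sample "$1")")
  case "$state" in
    ENABLED)  if fde_enabled "$1"; then echo CAN_UNLOCK; else echo TOKEN_ONLY; fi ;;
    DISABLED) echo LOCKED_OUT ;;
    *)        echo UNKNOWN ;;
  esac
}

# Report on the constructed sample accounts.
for u in alice bob carol dave; do
  printf '%-8s %s\n' "$u" "$(classify_user "$u")"
done
```

TOKEN_ONLY accounts are the ones worth fixing before rollout: they can be added with fdesetup or a Jamf policy, whereas LOCKED_OUT accounts first need a Secure Token from an existing token holder.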

Once a user logs in at the FileVault screen, the default configuration logs that account in automatically and skips the macOS login screen. If you want the device to stop at the macOS login screen instead, change this by running the following command in Terminal.

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES

Prerequisites for FileVault

Enabling FileVault

Using a Jamf Pro Policy

Use the following guide here: Deploying a FileVault Policy using Jamf Pro