Endpoint Management
Getting Started with FileVault 2 in macOS
Last modified 7/7/2020
About
This guide helps you get started with encrypting your macOS devices with FileVault 2.
Getting Started
What is FileVault?
FileVault full-disk encryption uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk. This feature is built into macOS.
Learn more: https://support.apple.com/en-us/HT204837
What is a Secure Token?
A Secure Token is a user attribute that needs to be added to a user before that user can unlock the OS on boot. FileVault 2 relies on Secure Tokens to determine which users can unlock the encrypted partitions on FileVault devices.
The Secure Token is automatically given to the account that is created during first-time setup.
What does the user experience look like?
Once FileVault is enabled and the device is encrypted, there is a new startup experience: a FileVault login screen appears upon every restart. This login looks like the traditional macOS login screen and can easily be mistaken for it.
The users available to select at this login are the users that have a Secure Token on their account.
If a user doesn't have a Secure Token, that user will not appear as a login option after a normal reboot and won't be able to unlock the drive to log in.
Once a user logs in to FileVault, the default configuration automatically logs that account in and skips the macOS login screen. If you want the device to go to the macOS login screen instead, you can change this by running the following command in Terminal.
sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES
Prerequisites for FileVault
- Device is enrolled into Jamf Pro
- More Info: Enrolling Devices into Jamf Pro
- Devices have a User assigned to them in Jamf Pro
- More Info: Assigning a User to a Computer in Jamf Pro
- Users have a Secure Token on their device.
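One way to check the Secure Token prerequisite before enabling FileVault, added here as an example and not part of the original guide. It relies on the macOS tools `sysadminctl`, `fdesetup` and `dscl`; the account names, sample output lines and the `sample_query` stub are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which regular accounts lack a Secure Token.
# Run with sudo on the Mac being checked; on other systems only the functions load.

# True if `sysadminctl -secureTokenStatus <user>` output reports ENABLED.
token_enabled() { printf '%s\n' "$1" | grep -q 'Secure token is ENABLED for user'; }

# True if `fdesetup status` output reports FileVault as on.
filevault_on() { printf '%s\n' "$1" | grep -q '^FileVault is On'; }

# From `dscl . -list /Users UniqueID` output, print accounts with UID >= 501.
regular_users() { printf '%s\n' "$1" | awk '$2 >= 501 { print $1 }'; }

# sysadminctl writes its answer to stderr, so merge it into stdout.
query_token() { sysadminctl -secureTokenStatus "$1" 2>&1; }

# Print each regular user without a Secure Token.
# $1 = dscl listing, $2 = status-query function (defaults to query_token).
users_without_token() {
    query=${2:-query_token}
    for u in $(regular_users "$1"); do
        token_enabled "$("$query" "$u")" || printf '%s\n' "$u"
    done
}

# Constructed sample data (not captured from a real Mac).
SAMPLE_USERS='_www                    70
root                    0
alice                   501
bob                     502'
sample_query() {   # hypothetical stub standing in for query_token
    case $1 in
        alice) echo "2020-07-07 10:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user $1" ;;
        *)     echo "2020-07-07 10:00:00.000 sysadminctl[123:456] Secure token is DISABLED for user $1" ;;
    esac
}

# Live audit, only where the macOS tools exist.
if command -v sysadminctl >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    if filevault_on "$(fdesetup status)"; then echo "FileVault: on"; else echo "FileVault: off"; fi
    missing=$(users_without_token "$(dscl . -list /Users UniqueID)")
    if [ -z "$missing" ]; then
        echo "Every regular account holds a Secure Token."
    else
        printf 'No Secure Token (will not appear at the FileVault login):\n%s\n' "$missing"
    fi
fi
```

Any account the script lists needs a Secure Token before it can unlock the disk at startup.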
Enabling FileVault
Using a Jamf Pro Policy
Follow this guide: Deploying a FileVault Policy using Jamf Pro