In this post I will show you how to configure FileVault disk encryption for macOS using Intune. Once enabled, the macOS disk is encrypted, which protects the data if the device is lost or stolen. The recovery key is escrowed in the Intune portal so that it can be retrieved if the device ever needs to be recovered.

What is FileVault disk encryption

Disk encryption for macOS devices is known as FileVault. It is a hardware-level encryption applied to the disk to protect the data. For macOS 10.13 or later, we can configure FileVault through Intune and manage the recovery keys for the devices.

FileVault is native to macOS and is the built-in encryption tool for Mac devices, similar to BitLocker Drive Encryption on Windows devices. Intune can encrypt macOS devices and save the recovery key in the Intune portal.

Who can manage the FileVault in Intune

The Help Desk Operator and Endpoint Security Manager roles can retrieve the FileVault recovery key from the Intune portal. If the requirement is only to rotate the FileVault key, the Help Desk Operator role has the permission for rotation.

The roles mentioned above are built-in RBAC roles that can be used to grant these permissions to the service desk / help desk.

Options available to configure FileVault in Intune

There are multiple options available in Intune to configure FileVault. In other words, we can create FileVault policies using any of the three methods below:

  1. Device Configuration: Settings Catalog – This option provides the largest number of FileVault disk encryption settings. Navigate to Devices > macOS > Configuration profiles and create a new policy using the Settings catalog option.
  2. Device Configuration: Templates – Create a new Configuration profile via the Endpoint protection template. This option provides a limited set of settings, which is sufficient to set up FileVault disk encryption.
  3. Endpoint security – Using Endpoint security > Disk encryption, we can create the policy. This is what we are going to show in this demo. The options available under this policy are pretty much the same as in the 2nd option (Device configuration: Templates).

Configure FileVault disk encryption policy

  • Launch the Intune admin center, navigate to Endpoint security > Disk encryption and click Create Policy.
  • Select the Platform as macOS and the Profile as FileVault.
  • Specify the profile name as Demo macOS FileVault disk encryption and click Next.
  • Under the Configuration settings page, specify the options as:
    • Enable FileVault: Select Yes to enable the configuration.
    • Recovery key type: Personal recovery key is the only option and is selected automatically.
    • Personal recovery key rotation: Select 6 months. You can select 1 to 12 months depending on how frequently you want the recovery key rotated.
    • Escrow location description of personal recovery key: Displays a short message to the user on how they can recover the personal recovery key.
    • Number of times allowed to bypass: Specify 2. You can specify any value between 1 and 10 to allow users to bypass the encryption prompt (enabling FileVault) that specific number of times. Specifying 0 will always prompt the user to bypass or encrypt. Specifying -1 disables this setting (hence no bypass will be allowed).
    • Allow deferral until sign out: The only available option is Yes.
    • Disable prompt at sign out: Not configured.
    • Hide recovery key: Select Yes. The recovery key will not be displayed on the user's screen while FileVault encryption is enabled, which reduces the risk of the key being compromised.
  • Under the Assignments page, target the policy to the group containing the macOS device(s).

Wait for the policy to reach the macOS device. Device encryption might take some time. Once encryption is done, you can verify the recovery key by navigating to Devices > macOS, selecting the specific device the policy was targeted to and clicking Recovery keys. Then click Show Recovery Key.


You can manually rotate the recovery key by using the device action named Rotate FileVault recovery key, which generates a new recovery key.


Note: The FileVault recovery key will only be visible if the device is marked as a corporate device.

There are two options to change the device status from Personal to Corporate:

  1. Navigate to the device's Properties page and change Device ownership to Corporate.
  2. Use corporate device identifiers by navigating to Devices > Enrollment > Corporate device identifiers tab. The supported values to identify a device are IMEI and serial number.

Verify Encryption status

Navigate to Home > Devices > Monitor and click Device encryption status. Search for your device; you will see the encryption status of the device along with a profile status summary.
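To confirm on the Mac itself the state that this report and the FileVault policy above are expected to produce, here is an added example (not part of the original post, and not an Intune or Apple tool) that classifies the output of `fdesetup status` and `fdesetup haspersonalrecoverykey`; the sample outputs at the end are constructed, not captured from a real device.

```shell
#!/bin/bash
# Added example (not from the original post): device-side check of the FileVault
# state the Intune policy should produce. The parsing functions take the text
# printed by fdesetup as input, so they can be exercised with sample output too.

# Classify `fdesetup status` output: prints on | off | deferred | encrypting:<pct>
fv_state() {
    local out="$1" pct
    case "$out" in
        *"Encryption in progress"*)
            pct=$(printf '%s\n' "$out" | sed -n 's/.*Percent completed = \([0-9]*\).*/\1/p' | head -n1)
            printf 'encrypting:%s\n' "${pct:-0}" ;;
        *"Deferred enablement"*) printf 'deferred\n' ;;   # user is still bypassing the prompt
        *"FileVault is On"*)     printf 'on\n' ;;
        *"FileVault is Off"*)    printf 'off\n' ;;
        *)                       printf 'unknown\n' ;;
    esac
}

# Return 0 when a personal recovery key (the type Intune escrows) is present.
fv_has_prk() {
    case "$1" in
        true*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Live check on a Mac; exit status 0 only when the disk is fully encrypted
# with a personal recovery key, i.e. the state the Intune report should show.
fv_check_device() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found (not macOS?)"; return 2; }
    local state prk
    state=$(fv_state "$(fdesetup status 2>&1)")
    fv_has_prk "$(fdesetup haspersonalrecoverykey 2>&1)" && prk=yes || prk=no
    echo "FileVault state: $state, personal recovery key: $prk"
    [ "$state" = "on" ] && [ "$prk" = "yes" ]
}

# Constructed sample outputs (not captured from a real device) for the parser:
SAMPLE_ON="FileVault is On."
SAMPLE_PROGRESS="FileVault is On.
Encryption in progress: Percent completed = 42"
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'demo'."
```

Run `fv_check_device` on the Mac (it needs sudo only for some fdesetup verbs; status works unprivileged) and compare its line with what the Intune Device encryption status page shows.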

