How To: Manage FileVault Disk Encryption with LANDESK 2016

Version 14

    Verified Product Versions

    LANDESK Management Suite 2016.x

    Description


    This feature requires licensing for LANDESK Security Suite 2016. The standard LANDESK Management Suite 2016 license does not include the ability to download the Mac Security Threats definitions mentioned below.


    A new feature in LANDESK Security Suite 2016 is the ability to detect whether FileVault is enabled on the end machine and, if it isn't, to enable it. Machines that have FileVault enabled by LANDESK will have their recovery keys stored in an encrypted table in the LANDESK database, so the LANDESK Admin can retrieve a recovery key as needed if a user forgets their password.


    Watch an overview video of the process here.


    How to Enable FileVault


    1. FileVault detection is handled by Security Content downloaded through the Patch and Compliance tool in the LANDESK Console.
      1. In the Console, go to Tools - Security and Compliance - Patch and Compliance.
      2. Click the Download Updates icon in the toolbar.
      3. In the "Definition Types" window, check the box next to Mac - Security - Apple Mac Security Threats.
      4. Click Apply.
      5. Click Download Now.
    2. Check machines for the vulnerability. If the vulnerability is detected on a machine, that device DOES NOT have FileVault enabled.
      1. Search the downloaded definitions for "FileVaultActivation-10".
        [Screenshot: FileVault definition search]
      2. To see which devices are affected (not using FileVault), right-click the definition and select Affected computers from the menu.
        [Screenshot: Definition right-click menu - Affected computers]
      3. To repair (enable FileVault on) the vulnerable devices, right-click the definition and select Repair from the menu.
        [Screenshot: Definition right-click menu]
      4. This opens the Patch and Compliance repair task window. Make any desired changes and click Save.
        [Screenshot: Patch and Compliance repair task window]
      5. This creates a scheduled task. Add the affected device(s) to the task and start the task.
        [Screenshot: Start task]
      6. When the task completes, the user will get prompts on their side to complete FileVault setup.


    Enabling FileVault - User side prompts


    The user will see two prompts:

    1. A notification that FileVault was enabled, telling them to reboot. The reboot is not forced by default. To force a reboot, configure the reboot settings on the task to require a reboot.
    2. When logging in after the reboot, they will receive the second prompt. It will not mention that another reboot will happen, but one takes place. This prompt comes from Apple, not LANDESK.


    How to retrieve FileVault Recovery Keys


    For devices that have had FileVault enabled by LANDESK, the recovery key is stored in an encrypted table in the database and can be retrieved through the LANDESK Console by the LANDESK Admin. Keys are associated with the Apple Serial Number, the LANDESK Device ID and the Device Name. Keys ARE NOT associated with the Inventory Record. Deleting the device from Inventory WILL NOT remove the recovery key from the database.


    1. In the console, from the menu bar, select Tools -> Configuration -> Client Data Storage.
      [Screenshot: Client Data Storage]
    2. Click on the "Devices" folder and find your device.
      [Screenshot: Device list]
    3. Right-click the device and click "Properties".
    4. Click the "Export Data Item to a File" button.
      [Screenshot: Client Data window]
    5. Save the file to the Desktop.
    6. Open the saved file using Notepad or another text editor.
    7. Look for the "<key>RecoveryKey</key>    <string>######</string>" entry. The characters between the <string> and </string> tags are the recovery key to give to the end user.
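    Step 7 has you locate the RecoveryKey entry by eye in a text editor. The following Python script, added here as an example and not part of the LANDESK product or of this article, does the same lookup programmatically: it parses the exported item as an Apple XML plist (the <key>RecoveryKey</key><string>...</string> pair in step 7 is plist syntax, so that format is assumed), falls back to a direct pattern match if the export is only a fragment, and checks that the value has the shape of a FileVault personal recovery key (six groups of four characters separated by hyphens) before you hand it to the user. The sample export embedded in the script is constructed; the DeviceName and SerialNumber key names in it are assumptions, since the article names only RecoveryKey.

```python
"""Extract a FileVault recovery key from a LANDESK Client Data Storage export.

Example code added to this article; it is not part of LANDESK. It assumes the
exported item is an Apple XML plist (the <key>RecoveryKey</key><string>...</string>
pair shown in step 7 is plist syntax).
"""
import plistlib
import re
import sys
from typing import Optional

# Constructed sample export. Only the RecoveryKey key name comes from the
# article; DeviceName and SerialNumber are assumed names and every value is
# made up.
SAMPLE_EXPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DeviceName</key>
    <string>example-macbook</string>
    <key>SerialNumber</key>
    <string>C02EXAMPLE00</string>
    <key>RecoveryKey</key>
    <string>ABCD-EFGH-JKLM-NPQR-STUV-WXYZ</string>
</dict>
</plist>
"""

# A FileVault personal recovery key is 24 characters, displayed as six groups
# of four separated by hyphens.
RECOVERY_KEY_RE = re.compile(r"[A-Z0-9]{4}(?:-[A-Z0-9]{4}){5}")

# Fallback pattern for the key/string pair when the export is only a fragment
# rather than a complete plist document.
KEY_PAIR_RE = re.compile(r"<key>RecoveryKey</key>\s*<string>([^<]*)</string>")


def extract_recovery_key(data: bytes) -> Optional[str]:
    """Return the RecoveryKey value from an exported item, or None if absent."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # not a complete plist: fall through to the fragment scan
        plist = None
    if isinstance(plist, dict):
        value = plist.get("RecoveryKey")
        if isinstance(value, str) and value.strip():
            return value.strip()
    match = KEY_PAIR_RE.search(data.decode("utf-8", errors="replace"))
    if match and match.group(1).strip():
        return match.group(1).strip()
    return None


def looks_like_recovery_key(key: str) -> bool:
    """Sanity check on the key's shape before it is given to the end user."""
    return RECOVERY_KEY_RE.fullmatch(key) is not None


def recovery_key_from_file(path: str) -> Optional[str]:
    """Read an exported item from disk and extract its recovery key."""
    with open(path, "rb") as fh:
        return extract_recovery_key(fh.read())


def main(argv):
    # With no argument the constructed sample is used, so the script runs offline.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_EXPORT
    key = extract_recovery_key(data)
    if key is None:
        print("No RecoveryKey entry found in the export")
        return 1
    if not looks_like_recovery_key(key):
        print(f"RecoveryKey entry found but not in the expected XXXX-XXXX-... form: {key!r}")
        return 2
    print(f"Recovery key: {key}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it as `python extract_recovery_key.py <exported item>` against the file saved in step 5, or with no argument to see it work on the embedded sample. The format check is a guard against handing the user a truncated or mis-copied value, not a proof that the key is valid for that disk; only the Mac itself can confirm that.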


    Accessing FileVault Recovery Key - User Side Prompts

    1. The user will need to have at least 3 failed login attempts. They will then see the Password Hint they set and, beneath it, a link to use the Recovery Key. Click the Recovery Key link.
      [Screenshot: Recovery Key link]
    2. Enter the Recovery Key.
    3. The user will be prompted to set a new password.

    How to Turn Off FileVault After Enabling it with LANDESK 2016


    For any number of reasons it may occasionally be necessary to disable FileVault on a client machine. We do not fully automate disabling FileVault the way we automate enabling it, so a few steps have to be followed by hand. The primary requirement is that the client must no longer be targeted by the repair task used to deploy FileVault: it has to be removed from the task. LANDESK continues to enforce the FileVault deployment task on a machine as long as that machine is targeted in the task, which is what prevents users from disabling FileVault on their own, so the extra steps below are needed before Apple's own instructions will take effect.

    If a user does try to disable FileVault on their own, and they are an Admin on their device, they will be allowed to disable FileVault, but upon reboot they will be required to re-enable FileVault before being allowed to log in.

    1. In the Management Suite Console, go to Scheduled tasks. Locate the task used to deploy FileVault to the client.
    2. Remove the client from the task.
    3. On the client machine, force a policy sync by opening the Workspaces app. This ensures the client is aware it is no longer targeted by the FileVault deploy task.
    4. At this point you can follow Apple's instructions for turning off FileVault: Use FileVault to encrypt the startup disk on your Mac - Apple Support