How To: Manage FileVault Disk Encryption in Endpoint Manager

Version 15

    Verified Product Versions

    Endpoint Manager 2016.x, Endpoint Manager 2017.x



    Starting with LANDESK Management Suite 2016, you can manage FileVault disk encryption keys for your Mac devices. This feature is not included in the standard license; it requires that you also have a subscription to our Mac and Windows Security Threats content in Patch Manager.


    Our Mac Security Threat content can detect whether FileVault is enabled on the end machine and, if it isn't, Ivanti can enable it. Machines that have FileVault enabled by Ivanti will have their recovery keys stored in an encrypted table in the EPM database, which lets the EPM Admin retrieve a recovery key as needed if a user forgets their password.



    Watch an overview video of the process here.


    How to Enable FileVault


    1. FileVault detection is handled by Security Content downloaded through the Patch and Compliance tool in the EPM Console.
      1. In Console, go to Tools - Security and Compliance - Patch and Compliance.
      2. Click the Download Updates icon in the toolbar.
      3. In the "Definition Types" window, check the box next to Mac - Security - Apple Mac Security Threats.
      4. Click Apply.
      5. Click Download Now.
    2. Scan machines for the vulnerability. If the vulnerability is detected on a machine, that device DOES NOT have FileVault enabled.
      1. Search downloaded definitions for "FileVaultActivation-20"
      2. To see what devices are affected (not using FileVault), right-click the definition and select Affected computers from the menu.
      3. To repair (enable FileVault) the vulnerable devices, right-click the definition and select Repair from the menu.
      4. This will open the Patch and Compliance repair task window. Make any desired changes and click Save.
      5. This will create a scheduled task. Add the affected device(s) to the task and start the task.
      6. When the task completes, the user will get prompts on their side to complete FileVault setup.


    Enabling FileVault - User side prompts


    The user will see two prompts:

    1. A notification that FileVault was enabled, telling them to reboot. It does not force the reboot by default. To force a reboot, configure the reboot settings on the task to require one.
    2. When logging in after the reboot, they will receive the second prompt. It does not mention that another reboot will happen, but one takes place. This prompt comes from Apple, not EPM.


    How to retrieve File Vault Recovery Keys


    For devices that have had FileVault enabled by Ivanti EPM, the recovery key is stored in an encrypted table in the database and can be retrieved through the EPM Console by the EPM Admin. Keys are associated with the Apple Serial Number, the EPM Device ID and the Device Name. Keys ARE NOT associated with the Inventory Record, so deleting the device from Inventory WILL NOT remove the recovery key from the database.


    1. In the console, from the menu bar, select Tools -> Configuration -> Client Data Storage.
    2. Click on the "Devices" folder and find your device.
    3. Right-click the device and click "Properties".
    4. Click the "Export Data Item to a File" button.
    5. Save the file to the Desktop.
    6. Open the saved file using Notepad or another text editor.
    7. Look for the entry "<key>RecoveryKey</key>    <string>######</string>". The characters between the <string> and </string> tags are the recovery key to give to the end user.
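    To avoid hand-reading the exported file in step 7, here is an added example (not part of the Ivanti article or product) that pulls the RecoveryKey out of an exported data item. It assumes the export is an XML property list, as the <key>/<string> entry above suggests, and falls back to scanning for that literal entry; the sample export, serial number and key values are constructed.

```python
import plistlib
import re
from typing import Optional

# Constructed sample of an exported Client Data Storage item. The export is
# assumed to be an XML property list; the serial number and key are made up.
SAMPLE_EXPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>SerialNumber</key>
    <string>C02EXAMPLE01</string>
    <key>RecoveryKey</key>
    <string>ABCD-EFGH-JKLM-NPQR-STUV-WXYZ</string>
</dict>
</plist>
"""

# FileVault personal recovery keys are six groups of four characters separated by hyphens.
PRK_PATTERN = re.compile(r"^[A-Z0-9]{4}(?:-[A-Z0-9]{4}){5}$")
# Fallback: the literal entry the article tells the admin to look for.
RAW_PATTERN = re.compile(rb"<key>RecoveryKey</key>\s*<string>([^<]*)</string>")


def extract_recovery_key(data: bytes) -> Optional[str]:
    """Return the RecoveryKey from an exported data item, or None if it is absent."""
    key = None
    try:
        parsed = plistlib.loads(data)
        if isinstance(parsed, dict):
            key = parsed.get("RecoveryKey")
    except Exception:
        key = None  # not a well-formed plist; fall through to the raw scan
    if key is None:
        match = RAW_PATTERN.search(data)
        key = match.group(1).decode("utf-8", "replace") if match else None
    return key.strip() if key else None


def looks_like_personal_recovery_key(key: str) -> bool:
    """Sanity-check the key format before reading it out to the end user."""
    return bool(PRK_PATTERN.match(key))


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    found = extract_recovery_key(blob)
    print(found if found and looks_like_personal_recovery_key(found) else "No valid RecoveryKey found")
```

    Run it with the path of the exported file as the only argument; without an argument it processes the constructed sample.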


    Accessing FileVault Recovery Key - User Side Prompts

    1. The user will need to have at least 3 failed login attempts. They will then see the Password Hint they set and a link beneath it to use the Recovery Key. Click the Recovery Key Link.
    2. Enter the Recovery Key.
    3. The user will be prompted to set a new password.

    How to Turn Off FileVault After Enabling it with Endpoint Manager


       For any number of reasons it may occasionally be necessary to disable FileVault on a client machine. Although we do not fully automate disabling FileVault the way we automate enabling it, there are a few steps that must be followed. The primary requirement is that the client must not be targeted by the repair task used to deploy FileVault; it has to be removed from the task. EPM will continue to enforce the FileVault deployment task on the machine as long as the machine is targeted in the task. This is done to prevent users from disabling FileVault on their own.

      If a user does try to disable FileVault on their own and they are an Admin on their device, they will be allowed to disable FileVault, but upon reboot they will be required to re-enable FileVault before being allowed to log in.

    1. In the Management Suite Console, go to Scheduled tasks. Locate the task used to deploy FileVault to the client.
    2. Remove the client from the task.
    3. On the client machine force a policy sync by opening the Workspaces app. This will ensure the client is aware it is no longer targeted in the FileVault deploy task.
    4. At this point you can follow Apple's instructions for turning off FileVault: Use FileVault to encrypt the startup disk on your Mac - Apple Support