How to Enable/Manage FileVault in Ivanti EPM 2018.1

Version 17

    Verified Product Versions

    Endpoint Manager 2018.x

    The purpose of this document is to provide an overview of the changes made to FileVault management in 2018.1 and how to use them.

    This feature requires Service Update 1 for 2018.1 to be fully functional. Please contact support to receive this update.

    What's New

    As detailed in How To: Manage FileVault Disk Encryption in Endpoint Manager, FileVault was enabled via Patch Manager in previous releases of Ivanti EPM. That method also required a separate Security Suite license in order to use this functionality.

    2018.1 introduces the use of MacOS Configuration Profiles to enable and manage FileVault encryption. This method no longer requires a Security Suite license.

    Editor.png

    How to Configure FileVault using MacOS Configuration Profiles

    In the Ivanti Management Console, go to Tools > Configuration > Agent Settings.

    In the Agent Settings tool, expand the All Agent Settings tree, then expand the Mac Profiles tree. Select MacOS Device Configuration.

    Select the Create new Settings button.

    Agent Settings.png

    This will open the MacOS Device Configuration Agent Settings. Provide a name for the Agent Settings instance.

    • If this is the first time configuring profiles, the Available Configurations section will be empty. Select the New button to create a new MacOS Profile.

    • If configuring a pre-existing MacOS Profile, select the available configuration and select Edit.

    Device Configuration.png

    FileVault configuration is not available under the "MacOS Configuration" agent settings, only under "MacOS Device Configuration", because FileVault is a device-wide setting rather than a per-user one.

    Clicking New will open the Configuration Profile Editor on the General tab. A name for the Profile must be provided first. Fill out the other, non-mandatory information as desired.

    On the left, select Security and Privacy and then select Configure.

    Select the FileVault tab within the Security and Privacy window.

    Security and Privacy.png

    Select the checkbox next to Require FileVault. A few options become available:

    • Create a personal FileVault recovery key
      • A key is generated during the encryption process. This key is used to "recover" the Mac if the user's password is lost. The administrator can retrieve this key via the right-click menu in the console (provided the Mac is enrolled in MDM).
        • The key will also be made available in the Client Data Storage Tool.

    • Use an institutional recovery key and create a personal FileVault recovery key
      • A combination of the first two options.

    • Upload personal recovery key to EPM server. This sends the personal recovery key to the Core Server so the administrator can manage it. THIS IS RECOMMENDED.

    The key will not be "escrowed" to the Core until the encryption process is complete. For larger hard drives, this can mean hours or days before the key is shown on the Core.

    There is currently a bug in 2018.1 Service Update 1 that prevents the Recovery Key from being sent to the Core if the device isn't enrolled in MDM. This will be resolved in a future update for Sierra and El Capitan.

    Once finished, click OK to close the Configuration Profile Editor. The new Configuration Profile will now be shown in the Available Configurations section of the Agent Settings.

    Select the new Configuration Profile and then click Select to move the Profile over to the Selected Configurations window.

    Select.png

    Click Save.

    Deploying FileVault to Macs using Configuration Profile Agent Settings

    In the Ivanti Management Console, go to Tools > Configuration > Agent Settings.

    In the Agent Settings tool, select the Create a Task button. Select Change Settings.

    Change Setttings.png

    The Change Settings Task window will open. Give the task a name and scroll down to the MacOS Device Configuration item in the Type list.

    Select the drop-down next to it and select the Agent Setting saved earlier.

    Select Agent Settings.png

    Click Save.

    This will create a Scheduled Task. Drag the desired Macs into the task, then right-click the task and select Start Now > All.

    What does the User See?

    Initially, no visible pop-ups or messages are presented to the user. The Profile will apply silently (assuming the only change was FileVault).

    The newly applied Profile will now be listed on the Mac under System Preferences > Profiles, as shown below:

    System Preferences.png

    Note how the Custom Message entered in the Profile Configuration Tool shows up in the Recovery Key Escrow section of the profile.

    NOTE: Ivanti is aware of managed profiles being shown as "Unsigned." More information will be made available if changes are made regarding this.

    The next time the Mac is logged off or shut down, the user will be presented with a prompt to enter their user account password in order to enable FileVault.

    FileVault Prompt.png

    The user may enter their password and select OK, which will begin the encryption process. They may also select Cancel, which skips the process and continues with the logoff/shutdown. If no response is made within a minute or so, the prompt will time out and continue as if Cancel had been selected.

    If Cancel was selected or the timeout was reached, the Mac will prompt to enable FileVault at every logoff/shutdown until it is enabled.

    After entering the password and selecting OK, the FileVault process will begin. This process only takes a few moments before the device is rebooted. The user will also be presented with a FileVault Recovery Key. It's a good idea to make a note of this key, as it is what unlocks the disk if the account password is lost.

    Enabling FileVault.png

    After Continue is selected, the Mac will reboot/log off as usual. From here, the FileVault process continues in the background. Performance may be slowed, but the user can proceed as usual while the disk is being encrypted.

    To view the progress of the encryption process, browse to System Preferences > Security and Privacy > FileVault.

    FileVault Progress.png

    The encryption process will complete silently. Once the next inventory scan is run, the Mac will show as Encrypted in the Ivanti EPM Management Console.

    Inventory.png
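    The steps above leave the administrator checking encryption progress through System Preferences and waiting for the key to appear on the Core. The following shell script is an added example, not Ivanti's code and not part of the original article: it classifies the output of Apple's fdesetup status on the Mac side and applies the two caveats stated earlier (the personal recovery key is not escrowed until encryption completes, and in 2018.1 Service Update 1 it is not sent to the Core unless the Mac is MDM-enrolled) to say whether the key should be visible on the Core yet. The sample command output embedded in it is constructed and modelled on fdesetup's wording; the `profiles status -type enrollment` call is an assumption that applies to macOS 10.13.4 and later, and is skipped where it is unavailable, which includes the Sierra and El Capitan builds mentioned above.

```shell
#!/bin/sh
# Added example (not Ivanti's code): report FileVault state on a managed Mac
# and say whether the personal recovery key can be expected on the Core yet.
# Parsing functions take text as an argument so they can be checked against
# the constructed samples below without a Mac.

# Constructed sample output, modelled on the wording of `fdesetup status`
# (assumption: real output uses the same phrases).
SAMPLE_OFF='FileVault is Off.'
SAMPLE_ON='FileVault is On.'
SAMPLE_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 42'

# Constructed sample of `profiles status -type enrollment` (10.13.4+ only).
SAMPLE_ENROLLMENT='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'

# Classify fdesetup output as: off | encrypting:<percent> | on | unknown
classify_fv_status() {
    text="$1"
    case "$text" in
        *"FileVault is Off"*) echo "off" ;;
        *"Encryption in progress"*)
            pct=$(printf '%s\n' "$text" \
                | sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p' | head -n 1)
            echo "encrypting:${pct:-unknown}" ;;
        *"FileVault is On"*) echo "on" ;;
        *) echo "unknown" ;;
    esac
}

# Reduce profiles(1) enrollment output to yes | no | unknown.
parse_mdm_enrolled() {
    case "$1" in
        *"MDM enrollment: Yes"*) echo "yes" ;;
        *"MDM enrollment: No"*)  echo "no" ;;
        *) echo "unknown" ;;
    esac
}

# Combine the two facts using the article's rules:
#  - the key is only escrowed once encryption has finished;
#  - in 2018.1 SU1 it is not sent to the Core unless the Mac is MDM-enrolled.
escrow_expectation() {
    state="$1"; mdm="$2"
    case "$state" in
        off)          echo "not-applicable" ;;
        encrypting:*) echo "pending-encryption" ;;
        on)
            if [ "$mdm" = "yes" ]; then
                echo "expected"
            else
                echo "blocked-not-mdm-enrolled"
            fi ;;
        *)            echo "unknown" ;;
    esac
}

# Live report: only runs where Apple's fdesetup exists (i.e. on a Mac).
report_live() {
    state=$(classify_fv_status "$(fdesetup status 2>/dev/null)")
    enrolled="unknown"
    if enroll_out=$(profiles status -type enrollment 2>/dev/null); then
        enrolled=$(parse_mdm_enrolled "$enroll_out")
    fi
    printf 'FileVault: %s\nMDM enrolled: %s\nRecovery key on Core: %s\n' \
        "$state" "$enrolled" "$(escrow_expectation "$state" "$enrolled")"
}

if command -v fdesetup >/dev/null 2>&1; then
    report_live
else
    # Off a Mac, walk the constructed samples so the logic can still be seen.
    mdm=$(parse_mdm_enrolled "$SAMPLE_ENROLLMENT")
    for s in "$SAMPLE_OFF" "$SAMPLE_ENCRYPTING" "$SAMPLE_ON"; do
        st=$(classify_fv_status "$s")
        printf '%-14s -> %s\n' "$st" "$(escrow_expectation "$st" "$mdm")"
    done
fi
```

    Run it on a Mac to get a three-line report; a result of "pending-encryption" means the wait described above for large drives is still in progress, while "blocked-not-mdm-enrolled" points at the Service Update 1 limitation rather than a failed deployment. The enrollment check is kept separate from the FileVault check so that on older macOS builds, where the profiles subcommand is missing, the script still reports the encryption state and simply marks enrollment as unknown.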