Apple's FileVault 2 disk encryption protects the data stored on your Macs. Encrypting the boot volume with FileVault prevents unauthorized users from copying data off the drive. With Addigy Mobile Device Management (MDM), you can enforce disk encryption more quickly and easily than ever before.
Before you can deploy an MDM Configuration to manage FileVault, you'll need to configure the Addigy MDM Profile for the policy where you'll be enforcing FileVault. For instructions on enabling MDM, see Addigy Mobile Device Management (MDM) Integration.
Creating the FileVault MDM Configuration
First, you'll need to create a simple MDM Configuration. On the Policies page, head to the Catalog at the top of the page.
In the MDM Configuration tab, select Add Configuration +.
Choose a new Security & Privacy payload.
Name your payload something meaningful like "FileVault Enforcement", then select the FileVault tab.
Enable Require FileVault and make sure Escrow Personal Recovery Key is enabled as well. Click Create Configuration, and you're ready to start deploying your new MDM Configuration.
Deploying the FileVault MDM Configuration
Now that you've built the necessary MDM Configuration, select the policy where you would like to begin enforcing FileVault from the policy tree on the left-hand side of the Policies page.
In the MDM Configurations section of the policy, find your new payload and select Add Configuration.
Then, head to the Deploy Changes section of the policy and confirm the addition of this payload.
Now, your Macs will receive the FileVault payload and begin enforcing disk encryption. When each device next restarts, the OS will try to enable FileVault. A Personal Recovery Key (PRK) will be generated and uploaded to your Addigy account. If FileVault was already configured, no new actions will be taken.
You can find your PRKs in the GoLive window for each device:
- View the FileVault Encryption tab within GoLive.
- Please allow some time for the key to be shown.
Note: On devices running macOS Catalina, the user must log out in order to see the prompt to "Enable FileVault". Rebooting or shutting down the device will not trigger the prompt as it did in previous versions of macOS.
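To confirm on a device that the payload has taken effect, you can classify the output of macOS's fdesetup tool. The script below is an added example, not part of Addigy's tooling; the phrases it matches are assumptions about the wording of fdesetup status output, and the sample text and the user name in it are constructed.

```shell
#!/bin/sh
# Added example: classify FileVault state from `fdesetup status` output.
# The matched phrases are assumptions about fdesetup's wording; adjust them
# if your macOS version prints something different.

# classify_fv_status TEXT -> encrypted|encrypting|decrypting|deferred|off|unknown
classify_fv_status() {
    case "$1" in
        *"Decryption in progress"*) echo decrypting ;;
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo encrypted ;;
        *"Deferred enablement"*)    echo deferred ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# compliance_verdict STATE HAS_PRK -> prints a verdict; returns 0 only if compliant.
compliance_verdict() {
    state=$1; has_prk=$2
    case "$state" in
        encrypted|encrypting)
            if [ "$has_prk" = "true" ]; then
                echo "compliant"; return 0
            fi
            echo "noncompliant: no personal recovery key on volume"; return 1 ;;
        deferred)
            echo "pending: user has not yet completed the Enable FileVault prompt"
            return 1 ;;
        *)
            echo "noncompliant: FileVault state is $state"; return 1 ;;
    esac
}

# Constructed sample: a Mac that received the payload but has not yet
# been through the logout (Catalina) or restart prompt.
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'alice'."

# On a real Mac (run as root) check the live state; elsewhere this is skipped.
if command -v fdesetup >/dev/null 2>&1; then
    live_state=$(classify_fv_status "$(fdesetup status 2>/dev/null)")
    live_prk=$(fdesetup haspersonalrecoverykey 2>/dev/null) || live_prk=false
    compliance_verdict "$live_state" "$live_prk" || true
fi
```

A "pending" verdict on a Catalina device usually means the user has only rebooted and still needs to log out once.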
You're all set! FileVault will be enforced across your policy, including on any new devices that enroll in this policy. If you experience any issues with this workflow, please reach out to the Addigy Support team by email at email@example.com.