A few weeks ago Microsoft finally announced support for macOS FileVault disk encryption management in Microsoft Intune. This is a highly requested macOS management feature and expands the macOS management settings in Intune.
In this blog I will have a look at the settings which we can configure as admin, how the end-user experience is and where we, as IT admins, can find the recovery information in de Device Management Portal.
Create endpoint protection policy
The FileVault settings are available in the macOS Endpoint protection policy. The steps below show where and how to create such a policy and what settings we can set.
- Sign-in to the Device Management Portal
- Click Device Configuration
- Click Profiles
- Click Create Profile
- Give the configuration a Name
- Give the configuration a Description (Optional)
- Choose macOS as Platform
- Choose Endpoint protection as Profile type
- Click the Settings tab and click the FileVault tab
- On the FileVault tab, click Enable behind FileVault
- Personal Key is the only option as Recovery key type
- Fill in a text in the text box under Location of personal recovery key
- Make your choice for Personal recovery key rotation (Optional)
- Set Disable prompt at sign out to Enable (Optional)
- Pick a number at Number of times to bypass (required when Disable prompt is set to Enable)
- Click OK twice and click Create
When the configuration policy is created, don`t forget to assign the policy to a security group!
End-user experience
When the Endpoint protection policy is applied (with the settings like in my example above) to the macOS device and the end-user logs on (again) to the device a pop-up is shown. Click Enable now to start the encryption.
If Disable prompt at sign out is not set to Enable, the user is forced to turn on FileVault at first sign out.
The encryption process starts immediately. You can wait for it to complete or click OK to close the window and move on to the desktop.
The current encryption status can be found in Settings, in the Security & Privacy part on the FileVaulttab. As you can see in the screen below, right after logging on, FileVault is turned on and busy with the encryption.
The user is able to retrieve the recovery key by logging on to the Intune Web Company portal from an webbrowser on any (other) device. On the devices tab click the macOS device and click Get recovery key to retrieve the key.
Admin experience
As an Intune admin you also have the possibility to retrieve the recovery key. The key can be found by looking up the device in the Device Management Portal under Devices, All devices.
On the Recovery keys tab you can click Show recovery Key to see the key. This option is only available for Corporate macOS devices. If the device has an Personal ownership, you don`t see the button to see the key. You could still retrieve the key, by switching ownership from Personal to Corporate on the Properties tab of the device. Keep in mind, the user receives an message in the Company Portal app when Ownership is changed.
When you clicked on Show Recovery Key, the FileVault Recovery Key is shown.
Here you also have the option to manually rotate the key by clicking Rotate FileVault recovery key.
The key rotation option is also available on the devices Overview tab. Click on More and you find the Rotate FileVault recovery key option.
For Windows 10 devices the Intune admin already could find some information related to encryption on the Encryption report tab under Device configuration. This is now expanded with encryption information of the macOS devices. You can see if the device is ready for encryption and the encryption status.
Keep in mind that it can take up to 24 hours for Intune to report on a device’s encryption status or a change to that status as described here.
If you click on the macOS device, you could see some more information, like the applied configuration profile which contains the FileVault settings and if that profile is applied successful.