FileVault Management: Disable or Enable on Apple Devices

For businesses that use macOS devices, FileVault is a critical component of security. And with the right mobile device management (MDM) platform, IT teams have the power to easily install and oversee FileVault encryption across all managed devices.

Addigy provides numerous options for macOS admins, including the ability to manage and turn FileVault on or off. The choice to enable or disable is ultimately up to you—but keeping device security in check should always be a top priority.

Discover how Addigy MDM gives IT admins ultimate control on any managed macOS device, with enhanced data and user protection through FileVault management.

What is FileVault Management?

FileVault is a disk encryption feature that’s unique to Apple devices that use macOS. With FileVault, users benefit from automated encryption of data on Mac startup disk drives. Once encrypted, data is unreadable without the use of a password or recovery key. Thus, FileVault prevents unauthorized users from retrieving information stored on a protected device. 

FileVault management is a comprehensive strategy for maintaining encrypted devices at an individual organizational level. For businesses that need to monitor privileged access and user credentials, FileVault verifies that only the appropriate users access data at a given time. This adds another critical layer of security to distributed, virtual, and remote enterprises.

Activating FileVault with Addigy’s MDM Platform

Activating or enabling FileVault across your managed Mac devices should be hassle-free. The more straightforward the process is, the more easily you can manage it regardless of how many devices are part of your IT infrastructure.

Addigy helps facilitate the FileVault activation process using multiple mechanisms. However, the process is as straightforward as defining your user experience in an MDM Profile and assigning it to a policy where you enroll devices.

From your Addigy account, follow the steps below to enable FileVault.

  • Navigate to the Catalog Page
  • Click the MDM Profile Section
  • Press New
  • Select Security & Privacy
  • Click the FileVault Tab
  • Press Enable FileVault and define the interaction you want with the user (e.g., prompt them to enable at login or logout, how many times it can be deferred, etc.)
  • Press Create Profile
  • Click the options on the Profile and assign it to desired policies

Disabling FileVault Disk Encryption on a Mac  

Although FileVault provides an important layer of device security, there may come a time when you need to decrypt your FileVault devices. 

Addigy provides many ways to manage FileVault, including the ability to disable FileVault. In Addigy, FileVault can be disabled by following the steps below. 

  • On the Devices page, run the command `sudo fdesetup disable` in the commands box (this can also be done using LiveTerminal, Smart Software, and many other options).
  • Reboot the device, and it will decrypt.

This will only be possible if there is no MDM Profile enforcing FileVault on the device. If FileVault is managed with an MDM Profile, that profile must be removed prior to having the ability to disable FileVault.

FileVault Recovery Keys

FileVault Recovery Keys must be escrowed to the Addigy platform when FileVault is enabled, so that the device can be unlocked. Alternatively, you can show the user the PRK (Personal Recovery Key) at the time of enablement, should you choose to, so they can decrypt the device or reset the password if they forget theirs.

Also, once Addigy has the FileVault Recovery Key it can be rotated regularly from the Addigy console in GoLive > Security.

With Addigy’s FileVault management tools, you can easily escrow these recovery keys so that they are available for future use.
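To confirm what state a device actually ended up in after the enable or disable steps above, a script can classify the output of `fdesetup status` and check for a personal recovery key. This is an added example, not Addigy's own code; the function names and the sample outputs are constructed for illustration.

```bash
#!/bin/sh
# Added example: classify FileVault state from `fdesetup status` text.
# Run as root on the Mac (haspersonalrecoverykey needs root).

# Map `fdesetup status` output to one state word.
# In-progress and deferred lines are checked first because they appear
# alongside the "FileVault is On/Off." line.
fv_state() {
  case "$1" in
    *"Decryption in progress"*) echo decrypting ;;
    *"Encryption in progress"*) echo encrypting ;;
    *"Deferred enablement"*)    echo deferred ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# Compliant only when fully encrypted AND a personal recovery key exists.
# $1 = `fdesetup status` output, $2 = `fdesetup haspersonalrecoverykey` output
fv_compliant() {
  [ "$(fv_state "$1")" = "on" ] && [ "$2" = "true" ]
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_ON='FileVault is On.'
SAMPLE_DECRYPTING='FileVault is Off.
Decryption in progress: Percent completed = 42'
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

# On a Mac, report the live state; on other systems this does nothing.
if command -v fdesetup >/dev/null 2>&1; then
  status=$(fdesetup status 2>&1)
  prk=$(fdesetup haspersonalrecoverykey 2>/dev/null)
  echo "state=$(fv_state "$status") recovery_key=${prk:-unknown}"
  if fv_compliant "$status" "$prk"; then
    echo "compliant"
  else
    echo "NOT compliant"
  fi
fi
```

A `true` from `fdesetup haspersonalrecoverykey` only shows that a key exists on the device; whether that key was escrowed still has to be confirmed in the Addigy console.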

Should You Use FileVault Management?

As you consider FileVault management, the most important thing to remember is that enforcing FileVault can protect your machines from being compromised or threatened. Using FileVault is one way to manage cyber risks and reduce outside threats. When you use a qualified MDM solution like Addigy, you’ll have the freedom and flexibility to enable or turn off FileVault as you encounter unique circumstances.

FileVault management is one cog in the wheel of a comprehensive and streamlined macOS management and security process. As you guard and protect the devices on your network, explore all of the options available through your MDM provider.

Don’t let a stolen company device sit in a vulnerable state where a malicious actor can potentially steal sensitive company data. Ensure FileVault is enabled on devices so you can sleep easily at night.
