Installing and Using Native Encryption Management

Native Encryption Management replaces Full Disk Encryption.

For how to manage user acquisition of mobile accounts with Full Disk Encryption on macOS 10.13 or later, see sk122674.

SmartEndpoint Settings for Native Encryption Management

Only these settings can be used to manage the Native Encryption Management blade on the client:

  • Recovery

    • Full Disk Encryption - Native Encryption Recovery Media.

    • Full Disk Encryption - Native Encryption Remote Help.

  • User Acquisition

    • Full Disk Encryption - Pre-boot enforcement will begin after the acquisition process has acquired X user(s).

  • Volume Encryption

    • Only protection of the system volume is supported.

  • Deployment

    • Download Mac Client - select the Full Disk Encryption blade.

Password Reset and Data Recovery

You can help users recover FileVault-encrypted data if they can't log in to their Mac.

You can help users recover their data or reset their password using a personal recovery key that is unique to the client computer. Resetting the password can be done remotely.

Password Reset Using a Personal Key

If a user forgets the login password, the administrator can send a personal recovery key to the remote user, to allow them to log in. The key is a string of letters and numbers separated by dashes.

Step 1: User locates the serial number of the locked device:

  1. Find the serial number of the locked device. It is usually printed on the back of the device.

  2. Give the serial number to the support representative.

Step 2: Administrator gives a recovery key to the user:

  1. Get the serial number of the locked device from the user.

  2. In SmartEndpoint, select Users and Computers.

  3. In Global Actions, click Native Encryption Recovery Media.

  4. In the Native Encryption Remote Help window, type the Serial Number.

  5. Click Get Recovery Key.

  6. Give the recovery key to the user.

Step 3: User resets their password:

  1. Get the Recovery Key from the support representative.

  2. Restart the Mac.

  3. In the FileVault pre-boot screen, click the ? button.

    A message shows: If you forgot your password you can reset it using your Recovery Key.

  4. Type the Recovery Key, and click ->.

    A progress bar shows.

  5. For Local Users:

    1. In the Reset Password window, the user enters a new password, and optionally, a password hint.

    2. Click Reset Password.

For how to update the Personal Recovery Key (PRK) for Native Encryption Management FileVault, see sk138352.

Mac Recovery Using a Personal Key

A personal key is unique to the client Mac computer or device. The key is a string of letters and numbers separated by dashes.

To recover a user's FileVault-encrypted Mac using the personal key, the administrator reads the key to the user, and uses the key to decrypt and unlock the computer.

To decrypt and recover the user's FileVault-encrypted Mac:

For a volume formatted as APFS on macOS Catalina (10.15) -

  1. Show the disk volumes on the Mac. Run the command:

    diskutil apfs list

    The volume to recover is the OS Volume. It has a name similar to disk2s1.

  2. Run this command:

    diskutil apfs unlockVolume <Diskname> -passphrase <personal recovery key>

    The volume is now unlocked.

  3. Get the list of apfs cryptousers. Run:

    diskutil apfs listcryptousers <Diskname>

    For example:

    diskutil apfs listcryptousers disk2s1

    For a local user, select the UUID of the user that has Type: Local Open Directory User

  4. Decrypt the volume. Run:

    diskutil apfs decryptVolume <diskname> -user <user UUID>

  5. Enter the password of the local user.

  6. To monitor progress of the decryption, run

    diskutil apfs list

For a volume formatted as CoreStorage on macOS 10.12 or higher -

  1. Run this command:

    diskutil cs unlockVolume <lvUUID> -passphrase <personal recovery key>

  2. The user interface shows a prompt to allow access. Enter the keychain password.

    The volume is now unlocked.

  3. Start the decryption. Run:

    diskutil cs decryptVolume <lvUUID>

  4. When prompted, enter the password for the local user.

  5. To monitor progress of the decryption, run:

    diskutil cs list

The user can now reboot the Mac normally. They do not see the FileVault pre-boot screen.
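The APFS steps above are typed one at a time, and the riskiest one is picking the wrong UUID from the listCryptoUsers output before decryptVolume. The following shell helper is an added example, not Check Point's or Apple's code: it checks the shape of the personal recovery key, picks the UUID whose type is "Local Open Directory User" from listCryptoUsers output, and then runs the unlock and decrypt steps in order. The sample listCryptoUsers output is constructed to approximate the real format, the six-groups-of-four key shape is an assumption, and the DISKUTIL variable (set DISKUTIL=echo for a dry run) is a convenience of this script, not a diskutil feature.

```shell
#!/bin/sh
# Added example (not from the page or the vendor): wraps the APFS recovery
# procedure with two checks before anything is decrypted.

# Assumption: the diskutil binary can be swapped out (DISKUTIL=echo) to
# print the commands instead of running them.
DISKUTIL="${DISKUTIL:-diskutil}"

# Assumption: a FileVault personal recovery key is six dash-separated groups
# of four letters/digits, e.g. AAAA-BBBB-CCCC-DDDD-EEEE-FFFF.
prk_is_well_formed() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Reads `diskutil apfs listCryptoUsers <vol>` output on stdin and prints the
# UUID whose Type line is "Local Open Directory User" (the one the page's
# step 3 tells you to select). Fails unless exactly one such user is found,
# so a recovery-user UUID is never passed to decryptVolume by accident.
select_local_user_uuid() {
    awk '
        /^\+-- /                            { uuid = $2 }
        /Type: Local Open Directory User/   { print uuid; n++ }
        END                                 { exit (n == 1) ? 0 : 1 }
    '
}

# Steps 2 to 4 of the APFS procedure, in order, with the checks above.
# Usage: recover_apfs_volume disk2s1 AAAA-BBBB-CCCC-DDDD-EEEE-FFFF
recover_apfs_volume() {
    vol="$1"; prk="$2"
    prk_is_well_formed "$prk" || { echo "malformed personal recovery key" >&2; return 1; }
    "$DISKUTIL" apfs unlockVolume "$vol" -passphrase "$prk" || return 1
    uuid=$("$DISKUTIL" apfs listCryptoUsers "$vol" | select_local_user_uuid) \
        || { echo "no single Local Open Directory User on $vol" >&2; return 1; }
    "$DISKUTIL" apfs decryptVolume "$vol" -user "$uuid"
}

# Constructed sample, approximating `diskutil apfs listCryptoUsers disk2s1`.
SAMPLE_CRYPTOUSERS='Cryptographic users for disk2s1 (3 found)
|
+-- 4F2B1C3A-9D8E-4A7B-B6C5-0123456789AB
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
|   Type: Personal Recovery User
|
+-- 64C0C6EB-0000-11AA-AA11-00306543ECAC
    Type: iCloud Recovery User'

# Stand-alone run: show which UUID the parser would choose from the sample,
# and only touch a real volume when a volume and key are given as arguments.
if uuid=$(printf '%s\n' "$SAMPLE_CRYPTOUSERS" | select_local_user_uuid); then
    echo "sample: would decrypt with local user UUID $uuid"
fi
if [ "$#" -eq 2 ]; then
    recover_apfs_volume "$1" "$2"
fi
```

The parser keys on the `+--` prefix and the `Type:` line rather than on column positions, so it tolerates the tree drawing changing between macOS versions as long as those two markers remain; if diskutil ever lists two local users, the function refuses rather than guessing. Passing the key with `-passphrase` matches the page's step 2; the DISKUTIL=echo dry run lets an administrator read the exact commands before running them on the locked Mac.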

Installing the Server Hotfix for Native Encryption Management

You must install a Hotfix on the Endpoint Security Management Server to make it possible to manage native FileVault encryption.

The R77.30.03 Hotfix and the R77.20 EP6.2 Hotfix are available for download on the E84.30 home page.

Note -

  • Native Encryption Management can be installed as a clean install or as an upgrade from the E80.71 Native Encryption Management hotfix.

  • This solution is fully integrated in R80.20 and higher.

To install the R77.30.03 Hotfix:

  1. Take a snapshot of the server, to save a backup.

  2. Copy uepm_HOTFIX_FLUORINE_NEM_010.tgz to the server.

  3. Make a temporary directory:

    # mkdir /home/admin/temp

  4. Extract the installation files to the temporary directory:

    # tar -zxvf uepm_HOTFIX_FLUORINE_NEM_010.tgz -C /home/admin/temp/

  5. Go to the temporary directory and run the installation executable file:

    # cd /home/admin/temp

    # ./uepm_HOTFIX_FLUORINE_NEM_010

  6. Reboot.

To install the R77.20 EP6.2 Hotfix:

  1. Take a snapshot of the server, to save a backup.

  2. Copy uepm_HOTFIX_R77_20_EP6_2_NEM_001.tgz to the server.

  3. Make a temporary directory:

    # mkdir /home/admin/temp

  4. Extract the installation files to the temporary directory:

    # tar -zxvf uepm_HOTFIX_R77_20_EP6_2_NEM_001.tgz -C /home/admin/temp/

  5. Go to the temporary directory and run the installation executable file:

    # cd /home/admin/temp

    # ./uepm_HOTFIX_R77_20_EP6_2_NEM_001

  6. Reboot.