Installing and Using Native Encryption Management

Native Encryption Management replaces Full Disk Encryption.

How to manage user acquisitions of mobile accounts using Full Disk Encryption on macOS 10.13 or later: sk122674.

SmartEndpoint Settings for Native Encryption Management

Only these settings can be used to manage the Native Encryption Management feature on the client:

  • Recovery

    • Full Disk Encryption - Native Encryption Recovery Media.

    • Full Disk Encryption - Native Encryption Remote Help.

  • User Acquisition

    • Full Disk Encryption - Pre-boot enforcement will begin after the acquisition process has acquired X user(s).

  • Volume Encryption

    • Only protection of the system volume is supported.

  • Deployment

    • Download Mac Client - select the Full Disk Encryption feature.

Password Reset and Data Recovery

You can help users recover FileVault-encrypted data if they can't log in to their Mac.

You can help users recover their data or reset their password using a personal recovery key that is unique to the client computer. Resetting the password can be done remotely.

Password Reset Using a Personal Key

If a user forgets the login password, the administrator can send a personal recovery key to the remote user, to allow them to log in. The key is a string of letters and numbers separated by dashes.

  1. Find the serial number of the locked device. It is usually printed on the back of the device.

  2. Give the serial number to the support representative.

  1. Get the serial number of the locked device from the user.

  2. In SmartEndpoint, select Users and Computers.

  3. In Global Actions, click Native Encryption Recovery Media.

  4. In the Native Encryption Remote Help window, type the Serial Number.

  5. Click Get Recovery Key.

  6. Give the recovery key to the user.

  1. Get the Recovery Key from the support representative.

  2. Restart the Mac.

  3. In the FileVault pre-boot screen, click the ? button.

    A message shows: If you forgot your password you can reset it using your Recovery Key.

  4. Type the Recovery Key, and click ->.

    progress bar shows.

  5. For Local Users:

    1. In the Reset Password window, the user enters a new password, and optionally, a password hint.

    2. Click Reset Password.

How to update the Personal Recovery Key (PRK) for Native Encryption Management FileVault, see sk138352.

Mac Recovery Using a Personal Key

A personal key is unique to the client Mac computer or device. The key is a string of letters and numbers separated by dashes.

To recover a user's FileVault-encrypted Mac using the personal key, the administrator reads the key to the user, and uses the key to decrypt and unlock the computer.

To decrypt and recover the user's FileVault-encrypted Mac:

  1. Show the disk volumes on the Mac. Run the command:

    diskutil apfs list

    The volume to recover is the OS Volume. It has a name similar to disk2s1.

  2. Run this command:

    diskutil apfs unlockVolume <Diskname> -passphrase <Personal Recovery Key>

    The volume is now unlocked.

  3. Get the list of apfs cryptousers. Run:

    diskutil apfs listcryptousers <Diskname>

    For example:

    diskutil apfs listcryptousers disk2s1

    For a local user, select the UUID of the user that has:

    Type: Local Open Directory User

  4. Decrypt the volume. Run:

    diskutil apfs decryptVolume <Diskname> -user <User UUID>

  5. Enter the password of the local user.

  6. To monitor progress of the decryption, run:

    diskutil apfs list

  1. Run this command:

    diskutil cs unlockVolume <lvUUID> -passphrase <Personal Recovery Key>

  2. The user interface shows a prompt to allow access.

    Enter the keychain password.

    The volume is now unlocked.

  3. Start the decryption. Run:

    diskutil cs decryptVolume <lvUUID>

  4. When prompted, enter the password for the local user.

  5. To monitor progress of the decryption, run:

    diskutil cs list

The user can now reboot the Mac normally.

They do not see the FileVault pre-boot screen.

Installing the Server Hotfix for Native Encryption Management

You must install a Hotfix on the Endpoint Security Management Server to make it possible to manage native FileVault encryption.

The R77.30.03 Hotfix and the R77.20 EP6.2 Hotfix are available for download on the E86.20 home page.

Notes:

  • Native Encryption Management can be installed as a clean install and an upgrade from the E80.71 Native Encryption Management Hotfix.

  • This Hotfix is fully integrated in R80.20 and higher.

  1. Take a snapshot of the Endpoint Security Management Server, to save a backup.

  2. Transfer the Hotfix package to the Endpoint Security Management Server:

    • For the R77.30.03 Hotfix:

      uepm_HOTFIX_FLUORINE_NEM_010.tgz

    • For the R77.20 EP6.2 Hotfix:

      uepm_HOTFIX_R77_20_EP6_2_NEM_001.tgz

    Important - Make sure to use the binary mode.

  3. Connect to the command line on the Endpoint Security Management Server.

  4. Log in to the Expert mode.

  5. Create a temporary directory:

    mkdir /home/admin/temp

  6. Extract the Hotfix package files to the temporary directory:

    • For the R77.30.03 Hotfix:

      tar -zxvf uepm_HOTFIX_FLUORINE_NEM_010.tgz -C /home/admin/temp/

    • For the R77.20 EP6.2 Hotfix:

      tar -zxvf uepm_HOTFIX_R77_20_EP6_2_NEM_001.tgz -C /home/admin/temp/

  7. Go to the temporary directory and run the installation file:

    cd /home/admin/temp

  8. Run the Hotfix installation file:

    • For the R77.30.03 Hotfix:

      ./uepm_HOTFIX_FLUORINE_NEM_010

    • For the R77.20 EP6.2 Hotfix:

      ./uepm_HOTFIX_R77_20_EP6_2_NEM_001

  9. Reboot the Endpoint Security Management Server.