Installing and Using Native Encryption Management

Native Encryption Management replaces Full Disk Encryption.

To learn how to manage user acquisitions of mobile accounts using Full Disk Encryption on macOS 10.13 or later, see sk122674.

SmartEndpoint Settings for Native Encryption Management

Only these settings can be used to manage the Native Encryption Management feature on the client:

  • Recovery

    • Full Disk Encryption - Native Encryption Recovery Media.

    • Full Disk Encryption - Native Encryption Remote Help.

  • User Acquisition

    • Full Disk Encryption - Pre-boot enforcement will begin after the acquisition process has acquired X user(s).

  • Volume Encryption

    • Only protection of the system volume is supported.

  • Deployment

    • Download Mac Client - select the Full Disk Encryption feature.

Password Reset and Data Recovery

You can help users recover FileVault-encrypted data if they can't log in to their Mac.

You can help users recover their data or reset their password using a personal recovery key that is unique to the client computer. Resetting the password can be done remotely.

Password Reset Using a Personal Key

If a user forgets the login password, the administrator can send a personal recovery key to the remote user, to allow them to log in. The key is a string of letters and numbers separated by dashes.

To learn how to update the Personal Recovery Key (PRK) for Native Encryption Management FileVault, see sk138352.

Mac Recovery Using a Personal Key

A personal key is unique to the client Mac computer or device. The key is a string of letters and numbers separated by dashes.

To recover a user's FileVault-encrypted Mac using the personal key, the administrator reads the key to the user, and uses the key to decrypt and unlock the computer.

To decrypt and recover the user's FileVault-encrypted Mac:

The user can now reboot the Mac normally.

They do not see the FileVault pre-boot screen.

Installing the Server Hotfix for Native Encryption Management

You must install a Hotfix on the Endpoint Security Management Server to make it possible to manage native FileVault encryption.

The R77.30.03 Hotfix and the R77.20 EP6.2 Hotfix are available for download on the E86.20 home page.

Notes:

  • Native Encryption Management can be installed either as a clean install or as an upgrade from the E80.71 Native Encryption Management Hotfix.

  • This Hotfix is fully integrated in R80.20 and higher.