In Workspace ONE UEM 1904 and macOS Intelligent Hub 19.04, FileVault 2 Encryption and Recovery Key management has been completely redesigned to provide a better user experience and to more reliably support macOS as it evolves.
Technical Overview of Functionality
A fundamental change has been made to how this profile works for FileVault enablement: For enablement of FileVault on non-encrypted machines, the profile now uses MDM deferred enablement to kick off the encryption process during Logout or Login. This mechanism has proved to be much more reliable in dealing with encryption nuances like Secure Token.
For Personal Recovery Key Escrow: On macOS 10.12 and lower, Recovery Key Escrow is done through a redirect URL endpoint (UEM Console endpoint URL is automatically seeded in the profile). When a Recovery Key is generated, while the FileVault profile is installed, macOS will automatically send the Recovery Key to the endpoint. Since this escrow request is similar to a UDP request, it’s possible for this communication to sometimes fail with no automatic built-in remediation by the OS.
- Intelligent Hub 19.04 can help address this on macOS 10.12 and higher by periodically checking with the UEM Console to see if the key has reached the endpoint. If it hasn’t within 24hours, then Hub 19.04 will again prompt the user for their password, use the password to rotate the key via fdesetup, and again wait for macOS to send the key to the UEM Console redirection endpoint. Hub 19.04 will repeat this process until it detects from UEM Console that the key has been escrowed.
- Please note that Intelligent Hub 19.04 is only supported on macOS 10.12 or higher.
On macOS 10.13 and higher, Recovery Key Escrow has been improved significantly by Apple to provide a more reliable mechanism and leverage existing native MDM commands. When a Recovery Key is generated while a FileVault profile is installed, an encrypted file containing the key will be generated at /var/db/FileVaultPRK.dat. This file is collected during every MDM SecurityInformation sample. This means that even if the Recovery Key is locally rotated (e.g. sudo fdesetup changerecovery -personal), the next Security sample will automatically pick up the change. Hub 19.04 watches the /var/db/FileVaultPRK.dat path to ensure this file exists. If the file does exist, Hub will do nothing because the MDM Security Information sample will take care of the escrow. If the file is determined to be missing, Hub 19.04 will prompt the user for their password and use the password to rotate the key via fdesetup. On the next UEM Console Security sample sync, the newly rotated key will be escrowed.
Important note regarding FileVaultPRK.dat file
Currently this file is automatically removed by macOS any time the FileVault profile is updated with a new version, reinstalled, or removed. Since Hub 19.04 will detect this file state change, it will again prompt the user for their password to rotate the key as long as a FileVault profile is still installed. This means, any updates made to the profile will always re-prompt users for their password to ensure the Recovery Key can continue to be escrowed via native MDM.
How to migrate to the new Disk Encryption profile
When your UEM Console server is upgraded to 1904, you will be able to migrate your existing FileVault Disk Encryption profile to the improved version with more flexibility over both native MDM behavior and also Hub 19.04 behavior.
To migrate to the new profile:
- Navigate to Devices > Profiles and Resources > Profiles and find the Disk Encryption profile.
- Click the pencil icon to edit the profile.
- Navigate to the Disk Encryption payload and click Add Version
- Carefully review the entire payload, as it contains many new options and areas for customization to the user-experience (see below for more information). Make changes to the default values to best fit your organization’s needs and policies.
- Once you are finished, click Save and Publish to deploy the updated profile out to devices.
Note: When the new profile is installed, users will receive a notification to either log out or to enter their password. Please see below for details on the end-user experience in each scenario.
Changes to End-User Experience
Case 1: Device is not encrypted and FileVault needs to be enabled
Hub 19.04 has been redesigned to deliver a much less intrusive experience for users, while providing enforcement capabilities for administrators to ensure encryption compliance is met within a reasonable timeframe.
When the new UEM Console 1904 Disk Encryption profile is installed, Hub 19.04 will display a notification to the user asking them to logout. The title and info text in this notification can be customized in the Disk Encryption profile.
When the user logs out, before the macOS Login Window appears, they will get a prompt from the OS for their password:
When they enter their password and click OK, the FileVault enablement process will begin:
(Optional) If you have selected in the profile for the user to be able to see the Recovery Key, they will see it once FileVault enablement is finished. This is not recommended.
When the FileVault enablement is finished, or when the user clicks Continue on the FileVault Recovery Key prompt, they will be able to log back in at the Login Window.
Case 2: Device is already FileVault encrypted but the Recovery Key is not escrowed to UEM
Hub 19.04 has been redesigned to provide a much less intrusive experience for users, while providing recovery key escrow capabilities when a device is already encrypted.
When the new UEM Console 1904 Disk Encryption profile is installed, Hub 19.04 will display a notification to the user asking them to enter their password. The title and info text in this notification can be customized in the Disk Encryption profile.
The user can choose to dismiss this notification. But in the profile, you can set how often this notification will reappear. If the user clicks Continue, they will receive the following prompt.
The user can also dismiss this prompt. But the notification will just reappear again on the next scheduled interval set in the profile. If the user enters their password incorrectly, the prompt will indicate an Incorrect Password error. If the password is entered correctly and the key rotation is successful, a success prompt will appear. The title and info text in this prompt can also be customized in the Disk Encryption profile.
The success prompt will also show the recovery key to the user if this is enabled in the Disk Encryption profile. This is not recommended.
Important Note regarding Recovery Key rotation
If any OS error occurs while Hub attempts to run sudo fdesetup changerecovery -personal, these errors will count against the Retries before error message number specified in the Disk Encryption profile.
Historical trends have shown us that some devices simply need IT touch to fix some encryption issues in order to properly escrow a FileVault key, especially recently in some macOS versions with Secure Token issues. The goal for Hub 19.04 is to give a best effort attempt to escrow the key, but not hinder the user’s overall experience and ability to continue working. When issues like this occur, after the max number of error attempts has been reached, an error prompt will appear, and Hub will cease to notify or prompt the user again for FileVault. The title and info text in this prompt can also be customized in the Disk Encryption profile. The expectation for this prompt is to instruct the user that they need to contact IT to assist them with the issue.
When this error prompt occurs. The next troubleshooting step would be to check the logs to determine why the recovery key couldn’t be rotated. IT administrators and help desk can check the /Library/Logs/IntelligentHub/HubEventLogs.log to see the error macOS returned when the rotate command was executed.
Once the root cause is identified and fixed, then Hub 19.04 can be activated to once again ensure the key escrow lifecycle is enforced. This is done with a simple command in Terminal by an administrator:
sudo hubcli reset-recoverykey
This command will trigger Hub to display the notification requesting the user enter their password to start the process again.
Other Languages: 日本語