Reference: macOS encryption management

Encryption management policies encrypt drives on endpoints using macOS FileVault. For more information, see macOS FileVault.

Endpoint requirements

  • macOS 10.15 Catalina
  • macOS 10.14.6 Mojave
  • macOS 10.13.6 High Sierra
  • macOS 11.0 Big Sur

Configuration requirements

You must complete the following steps to configure your environment to use encryption management policies:

  1. Choose where to host the database.
  2. Install the End-User Notifications service and initialize endpoints.
  3. Install and configure Direct Connect.
  4. Install and configure the recovery portal. For more information, see Reference: Encryption management recovery portal.
  5. Create a FileVault policy.

Choose where to host the database

Before you create and enforce encryption management policies, you must create a database to store the recovery keys. That database can be hosted on the Tanium Module Server (TMS), or you can host it on your own server (self-hosted). Hosting the database on the TMS requires no additional configuration. If you host the database on your own server, refer to the next section for further information.

Create a self-hosted database to store the recovery keys

Enforce provides fields to help you create a secure connection to a Postgres or Microsoft SQL Server database to store the recovery keys.

Recovery key database requirements

  • CPU: 4 Cores
  • RAM: 8 GB
  • Hard Drive: 80 GB

Specify the information required to securely connect the database to the Tanium Module Server in the Overview > Settings > Endpoint Encryption tab in Enforce. For information, refer to Configure Endpoint Encryption settings.

Refer to User role requirements for roles that can view the recovery keys for users on the Enforce > Endpoint Encryption page. This page lists all endpoints that are encrypted through an Enforce encryption management policy. Select an endpoint and click Show Recovery Key to view the Recovery Key ID and Recovery Key for that endpoint.

Recovery keys are used to unlock the drive if a user forgets the PIN or password. The recovery key ID displays on the FileVault recovery page. The user can then retrieve the recovery key by providing the recovery key ID to the recovery portal, which you set up as part of the FileVault configuration.

As a best practice, configure the database to allow only connections from the Tanium Module Server.
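The following script is an added example (not Tanium's own code) of how to check that best practice on a self-hosted Postgres recovery key database: it audits a pg_hba.conf and reports every rule that could reach the recovery key database without TLS, from an address other than the Tanium Module Server, or with a weak authentication method. The database name enforce_recovery_keys, the role tanium and the TMS address 10.0.0.5 are assumptions, and the sample pg_hba.conf it writes is constructed. Rules are assumed to use CIDR notation for the address column; Microsoft SQL Server is not covered.

```shell
#!/bin/sh
# Added example, not Tanium's code: audit pg_hba.conf so the recovery key
# database accepts connections only from the Tanium Module Server over TLS.

TMS_ADDR="10.0.0.5/32"         # assumed Tanium Module Server address (CIDR)
RK_DB="enforce_recovery_keys"  # assumed name of the recovery key database

# audit_pg_hba FILE: prints one "WEAK:" line per offending rule and returns 1
# if any rule is weak, 0 if the file restricts the database correctly.
audit_pg_hba() {
  file=$1
  bad=0
  while IFS= read -r line; do
    # skip comments and blank lines
    case "$line" in ''|'#'*) continue ;; esac
    # columns: TYPE DATABASE USER ADDRESS METHOD (CIDR address form assumed)
    set -- $line
    type=$1; db=$2; addr=$4; method=$5
    # local (Unix socket) rules carry no address column; not reachable over the network
    [ "$type" = "local" ] && continue
    # only rules that can match the recovery key database matter
    case "$db" in all|"$RK_DB"|*",$RK_DB"*|*"$RK_DB,"*) ;; *) continue ;; esac
    if [ "$type" != "hostssl" ]; then
      echo "WEAK: '$line' does not require TLS (only hostssl rules do)"; bad=1
    fi
    if [ "$addr" != "$TMS_ADDR" ]; then
      echo "WEAK: '$line' permits source $addr; expected only $TMS_ADDR"; bad=1
    fi
    case "$method" in
      trust|password) echo "WEAK: '$line' uses auth method $method"; bad=1 ;;
    esac
  done < "$file"
  return $bad
}

# write_sample FILE: constructed pg_hba.conf with two weak rules and one
# correct rule for the recovery key database.
write_sample() {
  cat > "$1" <<'EOF'
# constructed sample pg_hba.conf
local   all                     all                            peer
host    all                     all     0.0.0.0/0              md5
host    enforce_recovery_keys   tanium  192.168.10.0/24        scram-sha-256
hostssl enforce_recovery_keys   tanium  10.0.0.5/32            scram-sha-256
hostssl other_db                app     0.0.0.0/0              scram-sha-256
EOF
}

# Usage on a real server (path is the usual PostgreSQL default, adjust as needed):
#   audit_pg_hba /var/lib/postgresql/data/pg_hba.conf
```

Only the `hostssl ... 10.0.0.5/32 ... scram-sha-256` rule passes; the `host all all 0.0.0.0/0 md5` rule and the `/24` rule are each reported twice (no TLS, and a source wider than the TMS). The rule for other_db is ignored because it cannot match the recovery key database.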

Install the End-User Notifications service and initialize endpoints

Encryption management policies use the End-User Notifications service to display notifications throughout the encryption process. This service must be installed and initialized on endpoints before you enforce encryption management policies. For more information, see Tanium End-User Notifications User Guide: Installing End-User Notifications.

If this service is not installed and pushed out to endpoints, the policy fails to enforce. In this scenario, the End-User Notifications service is listed as the enforcement failure reason.

Install and configure Direct Connect

Encryption management policies use Direct Connect to transfer encryption keys securely from the client to the recovery key database during the encryption process. This service must be installed and initialized on endpoints before you enforce encryption management policies. For more information, see Tanium Direct Connect User Guide: Installing Direct Connect.

If this service is not installed and pushed out to endpoints, the policy fails to enforce. In this scenario, the Direct Connect service is listed as the enforcement failure reason.

Install and configure the recovery portal

The recovery portal is an optional self-service website that users can access if they forget their PIN or password. This website is typically Internet-facing in a DMZ so that users who forget their PIN or password can access it from another device.

Create and enforce the encryption management policy

Create the policy and enforce it on endpoints. For more information, see Create a FileVault policy.

Endpoint workflow

After the policy is enforced and pushed out to endpoints, the encryption process takes place in several stages.

Prepare the drive for encryption

After the policy is enforced on an endpoint, a notification displays either at log out or during the next log in to instruct the user to enable FileVault encryption. The user may dismiss this message multiple times if your FileVault policy allows it.

Configure the text for this notification in the End User Notification section of the FileVault policy.

Encryption occurs

After the user enables FileVault, encryption begins.

User forgets the password

If a user with a FileVault-encrypted system forgets the login password, that user can log in to the recovery portal using the SAML authentication that you configured in the Recovery Portal tab. You can provide the URL for the recovery portal to users or have them contact the helpdesk directly.

In the recovery portal, the user enters the serial number printed on the bottom of their computer for their Recovery ID, selects the recovery key ID from the autocomplete results, and clicks Get Recovery Key. The user can use this recovery key to unlock the drive.

To enter the recovery key into their computer, the user clicks the ? in the password field when prompted for the password. Then the user clicks the arrow beside the text that reads "If you forgot your password, you can reset it using your recovery key." and enters the recovery key.

After the drive is unlocked, the user is prompted to create a new password at the next login.

If the FileVault policy uses an Institutional Recovery Key, users must start from the macOS Recovery OS (hold Command-R while booting) to enter the recovery key. See macOS: Set a FileVault recovery key for computers in your institution for details.
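To verify the state described in this workflow on an endpoint (whether FileVault is on, off, still encrypting, or decrypting after the Enforce - Decrypt FileVault package runs, and which kind of recovery key is present), the following POSIX shell functions are an added example, not Tanium's or Apple's code. They classify the text printed by the macOS `fdesetup status` command; the exact wording of the in-progress lines ("Encryption in progress: Percent completed = N") is an assumption, and the sample outputs are constructed so the functions can be exercised away from a Mac. `fdesetup haspersonalrecoverykey` and `fdesetup hasinstitutionalrecoverykey` are real fdesetup verbs that print true or false.

```shell
#!/bin/sh
# Added example, not Tanium's or Apple's code: classify FileVault state from
# the output of `fdesetup status`. On a Mac: filevault_state "$(fdesetup status)"

# filevault_state TEXT: prints on | off | encrypting | decrypting | unknown
filevault_state() {
  # in-progress lines are checked first because they appear alongside "is On"/"is Off"
  case "$1" in
    *"Encryption in progress"*) echo "encrypting" ;;
    *"Decryption in progress"*) echo "decrypting" ;;
    *"FileVault is On"*)        echo "on" ;;
    *"FileVault is Off"*)       echo "off" ;;
    *)                          echo "unknown" ;;
  esac
}

# filevault_progress TEXT: prints the percent completed if fdesetup reports one
# (assumed line form "Percent completed = 42"), otherwise nothing
filevault_progress() {
  printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# recovery_key_kinds: which recovery key types exist on this Mac (runs fdesetup,
# so it is for use on an endpoint and is not called by the offline checks)
recovery_key_kinds() {
  printf 'personal=%s institutional=%s\n' \
    "$(fdesetup haspersonalrecoverykey)" "$(fdesetup hasinstitutionalrecoverykey)"
}

# Constructed sample outputs of `fdesetup status` for offline use
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
SAMPLE_ENC="FileVault is On.
Encryption in progress: Percent completed = 42"
SAMPLE_DEC="FileVault is Off.
Decryption in progress: Percent completed = 7"

for s in "$SAMPLE_ON" "$SAMPLE_OFF" "$SAMPLE_ENC" "$SAMPLE_DEC"; do
  echo "state=$(filevault_state "$s") progress=$(filevault_progress "$s")"
done
```

An endpoint whose policy is enforced should report `on` once the user has enabled FileVault; `encrypting` means the drive is still being encrypted, and `decrypting` is what you expect to see only after the decrypt package from the removal procedure has been deployed.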

Removing FileVault encryption from an endpoint

Two steps are required to remove FileVault encryption from an endpoint:

  1. Remove the FileVault policy enforcement on the endpoint. For more information, see Remove a policy enforcement.
  2. Deploy an action to run the Enforce - Decrypt FileVault package on the endpoint. For more information, see Tanium Console User Guide: Deploying actions.

This multistep design is intentional so that encryption is not removed from a drive if an administrator inadvertently removes enforcement of the policy from an endpoint.