Reference: macOS encryption management

Encryption management policies encrypt drives on endpoints using macOS FileVault. For more information, see Apple Documentation: Use FileVault to encrypt the startup disk on your Mac.

Database configuration is not required for Tanium Cloud.

Endpoint requirements

  • macOS 10.13.6 High Sierra or later

Configuration requirements

You must complete the following steps to configure your environment to use encryption management policies:

Database configuration is not required for Tanium Cloud. See Tanium Cloud documentation for requirement information.

Choose where to host the database

Before you create and enforce encryption management policies, you must create a database to store the recovery keys. That database can be hosted on the Tanium Module Server (TMS) or you can host it on your own server (Self hosted). Hosting the database on the TMS requires no additional configuration. If you host the database on your own server, refer to the next section for further information.

Create a self hosted database to store the recovery keys

Enforce provides fields to help you create a secure connection to a Postgres or Microsoft SQL Server database to store the recovery keys.

recovery key Database Requirements

  • CPU: 4 Cores
  • RAM: 8 GB
  • Hard Drive: 80 GB

Specify the information required to securely connect the database to the Tanium Module Server in the Overview > Settings > Endpoint Encryption tab in the Enforce workbench. For more information, see Configure Endpoint Encryption settings.

See User role requirements for roles that can view the recovery keys for users on the Endpoint Encryption page in the Enforce workbench. This page lists all endpoints that are encrypted through an Enforce encryption management policy. Select an endpoint and click Show Recovery Key to view the Recovery Key ID and Recovery Key for that endpoint.

Recovery keys are used to unlock the drive if a user forgets the PIN or password. The recovery key ID displays on the FileVault recovery page. The user can then retrieve the recovery key by providing the recovery key ID to the recovery portal, which you set up as part of the FileVault configuration.

Configure the database to allow only connections from the Tanium Module Server.

Install the End-User Notifications service and initialize endpoints

Encryption management policies use the End-User Notifications service to display notifications throughout the encryption process. This service must be installed and initialized on endpoints before you enforce encryption management policies. For more information, see Tanium End-User Notifications User Guide: Installing End-User Notifications.

If this service is not installed and pushed out to endpoints, the policy fails to enforce. In this scenario, the End-User Notifications service is listed as the enforcement failure reason.

Install and configure Direct Connect

Encryption management policies use Direct Connect to transfer encryption keys securely from the client to the recovery key database during the encryption process. This service must be installed and initialized on endpoints before you enforce encryption management policies. For more information, see Tanium Direct Connect User Guide: Installing Direct Connect.

If this service is not installed and pushed out to endpoints, the policy fails to enforce. In this scenario, the Direct Connect service is listed as the enforcement failure reason.

Install and configure the recovery portal

The recovery portal is an optional self-service website that users can access if they forget their PIN or password. This website is typically Internet-facing in a DMZ so that users who forget their PIN or password can access it from another device.

Create and enforce the encryption management policy

Create the policy and enforce it on endpoints. For more information, see Create a FileVault policy.

Endpoint Workflow

After the policy is enforced and pushed out to endpoints, the encryption process takes place in several stages.

Prepare the drive for encryption

After the policy is enforced on an endpoint, a notification displays either at log out or during the next log in to instruct the user to enable FileVault encryption. The user may dismiss this message multiple times if your FileVault policy allows it.

Configure the text for this notification in the End User Notification section of the FileVault policy.

Encryption occurs

After the user enables FileVault, encryption begins.

User forgets the password

If a user with a FileVault encrypted system forgets the password to sign in, that user can sign in to the recovery portal using the SAML authentication that you configured in the Recovery Portal tab. You can provide the URL for the recovery portal to users or have them contact the helpdesk directly.

If a user with a FileVault encrypted system forgets the password to sign in, you must provide the recovery key for that system by finding it in the Endpoint Encryption > FileVault Recovery Keys page in the Enforce workbench.

In the recovery portal, the user enters the serial number printed on the bottom of their computer for their Recovery ID, selects the recovery key ID from the autocomplete results, and clicks Get Recovery Key. The user can use this recovery key to unlock the drive.

To enter the recovery key into the computer, the user clicks the ? in the password field when prompted for the password. Then the user clicks the arrow beside the text that reads "If you forgot your password, you can reset it using your recovery key." and enters the recovery key.

After the drive is unlocked, the user is prompted to create a new password the next time the user signs in.

If the FileVault policy uses an Institutional Recovery Key, users must start from the macOS Recovery OS (hold Command-R while booting) to enter the recovery key. For more information, see Apple Documentation: How to use institutional recovery keys with Intel-based Macs.

Remove FileVault encryption from an endpoint

Two steps are required to remove FileVault encryption from an endpoint:

  1. Remove the FileVault policy enforcement on the endpoint. For more information, see Remove a policy enforcement.
  2. Deploy an action to run the Enforce - Decrypt FileVault package on the endpoint. For more information, see Tanium Console User Guide: Deploying actions.

This multi-step design is intentional so that encryption is not removed from a drive if an administrator inadvertently removes enforcement of the policy from an endpoint.