Reference: macOS Encryption management

Encryption management policies encrypt drives on endpoints using macOS FileVault. For more information, see macOS FileVault.

Endpoint requirements

  • macOS 10.15 Catalina

  • macOS 10.14.6 Mojave

  • macOS 10.13.6 High Sierra

Configuration requirements

You must complete the following steps to configure your environment to use encryption management policies:

  1. Create a Postgres database to store the recovery keys.
  2. Configure the endpoint encryption settings.
  3. Install the End-User Notifications service and initialize endpoints.
  4. Install and configure Direct Connect.
  5. (Optional) Install and configure the recovery portal.
  6. Create and enforce the encryption management policy.

Detailed steps are provided in the subsequent sections.

Create a Postgres database to store the recovery keys

Before you create and enforce encryption management policies, you must create a Postgres database to store the recovery keys.

Recovery key Postgres database requirements

  • CPU: 4 Cores
  • RAM: 8 GB
  • Hard Drive: 80 GB

Specify the Postgres connection string on the Endpoint Encryption tab in the Protect settings. For more information, see Configure endpoint encryption settings.

Any user with the Protect Administrator or Protect Recovery Key Viewer role can view the recovery keys for users on the Endpoint Recovery page. This page lists all endpoints that are encrypted through a Protect encryption management policy. Select an endpoint and click Show Recovery Key to view the Recovery Key ID and Recovery Key for that endpoint.

Recovery keys are used to unlock the drive if a user forgets their login password. The recovery key ID displays on the FileVault recovery page. The user can then retrieve the recovery key by authenticating to the recovery portal through the SAML identity provider that you configure for it.

As a best practice, configure the Postgres database to accept connections only from the Module Server.
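The following script is an added example, not part of the Tanium documentation or product, of how to check that a pg_hba.conf actually implements that restriction: it flags rules that accept weak authentication methods, rules that permit unencrypted TCP from anything other than loopback, and hostssl rules whose source is broader than the Module Server. It assumes CIDR notation in the ADDRESS column, a database named recovery_keys, a service role named protect_svc and a Module Server at 10.20.30.40; all of these are placeholders.

```shell
#!/bin/sh
# Audit a pg_hba.conf for rules that let anything other than the Module Server
# reach the recovery-key database, or that accept weak authentication.
# Added example, not Tanium's code. Assumptions: rules use CIDR notation in
# the ADDRESS column (no separate netmask column), the database is named
# recovery_keys, the Protect service role is protect_svc, and the Module
# Server is 10.20.30.40.

MODULE_SERVER_CIDR="${MODULE_SERVER_CIDR:-10.20.30.40/32}"   # assumed address

# audit_pg_hba FILE
# Prints "<line>: <rule>  <- <reason>" for each offending rule.
# Exit status 0 if the file is clean, 1 if anything was flagged.
audit_pg_hba() {
  awk -v allowed="$MODULE_SERVER_CIDR" '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
      type = $1
      if (type == "local") { addr = "-"; method = $4 } else { addr = $4; method = $5 }
      reason = ""
      if (method == "trust" || method == "password" || method == "md5")
        reason = "auth method \"" method "\" is weak; use scram-sha-256 or cert"
      else if ((type == "host" || type == "hostnossl") &&
               addr != "127.0.0.1/32" && addr != "::1/128")
        reason = "permits unencrypted TCP from " addr "; use hostssl"
      else if (type == "hostssl" && addr != allowed)
        reason = "source " addr " is broader than the Module Server (" allowed ")"
      if (reason != "") { printf "%d: %s  <- %s\n", NR, $0, reason; bad++ }
    }
    END { exit (bad > 0) }
  ' "$1"
}

# Constructed sample: a default-style permissive rule, one correct rule for the
# Module Server, and one that is too broad.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# TYPE    DATABASE        USER          ADDRESS            METHOD
local     all             all                              peer
host      all             all           0.0.0.0/0          md5
hostssl   recovery_keys   protect_svc   10.20.30.40/32     scram-sha-256
hostssl   recovery_keys   protect_svc   10.0.0.0/8         scram-sha-256
EOF

if audit_pg_hba "$sample"; then
  echo "OK: only $MODULE_SERVER_CIDR can reach the recovery-key database"
else
  echo "fix the rules above, then reload: pg_ctl reload (or SELECT pg_reload_conf();)"
fi
rm -f "$sample"
```

Point audit_pg_hba at the live pg_hba.conf (its location depends on your PostgreSQL packaging) and reload PostgreSQL after editing. The listener matters as well: set listen_addresses in postgresql.conf to the interface the Module Server reaches rather than '*', so the database is not offered on every interface before pg_hba.conf is consulted.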

Configure the endpoint encryption settings

Specify the connection details for the Postgres database on the Endpoint Encryption tab in the Protect settings. For more information, see Configure endpoint encryption settings.

Install the End-User Notifications service and initialize endpoints

Encryption management policies use the End-User Notifications service to display notifications throughout the encryption process. This service must be installed and initialized on endpoints before you enforce encryption management policies. For more information, see Tanium End-User Notifications User Guide: Installing End-User Notifications.

If this service is not installed and pushed out to endpoints, the policy fails to enforce. In this scenario, the End-User Notifications service is listed as the enforcement failure reason.

Install and configure Direct Connect

Encryption management policies use Direct Connect to transfer encryption keys securely from the client to the Postgres database during the encryption process. This service must be installed and initialized on endpoints before you enforce encryption management policies. For more information, see Tanium Direct Connect User Guide: Installing Direct Connect.

If this service is not installed and pushed out to endpoints, the policy fails to enforce. In this scenario, the Direct Connect service is listed as the enforcement failure reason.

Install and configure the recovery portal

The recovery portal is an optional self-service website that users can access if they forget their password. This website is typically Internet-facing in a DMZ so that users who forget their password can access it from another device.

For detailed steps to set up the recovery portal, see Reference: Encryption management recovery portal.

Create and enforce the encryption management policy

Create the policy and enforce it on endpoints. For more information, see Create a FileVault policy.

Endpoint workflow

After the policy is enforced and pushed out to endpoints, the encryption process takes place in several stages.

Prepare the drive for encryption

After the policy is enforced on an endpoint, a notification displays either at logout or at the next login to instruct the user to enable FileVault encryption. The user can dismiss this message multiple times if your FileVault policy allows it.

Configure the text for this notification in the End User Notification section of the FileVault policy.

Encryption occurs

Once the user enables FileVault, encryption begins.

User forgets the password

If a user with a FileVault-encrypted system forgets the login password, that user can log in to the recovery portal using the SAML authentication that you configured in the ecosystem.config.js file. You can provide the URL for the recovery portal to users or have them contact the helpdesk directly.

In the recovery portal, the user enters the serial number (printed on the underside of the computer) as the Recovery ID, selects the recovery key ID from the autocomplete results, and clicks Get Recovery Key. The user can use this recovery key to unlock the drive.

To enter the recovery key, the user clicks the ? in the password field of the FileVault login screen, clicks the arrow beside the text "If you forgot your password, you can reset it using your Recovery Key", and enters the recovery key.

After the drive is unlocked, the user is prompted to create a new password at the next log in.

If the FileVault policy uses an Institutional Recovery Key, users must start from the macOS Recovery OS (hold Command-R while booting) to enter the recovery key. See macOS: Set a FileVault recovery key for computers in your institution for details.
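As an added example that is not Tanium's code, the following shell script checks an endpoint against the state the workflow above should produce: FileVault on, encryption complete rather than deferred to the next login or still in progress, and a personal or institutional recovery key present, which also decides whether the login-window recovery path or the macOS Recovery path applies. The fdesetup verbs status, haspersonalrecoverykey and hasinstitutionalrecoverykey are standard macOS commands; the parsing functions take their output as an argument so they can be exercised on captured output away from a Mac.

```shell
#!/bin/sh
# Verify that an endpoint really reached the state a FileVault policy expects:
# FileVault on (not just deferred to the next login), conversion finished, and
# a recovery key present. Added example, not Tanium's code. The parsing
# functions take command output as an argument so they can be tested offline;
# fv_report runs the real fdesetup commands and must run as root on macOS.

# fv_state STATUS_TEXT -> on | off | encrypting | decrypting
# STATUS_TEXT is the output of `fdesetup status`.
fv_state() {
  case "$1" in
    *"Decryption in progress"*) echo decrypting ;;
    *"Encryption in progress"*) echo encrypting ;;
    *"FileVault is On"*)        echo on ;;
    *)                          echo off ;;
  esac
}

# fv_percent STATUS_TEXT -> the "Percent completed" value, or 100 when no
# conversion is running.
fv_percent() {
  pct=$(printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9]*\).*/\1/p')
  echo "${pct:-100}"
}

# fv_deferred STATUS_TEXT -> exit 0 if enablement is deferred until the user's
# next login (the policy prompted, but the user has not yet enabled FileVault).
fv_deferred() {
  case "$1" in
    *"Deferred enablement"*) return 0 ;;
    *)                       return 1 ;;
  esac
}

# fv_compliant STATUS_TEXT HAS_PRK HAS_IRK -> exit 0 only if FileVault is on,
# conversion has finished, and at least one recovery key exists. HAS_PRK and
# HAS_IRK are the literal true/false printed by
# `fdesetup haspersonalrecoverykey` and `fdesetup hasinstitutionalrecoverykey`.
fv_compliant() {
  [ "$(fv_state "$1")" = on ] || return 1
  [ "$2" = true ] || [ "$3" = true ] || return 1
}

# fv_report: collect live values on macOS and print a verdict. Also says which
# recovery path applies: a personal key is entered at the login window, an
# institutional key only from macOS Recovery.
fv_report() {
  command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found; run on macOS"; return 2; }
  status=$(fdesetup status)
  prk=$(fdesetup haspersonalrecoverykey)
  irk=$(fdesetup hasinstitutionalrecoverykey)
  deferred=no; fv_deferred "$status" && deferred=yes
  printf 'state=%s percent=%s deferred=%s prk=%s irk=%s\n' \
    "$(fv_state "$status")" "$(fv_percent "$status")" "$deferred" "$prk" "$irk"
  [ "$prk" = false ] && [ "$irk" = true ] && echo "note: recovery requires macOS Recovery (Command-R)"
  if fv_compliant "$status" "$prk" "$irk"; then
    echo "verdict: compliant"
  else
    echo "verdict: NOT compliant"; return 1
  fi
}

# Run the live check only where fdesetup exists; elsewhere the parsing
# functions can be fed captured `fdesetup status` output.
if command -v fdesetup >/dev/null 2>&1; then fv_report; fi
```

A "deferred=yes" result means the notification was shown but the user has not yet enabled FileVault, so the drive is still unencrypted even though the policy is enforced; "encrypting" with a percentage means the recovery key already exists but the drive is not fully protected yet.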

Removing FileVault encryption from an endpoint

Two steps are required to remove FileVault encryption from an endpoint:

  1. Remove the FileVault policy enforcement on the endpoint. For more information, see Remove a policy enforcement.
  2. Deploy an action to run the Protect - Decrypt FileVault package on the endpoint. For more information, see Tanium Console User Guide: Deploying actions.

This two-step design is intentional: encryption is not removed from a drive merely because an administrator inadvertently removes enforcement of the policy from an endpoint.