February 04, 2025

Three ways to improve security on macOS devices with Workspace ONE UEM - part two

Enhance your macOS security with FileVault and Workspace ONE UEM. This comprehensive guide reveals how FileVault's robust encryption safeguards your data, even on removable storage. Learn to manage recovery keys efficiently, ensuring access while maintaining security. Empower your organization against endpoint attacks with streamlined, enterprise-grade data protection solutions.

Apple’s website states that Mac hardware and software are designed “with advanced technologies that work together to run apps more securely, protect your data, and help keep you safe on the web.” They build security into their products starting at the very core of their hardware platform and extend that security into the heart of their operating system. As discussed in the first post for this blog series, Apple secures macOS devices with hardware features like the Secure Enclave and AES Engine, and software features like XProtect and Gatekeeper. I also discussed how to secure the macOS device login process using Platform SSO.

According to a recent Ponemon Institute study, a staggering 68% of organizations have fallen victim to endpoint attacks that successfully compromised their data. Moreover, a whopping 28% of these attacks involved compromised or stolen devices. A seemingly innocuous incident, such as a laptop left unattended in a café or on a bus, could potentially lead to a multi-million-dollar data breach for an organization. In light of these alarming statistics, encryption on endpoint devices has become a critical component of many enterprise security policies. Fortunately, Apple has taken proactive steps to address this issue by including an encryption tool called FileVault within macOS.

In this, the second post in this three-part series, I’d like to discuss using FileVault to secure the data on your macOS devices.

FileVault

FileVault is a built-in volume encryption feature in macOS. It uses the AES-XTS encryption algorithm with a 256-bit key to encrypt the entire volume, not just the user data. By default, if your device has an Apple T2 security chip or Apple silicon, your volumes are automatically encrypted. But you can turn on FileVault to add an extra layer of security by preventing anyone from decrypting the data without entering your login password. It relies on built-in hardware security components: the Secure Enclave and AES engine in the T2 chip and in Apple silicon. It can encrypt both internal volumes and removable storage. FileVault protects the data on the volume even if the volume is removed from the device and attached to another.

Recovery keys

On macOS, users can turn FileVault on and off through System Settings. But businesses can use Workspace ONE UEM to control FileVault using device profiles. This way, they can set the company’s FileVault rules and stop users from turning it off. When FileVault is first enabled, the user sees a recovery key. This is important in case they forget their password. We all know that never happens, right? Without the password or the recovery key, the data on the volume stays encrypted. There’s no way to get it back. Of course, IT admins have to be concerned about how users keep the recovery key safe. Is it stuck on a sticky note on the screen? Or is it saved as a screenshot on the device? Luckily, if FileVault is configured through device profiles, Workspace ONE UEM can store recovery keys, making them available to administrators in the console.

Additionally, the end user can view the recovery key in Intelligent Hub. If, for example, the end user forgets their password and needs to recover their volume, they can launch Intelligent Hub on another enrolled device, such as an iPhone or iPad, to retrieve the recovery key for their macOS device. Under Support, the end user can select their macOS device, click on Encryption, and access their current recovery key.

The end user can also access the recovery key in the Workspace ONE Self-Service Portal.

Institutional FileVault recovery key

Workspace ONE also lets businesses set an institutional recovery key, meaning the same key is used across all macOS devices. Just a heads up: the institutional recovery key must be created and exported from a macOS device and uploaded into the Workspace ONE console before pushing a FileVault profile out to devices. The recovery key won’t change on any devices that already have FileVault configured.

Disk encryption profile

In Workspace ONE, the macOS Disk Encryption profile lets you customize FileVault settings. You can choose whether to use an institutional key or a personal key for each device. You can also set the FileVault user, decide when the user is prompted to enter their password to enable FileVault, choose whether the recovery key is displayed to the user, and set other options. You can also use the Disk Encryption profile to “force enable” FileVault during the macOS Setup Assistant, ensuring that the device volume is encrypted during setup.
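The settings described above (enforcing FileVault, escrowing the personal recovery key to the console, and stopping the user from turning FileVault off) are all expressed on the Mac as keys in Apple's FileVault, recovery-key escrow and restrictions payloads. As an added example that is not part of this post or Workspace ONE's own code, the block below builds such a profile with Python's plistlib and audits it for the weak choices an admin could make; the payload identifiers, the "example" display names and the escrow certificate UUID are assumptions, and which keys the UEM console actually emits is not shown on this page.

```python
import plistlib
import uuid

def _payload(ptype, ident, **keys):
    # one payload dictionary carrying the mandatory Apple Payload* keys
    return {"PayloadType": ptype, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1, **keys}

def build_filevault_profile(escrow_cert_uuid=None, max_bypass=0,
                            show_recovery_key=False, block_disable=True):
    """Return a FileVault configuration profile as plist bytes. escrow_cert_uuid
    (assumed) names a separately installed certificate payload the recovery key
    is encrypted to; None means the key is generated but never escrowed."""
    fv = _payload("com.apple.MCX.FileVault2", "example.fv2",
                  Enable="On",
                  Defer=True,            # prompt at login/logout, not mid-session
                  UseRecoveryKey=True,   # generate a personal recovery key
                  ShowRecoveryKey=show_recovery_key,
                  ForceEnableInSetupAssistant=True,   # encrypt during Setup Assistant
                  DeferForceAtUserLoginMaxBypassAttempts=max_bypass)  # -1 = unlimited skips
    content = [fv]
    if escrow_cert_uuid:
        fv["PayloadCertificateUUID"] = escrow_cert_uuid
        content.append(_payload("com.apple.security.FDERecoveryKeyEscrow", "example.escrow",
                                Location="Workspace ONE UEM console",  # text shown to user
                                EncryptCertPayloadUUID=escrow_cert_uuid))
    if block_disable:
        content.append(_payload("com.apple.MCX", "example.restrictions",
                                dontAllowFDEDisable=True))  # user cannot turn FileVault off
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.filevault", "PayloadUUID": str(uuid.uuid4()),
                           "PayloadDisplayName": "FileVault (example)", "PayloadContent": content})

def audit_filevault_profile(data):
    """Return the settings a reviewer would flag before pushing the profile."""
    payloads = {p["PayloadType"]: p for p in plistlib.loads(data)["PayloadContent"]}
    fv = payloads.get("com.apple.MCX.FileVault2", {})
    escrow = payloads.get("com.apple.security.FDERecoveryKeyEscrow")
    findings = []
    if fv.get("Enable") != "On":
        findings.append("FileVault is not enforced")
    if escrow is None:
        findings.append("recovery key is not escrowed: only the user will hold it")
    elif escrow.get("EncryptCertPayloadUUID") != fv.get("PayloadCertificateUUID"):
        findings.append("escrow certificate UUID does not match the FileVault payload")
    if fv.get("DeferForceAtUserLoginMaxBypassAttempts", -1) < 0:  # Apple default is -1
        findings.append("user can postpone enabling FileVault indefinitely")
    if not payloads.get("com.apple.MCX", {}).get("dontAllowFDEDisable"):
        findings.append("user can turn FileVault off in System Settings")
    return findings
```

Run `audit_filevault_profile(build_filevault_profile(escrow_cert_uuid="..."))` on a profile before deployment; an empty list means the key is escrowed, the user cannot postpone encryption forever, and FileVault cannot be switched off from System Settings.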

Summary

Data encryption is a must-have security measure. No serious security team would say it’s not important. If they do, they should probably be replaced. FileVault is a top-notch data protection tool that keeps your data safe from unauthorized access, secures all your data at rest on the disk, and even protects removable volumes. And the best part? It can quickly make any data inaccessible with a simple wipe of the cryptographic material. Plus, Workspace ONE makes FileVault super easy to manage. Administrators can be confident that data on their managed macOS devices is secure and recovery keys are securely stored and easily accessible in the Workspace ONE console when needed.

If you missed the first installment of this series, check it out on Tech Zone:

Watch for the final part of this series coming in two weeks.
