Use Fleetsmith to encrypt Mac computers with FileVault

Fleetsmith uses asymmetric encryption to help ensure the privacy of FileVault recovery keys. Fleetsmith encrypts your device’s recovery keys using an encryption certificate you generate. Next, you use an RSA key generated in the same step to access a device’s recovery key.

The encryption certificate and private key are a matching pair. If a new encryption certificate is generated, only the private key generated with it will work. If there are other admins on your team who need access to the private key, try using a password manager to securely store that key in a shared place. If you generate a new encryption certificate and private key pair, the previous pair is no longer valid.

If you choose to create your own encryption certificate instead of using the command below, the file must be a PEM-encoded certificate with an RSA public key of at least 2048 bits.

1. Open the Terminal app, and paste the text below, then press Enter.

   CN=$(LC_ALL=C tr -dc A-Z0-9 </dev/urandom | head -c 8)openssl req -newkey rsa:2048 -nodes \-keyout ~/Documents/FleetsmithFileVaultKeyEncryptionPrivateKey_$CN.pem \-x509 -days 99999 \-subj "/CN=Fleetsmith FileVault Key Encryption Cert ($CN)" \-out ~/Documents/FleetsmithFileVaultKeyEncryptionCert_$CN.pem

   This code generates two files in your Documents folder:

   • An RSA private key: Which outputs to a file named FleetsmithFileVaultKeyEncryptionPrivateKey_[id].pem

   • A certificate: Which outputs to a file named FleetsmithFileVaultKeyEncryptionCert_[id].pem

   Important: Keep your RSA private key safe. If you lose this file, you won’t be able to decrypt any devices.

2. In the Fleetsmith Admin Console, upload the certificate that you created in step 1 named FleetsmithFileVaultKeyEncryptionCert.pem.

   Apple stores the recovery keys until the above process is complete.

To provide you with the most security, FileVault recovery keys are not visible in the Fleetsmith Admin Console after an encryption certificate is added. To view the recovery keys, you must do the following:

1. In the Fleetsmith Admin Console, navigate to the Device Details page for the desired device, then select Download Recovery Key.

   Unless you specify otherwise, the encrypted key is put in your Downloads folder by default.

2. Using the Terminal app, navigate to the folder containing your private key that pairs with your encryption certificate.

3. Modify the command below to specify your downloaded key and private key’s filenames, then run it.

   This command decrypts the FileVault key and creates a plaintext document that you can view the key in. Replace YourDownloadedKey and YourPrivateKey with your respective file names. Also, this command presupposes your downloaded key is in your Downloads folder. If it isn’t, enter the correct location.

   openssl smime -decrypt -inform der \-in ~/Downloads/YourDownloadedKey.dat \-inkey YourPrivateKey.pem \> FileVaultRecoveryKey.txt

You can reescrow a Recovery Key into Fleetsmith with the steps below. This must be done on the device, not through MDM.

1. Open the Terminal app on the device, then paste in the following code (all on one line):

   sudo /usr/bin/fdesetup changerecovery -personal -outputplist | sudo tee /opt/fleetsmith/data/fvrk.plist

2. When prompted, enter the local password to execute the command (the password won’t be visible).

3. When prompted again, enter the user name and then the password a second time. After approximately 10 minutes, the device has a new recovery key, which is escrowed in Fleetsmith.

When using the Review and Fix option for encryption on Mac computers, keep in mind that these changes won’t be immediate. Enabling FileVault across your fleet takes time. If you see the gray spinning icon for encryption, this means Mac computers are still in the process of encrypting.

In order for Mac computers to encrypt their storage:

• Your computers have to check in (be powered on and connected to the internet).

• After checking in, your users are given a 30-minute grace period so their computers don’t suddenly reboot.

• After the grace period, a restart should occur and the encryption process should begin. Encryption can take hours depending on the storage size of the Mac.

• After encryption is complete, the computer checks in to Fleetsmith with the updated encrypted states. The gray spinning icon turns to green to indicate that all Mac computers have completed encryption.