Intune supports macOS FileVault disk encryption. FileVault is a whole-disk encryption program that is included with macOS. You can use Intune to configure FileVault on devices that run macOS 10.13 or later.
Use one of the following policy types to configure FileVault on your managed devices:
Endpoint security policy for macOS FileVault. The FileVault profile in Endpoint security is a focused group of settings that is dedicated to configuring FileVault.
View the FileVault settings that are available in profiles for disk encryption policy.
Device configuration profile for endpoint protection for macOS FileVault. FileVault settings are one of the available settings categories for macOS endpoint protection. For more information about using a device configuration profile, see Create a device profile in Intune.
View the FileVault settings that are available in endpoint protection profiles for device configuration policy.
To manage BitLocker for Windows 10/11, see Manage BitLocker policy.
Tip
Intune provides a built-in encryption report that presents details about the encryption status of devices, across all your managed devices.
After you create a policy to encrypt devices with FileVault, the policy is applied to devices in two stages. First, the device is prepared so that Intune can retrieve and back up the recovery key; this step is referred to as escrow. Only after the key is escrowed does the disk encryption start, so a recovery key is already held by Intune before the disk is locked.
In addition to using Intune policy to encrypt a device with FileVault, you can deploy policy to a managed device to enable Intune to assume management of FileVault when the device was encrypted by the user. This scenario requires the device to receive FileVault policy from Intune, followed by the user uploading their personal recovery key to Intune.
User-approved device enrollment is required for FileVault management to work on a device. The user must manually approve the management profile in System Preferences (System Settings on macOS 13 and later) for the enrollment to count as user-approved; without that approval, the FileVault policy doesn't take effect on the device.
Permissions to manage FileVault
To manage FileVault in Intune, your account must have the applicable Intune role-based access control (RBAC) permissions.
Following are the FileVault permissions, which are part of the Remote tasks category, and the built-in RBAC roles that grant the permission:
Get FileVault key:
- Help Desk Operator
- Endpoint security manager
Rotate FileVault key:
- Help Desk Operator
Create device configuration policy for FileVault
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > Configuration profiles > Create profile.
On the Create a profile page, set the following options, and then click Create:
- Platform: macOS
- Profile type: Templates
- Template name: Endpoint protection
On the Basics page, enter the following properties:
Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform.
Description: Enter a description for the policy. This setting is optional, but recommended.
On the Configuration settings page, select FileVault to expand the available settings:
Configure the following settings:
For Enable FileVault, select Yes.
For Recovery key type, select Personal key.
For Escrow location description of personal recovery key, add a message to help guide users on how to retrieve the recovery key for their device. This information can be useful for your users when you use the setting for Personal recovery key rotation, which can automatically generate a new recovery key for a device periodically.
For example: To retrieve a lost or recently rotated recovery key, sign in to the Intune Company Portal website from any device. In the portal, go to Devices and select the device that has FileVault enabled, and then select Get recovery key. The current recovery key is displayed.
Configure the remaining FileVault settings to meet your business needs, and then select Next.
On the Scope (Tags) page, choose Select scope tags to open the Select tags pane to assign scope tags to the profile.
Select Next to continue.
On the Assignments page, select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles. Select Next.
On the Review + create page, when you're done, choose Create. The new profile is displayed in the list when you select the policy type for the profile you created.
Create endpoint security policy for FileVault
Sign in to the Microsoft Endpoint Manager admin center.
Select Endpoint security > Disk encryption > Create Policy.
On the Basics page, enter the following properties, and then choose Next.
- Platform: macOS
- Profile: FileVault
On the Configuration settings page:
- Set Enable FileVault to Yes.
- For Recovery key type, only Personal Recovery Key is supported.
- Configure additional settings to meet your requirements.
Consider adding a message to help guide users on how to retrieve the recovery key for their device. This information can be useful for your users when you use the setting for Personal recovery key rotation, which can automatically generate a new recovery key for a device periodically.
For example: To retrieve a lost or recently rotated recovery key, sign in to the Intune Company Portal website from any device. In the portal, go to Devices and select the device that has FileVault enabled, and then select Get recovery key. The current recovery key is displayed.
When you're done configuring settings, select Next.
On the Scope (Tags) page, choose Select scope tags to open the Select tags pane to assign scope tags to the profile.
Select Next to continue.
On the Assignments page, select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles. Select Next.
On the Review + create page, when you're done, choose Create. The new profile is displayed in the list when you select the policy type for the profile you created.
Manage FileVault
To view information about devices that receive FileVault policy, see Monitor disk encryption.
When Intune first encrypts a macOS device with FileVault, a personal recovery key is created. The device displays that key to the device user once, at the time of encryption.
For managed devices, Intune can escrow a copy of the personal recovery key. Escrow enables Intune administrators to rotate keys to help protect devices, and lets users recover a lost or rotated personal recovery key.
Intune escrows a recovery key when Intune policy encrypts a device, or after a user uploads their recovery key for a device that they manually encrypted.
After Intune escrows the personal recovery key:
- Admins can manage and rotate the FileVault recovery keys for any managed macOS device, by using the Intune encryption report.
- Admins can view the personal recovery key for only managed macOS devices that are marked as corporate. They can’t view the recovery key for personal devices.
- Users can view and retrieve their personal recovery key from a supported location. For example, from the Company Portal website, the user can choose to Get recovery key as a remote device action.
Assume management of FileVault on previously encrypted devices
Intune can't manage FileVault disk encryption on a macOS device that was encrypted by a device user unless you apply FileVault policy through Intune. There are two methods you can use that enable Intune to take over management of FileVault in this scenario:
- Upload a personal recovery key to Intune – Use this method when the user knows their personal recovery key.
- The user generates a new recovery key on the device – Use this method if the personal recovery key isn’t known by the user.
Both methods require that the device has active policy from Intune that manages FileVault encryption. To deliver this policy, you can use an endpoint security disk encryption profile, or a device configuration endpoint protection profile to encrypt devices with FileVault.
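The conditions above (enrollment must be user-approved, and the takeover path depends on whether the disk is already encrypted and whether the user still has the key) can be checked on the Mac before you send the user to the Company Portal. The following is an added example, not Microsoft's or Intune's code. It runs only two real macOS commands, fdesetup status and profiles status -type enrollment, parses their text output, and prints which path applies. The function names, the state tokens, the KEY_KNOWN environment variable (a hypothetical switch for whether the user still has the key) and the sample output used when the script isn't run on macOS are this example's own.

```shell
#!/bin/sh
# Pre-flight for handing an already-enrolled Mac's FileVault over to Intune.
# Added example, not Microsoft's or Intune's code. Only two real macOS commands are
# used: `fdesetup status` and `profiles status -type enrollment`; their text output
# is parsed below. The sample output used off macOS is constructed for this example.

# fv_state "<fdesetup status output>" -> on | off | encrypting | decrypting | unknown
fv_state() {
  case "$1" in
    *"Encryption in progress"*) echo encrypting ;;
    *"Decryption in progress"*) echo decrypting ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# mdm_state "<profiles status -type enrollment output>" -> user-approved | enrolled | none
# Intune's FileVault policy needs user-approved enrollment; a plain "Yes" means the
# management profile was installed but never approved in System Preferences/Settings.
mdm_state() {
  case "$1" in
    *"MDM enrollment: Yes (User Approved)"*) echo user-approved ;;
    *"MDM enrollment: Yes"*)                 echo enrolled ;;
    *)                                       echo none ;;
  esac
}

# takeover_path <fv_state> <mdm_state> <key_known yes|no>
# -> blocked | wait | policy-encrypts | upload-key | rotate-on-device | unknown
takeover_path() {
  [ "$2" = user-approved ] || { echo blocked; return 0; }
  case "$1" in
    off)                   echo policy-encrypts ;;   # the Intune profile escrows a key, then encrypts
    encrypting|decrypting) echo wait ;;              # let the disk settle, then re-check
    on) [ "$3" = yes ] && echo upload-key || echo rotate-on-device ;;
    *)                     echo unknown ;;
  esac
}

# Human-readable next step for each token (hypothetical wording, this example's own).
explain() {
  case "$1" in
    blocked)          echo "Approve the management profile first; FileVault policy needs user-approved enrollment." ;;
    wait)             echo "FileVault is still encrypting or decrypting; retry when 'fdesetup status' settles." ;;
    policy-encrypts)  echo "Disk is not encrypted: the Intune FileVault profile will escrow a key, then encrypt." ;;
    upload-key)       echo "Already encrypted and the key is known: upload it via Company Portal website > Store recovery key." ;;
    rotate-on-device) echo "Already encrypted, key unknown: run 'sudo fdesetup changerecovery -personal', then sync the device." ;;
    *)                echo "Unrecognized fdesetup output; inspect it manually." ;;
  esac
}

# On a Mac run the real commands; elsewhere use constructed sample output so the logic still runs.
if [ "$(uname)" = Darwin ]; then
  fv_out=$(fdesetup status)
  mdm_out=$(profiles status -type enrollment)
else
  fv_out='FileVault is On.'                    # constructed sample
  mdm_out='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'           # constructed sample
fi
path=$(takeover_path "$(fv_state "$fv_out")" "$(mdm_state "$mdm_out")" "${KEY_KNOWN:-no}")
echo "$path: $(explain "$path")"
```

Run it as the enrolled user with KEY_KNOWN=yes or unset; neither command it calls needs sudo. A result of blocked means the rest of this section can't succeed until the user approves the management profile.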
Upload a personal recovery key
To enable Intune to manage FileVault on a previously encrypted device, the user who encrypted the device can use the Company Portal website to upload their personal recovery key for the device to Intune. Upload of the key enables Intune to assume management of the encryption.
Upon upload, Intune rotates the key to create a new personal recovery key. Intune stores the new key for future recovery needs and makes it available to the device user.
Prerequisites:
The encrypted device must have an Intune FileVault policy for disk encryption.
Before Intune can assume management of encryption of a user-encrypted device, that device must receive an Intune FileVault policy for disk encryption.
Use either an endpoint security disk encryption profile, or a device configuration endpoint protection profile to encrypt devices with FileVault.
The user who encrypted the device must have access to their personal recovery key for the device and be directed to upload it to Intune.
Intune doesn’t alert users that they must upload their personal recovery key to complete encryption. Instead, use your normal IT communication channels to alert users who have previously encrypted their macOS device with FileVault that they must upload their personal recovery key to Intune.
Note
Based on your compliance policy, devices might be blocked from accessing corporate resources until Intune successfully assumes management of FileVault encryption on the device.
Upload a personal recovery key to Intune:
After the device receives the FileVault profile, direct the user to use the Company Portal website.
In the Company Portal website, the user locates their encrypted macOS device and selects the option Store recovery key.
The user must enter their personal recovery key, and Intune then attempts to rotate the key to generate a new key.
- If the key rotation is successful, Intune stores the new key for future use, and makes the key available to the user should the user need to recover their device.
- If the key rotation fails, then either the device hasn't processed the FileVault policy yet, or the key that was entered isn't the device's current personal recovery key.
After successful rotation, a user can retrieve their new personal recovery key from a supported location.
For more information, see end-user content for upload of the personal recovery key.
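The rotation in the Company Portal fails when the key the user types isn't the Mac's current personal recovery key, and users often paste it with spaces, in lowercase or with dashes dropped. The following is an added example, not Microsoft's or Apple's code: it normalizes and shape-checks a key before upload, and on a Mac confirms with the real fdesetup validaterecovery verb that it is the disk's current key. It assumes the displayed format of six dash-separated groups of four alphanumerics; the function names are this example's own. The same check is useful for the key printed by fdesetup changerecovery before the user records it.

```shell
#!/bin/sh
# Checks a FileVault personal recovery key before it is pasted into the Company Portal
# website's "Store recovery key" page. Added example, not Microsoft's or Apple's code.
# Assumption: personal recovery keys are shown as six groups of four characters,
# XXXX-XXXX-XXXX-XXXX-XXXX-XXXX. `fdesetup validaterecovery` is a real macOS verb that
# prompts for a key and reports whether it is the disk's current recovery key.

# normalize_prk: drop whitespace and dashes, uppercase, then re-group into fours.
normalize_prk() {
  raw=$(printf '%s' "$1" | tr -d ' \t\n-' | tr '[:lower:]' '[:upper:]')
  printf '%s' "$raw" | sed 's/\(....\)/\1-/g; s/-$//'
}

# valid_prk_format: succeeds only for 24 alphanumerics in the XXXX-...-XXXX shape.
valid_prk_format() {
  printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# check_prk <key as typed>
# Prints one of: malformed:..., well-formed:..., valid:..., rejected:...
# The fdesetup step runs only on macOS and needs sudo; elsewhere only the shape check runs.
check_prk() {
  key=$(normalize_prk "$1")
  if ! valid_prk_format "$key"; then
    echo "malformed: expected XXXX-XXXX-XXXX-XXXX-XXXX-XXXX, got '$key'"
    return 1
  fi
  if [ "$(uname)" != Darwin ]; then
    echo "well-formed: $key (fdesetup validaterecovery skipped, not macOS)"
    return 0
  fi
  echo "Enter this key at the fdesetup prompt: $key" >&2
  # validaterecovery prints true when the key unlocks this disk, false otherwise.
  if sudo fdesetup validaterecovery | grep -q true; then
    echo "valid: $key is this Mac's current personal recovery key; safe to upload"
  else
    echo "rejected: $key is well-formed but not this Mac's current key; the Intune rotation would fail"
    return 1
  fi
}

# Usage: sh check_prk.sh 'abcd-1234 efgh-5678-ijkl-9012'
if [ $# -gt 0 ]; then
  check_prk "$1"
fi
```

The normalized key is printed to stderr rather than passed on the command line so it doesn't land in shell history; the user types it at the fdesetup prompt. A rejected result saves a round trip through the Company Portal, since Intune would fail the rotation for exactly that reason.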
Generate a new recovery key on the device
To enable Intune to manage FileVault on a previously encrypted device, the user who encrypted the device can use the Terminal app on the device to rotate their personal recovery key. If the device has an active FileVault policy from Intune when the key is rotated, Intune then assumes management of the encryption.
Prerequisites:
The encrypted device must have an Intune FileVault policy for disk encryption.
Before Intune can assume management of encryption of a user-encrypted device, that device must receive an Intune FileVault policy for disk encryption.
Use either an endpoint security disk encryption profile, or a device configuration endpoint protection profile to encrypt devices with FileVault.
The device user must have access to the Terminal app on the encrypted device.
Use Terminal to generate a new personal recovery key:
After the device receives the FileVault profile, the user who encrypted the device must sign in to the device, open Terminal, and run the following two commands, in order (the cd step is harmless but not required; fdesetup lives in /usr/bin and is on the default PATH):
cd /Applications/Utilities
sudo fdesetup changerecovery -personal
When this command runs, the user is prompted for their account password. After the password is provided, the device rotates the personal recovery key and presents the new personal recovery key to the user.
After recording the new recovery key, complete the remaining prompts from the command.
After the command prompts are completed, the personal recovery key on the device has been rotated. If the device successfully received the FileVault policy, Intune assumes management of the device's encryption the next time the device checks in with Intune.
By default, the device checks in about every eight hours. To expedite device check-in, use one of the following options:
- An Intune admin can sign in to the Microsoft Endpoint Manager admin center, go to Devices, select the device, and then select Sync. This notifies the device to check in with Intune immediately.
- The device user can open the Company Portal app and go to Settings > Sync. This directs the device to immediately check for policy or profile updates.
After Intune assumes management of the encryption, a user can retrieve their new personal recovery key from a supported location.
For additional information, see end-user content for upload of the personal recovery key.
Retrieve a personal recovery key
For a macOS device that has its FileVault encryption managed by Intune, end users can retrieve their personal recovery key (FileVault key) from the following locations, using any device:
- Company Portal website (https://portal.manage.microsoft.com/)
- iOS/iPadOS Company Portal app
- Android Company Portal app
- Intune app
Administrators can view personal recovery keys for encrypted macOS devices that are marked as a corporate device. They can’t view the recovery key for a personal device.
The device that has the personal recovery key must be enrolled with Intune and encrypted with FileVault through Intune. Using the iOS Company Portal app, Android Company Portal app, the Android Intune app, or the Company Portal website, the user can see the FileVault recovery key needed to access their Mac devices.
Device users can select Devices > the encrypted and enrolled macOS device > Get recovery key. The browser will show the Web Company Portal and display the recovery key.
Rotate recovery keys
Intune supports multiple options to rotate and recover personal recovery keys. One reason to rotate a key is if the current personal key is lost or thought to be at risk.
Automatic rotation: As an admin, you can configure the FileVault setting Personal recovery key rotation to automatically generate new recovery keys periodically. When a new key is generated for a device, the key isn't displayed to the user. Instead, the user must get the key either from an admin or by using the Company Portal.
Manual rotation: As an admin, you can view information for a device that you manage with Intune and that's encrypted with FileVault. You can then choose to manually rotate the recovery key for corporate devices. You can't rotate recovery keys for personal devices.
To rotate a recovery key:
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > All devices.
From the list of devices, select the device that is encrypted and for which you want to rotate its key. Then under Monitor, select Recovery keys.
On the Recovery keys pane, select Rotate FileVault recovery key.
The next time the device checks in with Intune, the personal key is rotated. When needed, the new key can be obtained by the user through the company portal.
Recover recovery keys
Administrator: Administrators can view the personal recovery key for managed macOS devices that are marked as corporate, from the device's Recovery keys view in the admin center. They can't view recovery keys for devices marked as personal.
End-user: End users use the Company Portal website from any device to view the current personal recovery key for any of their managed devices. The macOS Company Portal app isn't among the supported locations; use the website, the iOS/iPadOS or Android Company Portal app, or the Intune app.
To view a recovery key:
Sign in to the Intune Company Portal website from any device.
In the portal, go to Devices and select the macOS device that is encrypted with FileVault.
Select Get recovery key. The current recovery key is displayed.
Next steps
Manage BitLocker policy
Monitor disk encryption
FAQs
Should you use FileVault to encrypt the disk on your Mac?
If you store sensitive information on your Mac, use FileVault so the files can't be read or copied by someone who gets hold of the machine. For example, if you carry your company's financial data on a laptop, losing it without FileVault could expose that data to whoever finds it.
Does Intune encrypt devices?
Yes. Intune can enforce BitLocker on Windows and FileVault on macOS, and it provides a built-in encryption report that shows the encryption status of all your managed devices. After Intune encrypts a Windows device with BitLocker, you can view and manage BitLocker recovery keys from the encryption report; FileVault keys for macOS devices are managed from the same report.
Can you manage Mac devices with Intune?
Yes. Use Microsoft Intune to enable or disable settings and features on macOS devices used for work. To configure and enforce those settings, create a device configuration profile and assign it to groups in your organization.
Should I turn on FileVault disk encryption on my new Mac?
Yes. A Mac without FileVault lets anyone with physical access to the device read your personal data, with no need to know your password.
Can macOS FileVault prevent ransomware?
No. FileVault encrypts the whole disk, and the password you enter at startup unlocks it for that session. Once the disk is unlocked, ransomware running on the Mac reads and writes your files like any other process, so FileVault offers no protection against it.
Does FileVault protect against hackers?
Only against offline access. While the Mac is powered on and a user has unlocked the disk by logging in, FileVault does nothing against malware or network attacks. It exists to keep your data unreadable if the computer is stolen or the drive is removed; it has nothing to do with networking or malware.
Does Intune encrypt iOS devices?
Intune enforces iOS/iPadOS device-level encryption to protect app data while the device is locked. In addition, applications can optionally encrypt app data using Intune APP SDK encryption, which uses iOS/iPadOS cryptography to apply 256-bit AES encryption to app data.
What are the disadvantages of using Microsoft Intune?
Commonly cited limitations:
- Narrow focus on mobile devices; not a full systems-management platform.
- Doesn't support server-side applications.
- Not intended for large applications.
- Doesn't have the feature set to handle complex package deployments.
What is the difference between MDM and MAM in Intune?
MDM controls apps by controlling the whole device. MAM controls individual apps and their data, for example through a vendor-supplied app catalog that customers typically can modify and through app protection policies, and doesn't require the device to be enrolled. Both MAM and MDM provide app wrapping and app containerization features.
What is the difference between MDM and Intune?
MDM is device centric: device features are configured based on who needs them. For example, you can configure a device to allow access to Wi-Fi, but only if the signed-in user is an organization account. Intune is Microsoft's MDM and MAM service; in Intune, you create policies that configure features and settings and provide security and protection.
Can Intune manage macOS updates?
Yes. You can use Microsoft Intune to manage software updates for macOS devices that are enrolled as supervised devices. This feature applies to macOS 12 and later (supervised).
Does FileVault disk encryption slow down a Mac?
Not noticeably. On current Macs the AES work is hardware accelerated, so the overhead in everyday use is negligible; the only visible cost is the initial encryption pass, which runs in the background and lets you keep using the Mac.
Does FileVault have a backdoor?
No. When FileVault is enabled, the user is prompted to create and safely store a recovery key. That key is a second credential that can unlock the disk if the account password is changed, the account is compromised, or the user forgets their credentials; it is not a hidden bypass. Anyone who holds the recovery key can decrypt the disk, which is why Intune escrows it and lets admins rotate it.
FileVault uses XTS-AES-128 encryption with a 256-bit key to encode the information on the disk. Brute-forcing a 256-bit key takes 2^128 times the computation of breaking a 128-bit key, so in practice an attacker goes after the password or the recovery key, not the cipher.
What happens if I disable FileVault on a Mac?
When you turn off FileVault, the contents of the disk are decrypted in place. Decryption can take a while, depending on how much data is stored, but you can keep using the Mac while it runs.
Is macOS vulnerable to ransomware?
Yes. Ransomware isn't only a threat to Windows; variants exist that encrypt files on macOS devices and demand payment for a decryption tool.
Do I need ransomware protection on my Mac?
The relative absence of Apple computers from published victim lists leads many Mac users to ask whether ransomware is a threat they need to worry about. It is: while rare, security researchers have documented Mac-compatible ransomware variants.
Does FileVault encrypt the whole disk?
Yes. FileVault 2 is a whole-disk encryption program that encrypts the data on a Mac so it can't be read by anyone without the decryption key or the user's account credentials.
Should you turn off FileVault on a Mac?
No. If you care about security and privacy it should stay on; most Mac users should use FileVault.
Is Macintosh HD supposed to be encrypted?
On Macs with the Apple T2 Security Chip, and on Apple silicon, data on the built-in solid-state drive is always encrypted by a hardware-accelerated AES engine, with 256-bit keys tied to a unique identifier in the chip. That hardware encryption alone doesn't protect a stolen Mac, because the chip can unlock the drive without a user password; turning on FileVault ties the volume key to the user's password, so the data stays unreadable until a valid password or recovery key is entered.