February 10, 2024

Security Without Sweat: Force Enable FileVault During macOS Setup Assistant

Starting with macOS 14, FileVault can be forced on during Setup Assistant. As an Intune admin you choose whether the personal recovery key is escrowed (so an admin can retrieve it later) or displayed to the user during Setup Assistant.

In this article, I'll walk you through enabling FileVault during the macOS Setup Assistant and show how to do it at scale with Intune, Microsoft's mobile device management (MDM) solution. Turning encryption on before the first user session starts means there is never a window in which data is written to an unprotected volume.


What is FileVault and why is it important?

FileVault is the full-volume encryption feature built into macOS. It encrypts the startup volume so that its contents can only be unlocked by a user whose password has been enabled for FileVault, or with the recovery key.

FileVault uses the AES-XTS data encryption algorithm to protect full volumes on internal and removable storage devices. FileVault on a Mac with Apple silicon is implemented using Data Protection Class C with a volume key. On Mac computers with Apple silicon and Mac computers with the Apple T2 Security Chip, encrypted internal storage devices directly connected to the Secure Enclave leverage its hardware security capabilities as well as that of the AES engine. After a user turns on FileVault on a Mac, their credentials are required during the boot process.

So, why is FileVault important? The answer is data security. We store a vast amount of personal and confidential information on our computers, including financial details, passwords, and sensitive work documents. Without encryption, the data on a lost or stolen Mac can be read by whoever holds the hardware. Note the threat FileVault addresses: offline access to the disk. It does not protect data from malware or an attacker on a running, unlocked system.

By enabling FileVault during the macOS Setup Assistant, you are taking a proactive step to safeguard your data effortlessly right from the start. The process is straightforward and requires no technical expertise, making it accessible to users of all levels.


The Challenge

Ensuring a high level of data security is paramount for any enterprise that allows Macs in its environment. Integrating Macs into an MDM solution calls for a proactive approach to safeguarding sensitive information, and the first step in that strategy is turning on FileVault, Apple's disk encryption, on every Mac as it is enrolled.

It is critical to understand that, at the time of writing, Microsoft Intune cannot turn on FileVault during initial device setup through the Settings Catalog. Microsoft lists this capability as in development, so you can expect it to be released soon:

In development - Microsoft Intune: "This article describes Microsoft Intune features that are in development."

This procedural gap poses a significant risk; it leaves a window of vulnerability where sensitive data could be exposed to unauthorized access. In an ideal scenario, the activation of FileVault would be an integral step of the enrollment process, ensuring that from the moment a Mac is registered, its data is encrypted and protected.


The Solution: ForceEnableInSetupAssistant

Using the ForceEnableInSetupAssistant key in a configuration profile, you can force FileVault to be turned on during Setup Assistant. This ensures that the internal storage of managed Macs is always encrypted before it is used. Depending on your MDM policies, you can decide whether to show the FileVault recovery key to the user or to escrow the personal recovery key.

💡
For this feature to work, the user account that was created interactively during Setup Assistant must have the role of Administrator.

Also note that once ForceEnableInSetupAssistant is set, the system ignores every other key in the FileVault payload except ShowRecoveryKey. Deferral settings, OutputPath and similar keys in the same payload therefore have no effect.

To bridge this gap, I created the custom configuration profile below to ship this key to the Mac, where it takes effect during enrollment. When you build your own copy, generate fresh values for each PayloadUUID (a complete 8-4-4-4-12 UUID) and PayloadIdentifier.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>PayloadContent</key>
		<array>
			<dict>
				<key>DeferForceAtUserLoginMaxBypassAttempts</key>
				<integer>-1</integer>
				<key>Enable</key>
				<string>On</string>
				<key>ForceEnableInSetupAssistant</key>
				<true/>
				<key>PayloadDisplayName</key>
				<string>FileVault-SA</string>
				<key>PayloadIdentifier</key>
				<string>com.apple.MCX.FileVault2.ED155FB6</string>
				<key>PayloadType</key>
				<string>com.apple.MCX.FileVault2</string>
				<key>PayloadUUID</key>
				<string>E0BC271E-6339-4338-BB4D</string>
				<key>PayloadVersion</key>
				<integer>1</integer>
				<key>UserEntersMissingInfo</key>
				<false/>
			</dict>
		</array>
		<key>PayloadDescription</key>
		<string>Enable Filevault in Setup Assistant</string>
		<key>PayloadDisplayName</key>
		<string>filevault2</string>
		<key>PayloadIdentifier</key>
		<string>IRL.BB074437-36A8-4AE5-A82F-D9062972B3FD</string>
		<key>PayloadOrganization</key>
		<string>IRL</string>
		<key>PayloadScope</key>
		<string>System</string>
		<key>PayloadType</key>
		<string>Configuration</string>
		<key>PayloadUUID</key>
		<string>23524AC4-F0E0-4B0D-ADC1-D75AC20D34BF</string>
		<key>PayloadVersion</key>
		<integer>1</integer>
		<key>TargetDeviceType</key>
		<integer>5</integer>
	</dict>
</plist>
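To avoid hand-editing the plist, the following added example (not the post's own tooling) builds an equivalent profile with Python's standard plistlib, keeping only the two keys macOS honours once ForceEnableInSetupAssistant is set, and lints an existing profile for a non-System scope, malformed UUIDs and keys that will be silently ignored. The key set, organisation prefix "IRL" and display names are taken from the profile above; the lint constant PAGE_STYLE_PROFILE is a constructed, trimmed copy of that profile used as sample input.

```python
"""Build and lint a FileVault Setup Assistant profile (added example, not from the post)."""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.MCX.FileVault2"
# With ForceEnableInSetupAssistant set, macOS honours only these two FileVault keys;
# every other FileVault key in the payload is ignored.
HONORED_KEYS = {"ForceEnableInSetupAssistant", "ShowRecoveryKey"}
# Generic bookkeeping keys that any payload dictionary may carry.
COMMON_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion",
               "PayloadDisplayName", "PayloadDescription", "PayloadOrganization"}


def is_uuid(value) -> bool:
    """True if value is a well-formed 8-4-4-4-12 UUID string."""
    try:
        return str(uuid.UUID(str(value))).lower() == str(value).lower()
    except ValueError:
        return False


def build_profile(org: str, show_recovery_key: bool = False) -> dict:
    """Return the profile as a dict: one FileVault payload carrying only the honoured keys."""
    payload_uuid = str(uuid.uuid4()).upper()
    profile_uuid = str(uuid.uuid4()).upper()
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": f"{PAYLOAD_TYPE}.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "FileVault-SA",
        "ForceEnableInSetupAssistant": True,
        # False keeps the recovery key off the screen; retrieval then relies on escrow.
        "ShowRecoveryKey": show_recovery_key,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # device-level profile, deployed on the device channel
        "PayloadIdentifier": f"{org}.{profile_uuid}",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "filevault2",
        "PayloadDescription": "Enable FileVault in Setup Assistant",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise to the XML plist form that is uploaded as a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_mobileconfig(data: bytes) -> dict:
    """Parse a .mobileconfig back into a dict (raises on malformed XML)."""
    return plistlib.loads(data)


def check_profile(profile: dict) -> list:
    """Return findings for a FileVault Setup Assistant profile; an empty list means it looks right."""
    findings = []
    if profile.get("PayloadScope") != "System":
        findings.append("PayloadScope should be System: FileVault enforcement is a device setting")
    if not is_uuid(profile.get("PayloadUUID")):
        findings.append(f"profile PayloadUUID is not a full UUID: {profile.get('PayloadUUID')!r}")
    payloads = [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == PAYLOAD_TYPE]
    if not payloads:
        findings.append(f"no {PAYLOAD_TYPE} payload found")
        return findings
    for p in payloads:
        if p.get("ForceEnableInSetupAssistant") is not True:
            findings.append("ForceEnableInSetupAssistant is not true; FileVault will not be forced in Setup Assistant")
        if not is_uuid(p.get("PayloadUUID")):
            findings.append(f"payload PayloadUUID is not a full UUID: {p.get('PayloadUUID')!r}")
        ignored = sorted(set(p) - HONORED_KEYS - COMMON_KEYS)
        if ignored:
            findings.append("keys ignored once ForceEnableInSetupAssistant is set: " + ", ".join(ignored))
    return findings


# Constructed sample: a trimmed copy of the profile shown above, used as lint input.
PAGE_STYLE_PROFILE = {
    "PayloadType": "Configuration", "PayloadScope": "System",
    "PayloadUUID": "23524AC4-F0E0-4B0D-ADC1-D75AC20D34BF",
    "PayloadContent": [{
        "PayloadType": PAYLOAD_TYPE,
        "PayloadUUID": "E0BC271E-6339-4338-BB4D",  # truncated, as in the sample profile
        "ForceEnableInSetupAssistant": True,
        "Enable": "On",
        "DeferForceAtUserLoginMaxBypassAttempts": -1,
        "OutputPath": '"https://portal.manage.microsoft.com"',
        "UserEntersMissingInfo": False,
    }],
}

if __name__ == "__main__":
    for finding in check_profile(PAGE_STYLE_PROFILE):
        print("finding:", finding)
    fresh = build_profile("IRL")
    assert check_profile(fresh) == []
    with open("FileVault-SA.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(fresh))
```

Run it on a workstation; it writes FileVault-SA.mobileconfig for upload and prints the two findings for the sample profile (the truncated payload UUID and the four keys that are ignored). Pass `show_recovery_key=True` if you want the key displayed during Setup Assistant instead of relying on escrow.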

Configure The Profile in Intune

Follow the steps below to deploy this custom configuration profile to your Macs (Intune admin center > Devices > macOS > Configuration profiles > Create profile):

  • Profile type: select Templates > Custom
  • Basics: enter a name and description for the policy
  • Configuration profile name: enter a name for the profile
  • Deployment channel: select Device channel (the profile has PayloadScope System; it will not apply on the user channel)
  • Configuration profile file: browse to the .mobileconfig file
  • Assignments: assign the profile to the required device group

Because the key only acts while Setup Assistant is running, the profile has to reach the Mac during Automated Device Enrollment, so target a group that the enrolled devices already belong to at that point. It does nothing for a Mac that has already completed Setup Assistant.
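Once a Mac has come through enrollment, verify that the result is what the profile promised rather than a deferred enablement or an unfinished encryption. The added example below (not from the post) parses the output of `fdesetup status` and `fdesetup haspersonalrecoverykey` into a compliance verdict; on a Mac it runs the commands, elsewhere it falls back to constructed sample outputs in the shape those commands print.

```python
"""Post-enrollment FileVault check (added example, not from the post)."""
import re
import shutil
import subprocess

# Constructed sample outputs in the shape `fdesetup status` prints; used off-Mac.
SAMPLE_ON = "FileVault is On.\n"
SAMPLE_OFF_DEFERRED = ("FileVault is Off.\n"
                       "Deferred enablement appears to be active for user 'setupadmin'.\n")
SAMPLE_ENCRYPTING = "FileVault is On.\nEncryption in progress: Percent completed = 42.00\n"


def parse_status(text: str) -> dict:
    """Extract on/off state, deferral flag and encryption progress from fdesetup status output."""
    m = re.search(r"FileVault is (On|Off)\.", text)
    state = m.group(1) if m else None
    deferred = "Deferred enablement" in text
    m_pct = re.search(r"Percent completed = ([\d.]+)", text)
    if m_pct:
        percent = float(m_pct.group(1))
    else:
        percent = 100.0 if state == "On" else 0.0
    return {"state": state, "deferred": deferred, "percent": percent}


def assess(status_text: str, has_prk_text: str) -> dict:
    """Combine status and personal-recovery-key presence into a verdict with reasons."""
    status = parse_status(status_text)
    has_prk = has_prk_text.strip().lower() == "true"
    problems = []
    if status["state"] != "On":
        problems.append("FileVault is not on")
    if status["deferred"]:
        # Deferral means the user was allowed past Setup Assistant without encryption.
        problems.append("enablement is deferred, not forced")
    if status["state"] == "On" and status["percent"] < 100.0:
        problems.append(f"encryption still in progress ({status['percent']:.0f}%)")
    if not has_prk:
        # Without a personal recovery key there is nothing to escrow or show.
        problems.append("no personal recovery key present")
    return {"compliant": not problems, "problems": problems, **status}


def run(cmd: list) -> str:
    """Run a command and return its stdout (fdesetup status needs no root)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    if shutil.which("fdesetup"):
        status_out = run(["fdesetup", "status"])
        prk_out = run(["fdesetup", "haspersonalrecoverykey"])
    else:
        status_out, prk_out = SAMPLE_ENCRYPTING, "true"
    verdict = assess(status_out, prk_out)
    print("compliant" if verdict["compliant"] else "NOT compliant: " + "; ".join(verdict["problems"]))
```

A "deferred" verdict is the one to watch for: it means the Mac reached the desktop with FileVault still off, i.e. the profile did not arrive during Setup Assistant, which usually points at the assignment or channel rather than at the payload.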


The Result

With the profile in place, FileVault activation became a non-negotiable aspect of the Setup Assistant, effectively closing the initial security gap. Users proceeded through the familiar setup flow, witnessing FileVault seamlessly enabled in the background, without requiring any additional interaction.

By leveraging the optional "Disable FileVault recovery key creation" setting, the setup process remained user-friendly while maintaining robust security.

Stay tuned for more valuable insights on securing your Mac.