Zehadi Alam
FileVault is a full-disk encryption technology developed by Apple to protect data on Mac computers. The following section demonstrates the process of configuring and deploying a FileVault policy within the Intune environment.
Navigate to Endpoint Security > Disk encryption
Select Create Policy

Select macOS for Platform and FileVault for Profile. Click Create at the bottom.

The following is an example of a FileVault configuration. Customize the specific settings to best suit your unique environment and requirements.
Note: The Number of times allowed to bypass setting must be set to a numerical value, otherwise the profile may fail to apply. The minimum value is recommended.

Once the configurations have been established, proceed through the remaining steps and assign the policy to the appropriate device groups. Carefully review the policy settings before finalizing its creation.
After the policy has been successfully applied to the targeted devices, the user will be prompted to enable FileVault on their next sign-in.

The FileVault profile may indicate an error until the user has enabled FileVault. This does not indicate an issue with the FileVault profile configuration itself. Once the user enables FileVault encryption on their next sign-in, the assignment status for that device will indicate success instead of error.

To retrieve the FileVault recovery key of a Mac device, navigate to Devices > macOS. Select a device and navigate to the Recovery keys blade. Select Show Recovery Key to securely retrieve the FileVault recovery key.

In the event of a compromised recovery key, it is possible to manually rotate the recovery key by initiating a remote action on a device.

The encryption status of devices can be monitored in the device dashboard. To achieve this, navigate to Devices > macOS. Under columns, select Encrypted.

This will display a dashboard column that will indicate the encryption status of the Mac devices enrolled in Intune.
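
To cross-check the dashboard column on the device itself, the following added example (not from the original article) classifies the output of the macOS `fdesetup status` command, including the pending state in which the profile reports an error. The state labels, the function names and the sample user `jdoe` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): classify `fdesetup status` output.
# State labels are names chosen for this example; the matched phrases are the
# wording fdesetup is assumed to print, so adjust them if your macOS release differs.

classify_filevault() {
    # $1 = full text printed by `fdesetup status`
    case "$1" in
        *"Decryption in progress"*)                   echo "decrypting" ;;
        *"Encryption in progress"*)                   echo "encrypting" ;;
        *"Deferred enablement appears to be active"*) echo "pending-user" ;;
        *"FileVault is On"*)                          echo "encrypted" ;;
        *"FileVault is Off"*)                         echo "unencrypted" ;;
        *)                                            echo "unknown" ;;
    esac
}

expected_intune_view() {
    # $1 = state from classify_filevault; maps it to what the article says to expect
    case "$1" in
        encrypted|encrypting) echo "profile should report success" ;;
        pending-user)         echo "profile may show error until the user enables FileVault at sign-in" ;;
        *)                    echo "investigate: FileVault is not confirmed on" ;;
    esac
}

if command -v fdesetup >/dev/null 2>&1; then
    status_text=$(fdesetup status 2>&1) || true
else
    # Constructed sample for machines without fdesetup:
    # policy applied, user has not yet signed in and enabled FileVault.
    status_text="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."
fi

state=$(classify_filevault "$status_text")
echo "FileVault: $state -> $(expected_intune_view "$state")"
```
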

If a FileVault policy is configured to be applied to the devices under an IT unit's scope, it is also recommended to create a separate configuration profile that prevents the user from disabling FileVault.

To achieve this, navigate to Devices > macOS > Configuration profiles
Select Create profile

Select Settings catalog for Profile type. Click Create at the bottom.

Click on Add settings

Type in FileVault in the search field under the settings picker and click Search. Choose FileVault > FileVault Options

Select the Prevent FileVault From Being Disabled option

Toggle the setting to the True option

Proceed through the remaining steps and assign the policy to the appropriate device groups. After the policy has been successfully applied to the targeted devices, the option to disable FileVault will be grayed out on the client device.