Credant Enterprise Edition for Mac adds FileVault 2 support
Credant has added support for managing FileVault 2-encrypted Macs to Credant Enterprise Edition for Mac 7.5.x. Based on my work with it over the past couple of weeks, it looks like a solid solution for managing FileVault 2 encryption on both 10.7.x and 10.8.x. For more details, see below the jump.
On the enterprise console’s end, you will need to set the Shield for Mac security policy so that the Encrypt Using FileVault for Mac setting is set to True. The Volumes Targeted for Encryption setting should also be set to System Volume Only. (Both settings are outlined below in red).
Once both changes have been made, commit the policy so that it applies. In my case, I set this on the Default Security Settings, since all the Mac clients I was testing would be encrypted with FileVault 2.
On both 10.7.x and 10.8.x, Credant leverages Apple’s native tools for enabling FileVault 2, which can affect how the encryption is enabled.
On 10.7.x, Credant leverages Universal Access' access for assistive devices to open System Preferences and walk the user through enabling FileVault 2 through the FileVault preference pane. This means that the user account that is logged in will need to have admin rights, as the FileVault preference pane requires an admin account's password to unlock.
On 10.8.x, Credant is using fdesetup to enable FileVault 2. That removes the need for the logged-in user to have admin rights, as the Credant client software can launch fdesetup with root privileges. All the logged-in user will need to provide when prompted is their account’s password.
To show how the process works, I’ve made a video showing the client installation on 10.8.2, registration with the Credant enterprise server using an Active Directory login, and subsequent encryption.
Note: The video has been edited to artificially reduce the amount of time needed for the process and to also remove an installer screen showing the addresses of the Credant server and AD domain.
Run time of the pre-edited video was 12 minutes, 5 seconds.
FileVault 2 Recovery
On both 10.7 and 10.8, Credant’s recovery key solution utilizes the institutional recovery key. Based on my testing, it appears that Credant is generating a FileVaultMaster keychain for each individual machine, rather than setting up one key and sharing it across multiple machines.
From what I’m seeing, it appears that the Credant software does the following to the client Macs:
1. Builds a FileVaultMaster.keychain institutional recovery key for each machine and stores it on the server.
2. Puts a copy of the FileVaultMaster.keychain file with only the public key in the client Mac's /Library/Keychains directory.
3. Initializes encryption on the Mac.
4. Restarts the Mac.
5. Deletes the FileVaultMaster.keychain file from the Mac's /Library/Keychains directory.
When you need to do recovery on the machine, you would log in to the Credant console and access the endpoint listing for the FileVault 2-encrypted Mac. In the endpoint listing, there is a Device Recovery Keys link (outlined below in red).
When you click the Device Recovery Keys link, it will download a .csv file from the Credant console.
To do the recovery, you would run the .csv file through the CREDANT Recovery Utility application (provided with the Credant install media).
The CREDANT Recovery Utility will then use the information in the .csv file to pull down a couple of scripts, the correct recovery keychain, and text files containing the UUID of the encrypted drive and the password for the recovery keychain. These should be stored on an external USB drive.
At that point, you would boot to the Mac's Recovery HD partition with the USB drive connected to the Mac and run the applicable script (one script is for unlocking the encrypted volume and the other script is for decrypting the encrypted volume).
The chosen script will run the appropriate action, using the unlock / decrypt procedure that I’ve described in my earlier post on unlocking / decrypting a FileVault 2 encrypted Mac from the command line.
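To make the recovery step concrete, here is an added example of what such an unlock / decrypt script could look like; it is not Credant's script, and the file names uuid.txt and keychain-password.txt on the USB drive are my assumptions about how the utility's output might be laid out. It assumes the institutional FileVaultMaster.keychain (with the private key) sits on the USB drive and uses the same security / diskutil cs commands as the command-line procedure referred to above.

```shell
#!/bin/sh
# Added example, not Credant's recovery script. Runs from the Recovery HD's
# Terminal with the USB drive mounted, e.g.: sh fv2-recover.sh unlock /Volumes/USB
# Assumed layout of the USB drive (an assumption, not the utility's real names):
#   FileVaultMaster.keychain   institutional recovery keychain with private key
#   uuid.txt                   Core Storage logical volume UUID of the encrypted disk
#   keychain-password.txt      password that unlocks the recovery keychain

# A Core Storage logical volume UUID looks like 8-4-4-4-12 upper-case hex,
# as printed by "diskutil cs list". Returns 0 when the value has that shape.
fv2_valid_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$'
}

# Map the requested action to the diskutil cs verb; fails on anything else.
fv2_verb() {
    case "$1" in
        unlock)  echo unlockVolume ;;
        decrypt) echo decryptVolume ;;
        *)       echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# Print (without running) the diskutil command for review. This is also what
# lets the logic be checked on a machine that has no diskutil at all.
fv2_build_cmd() {
    verb=$(fv2_verb "$1") || return 1
    fv2_valid_uuid "$2" || { echo "bad UUID: $2" >&2; return 1; }
    printf 'diskutil cs %s %s -recoveryKeychain %s\n' "$verb" "$2" "$3"
}

# Full recovery: read the UUID and keychain password from the USB drive,
# unlock the keychain so its private key is usable, then unlock or decrypt.
fv2_recover() {
    usb="$2"; keychain="$usb/FileVaultMaster.keychain"
    uuid=$(tr -d '[:space:]' < "$usb/uuid.txt")
    kcpass=$(tr -d '\r\n' < "$usb/keychain-password.txt")
    cmd=$(fv2_build_cmd "$1" "$uuid" "$keychain") || return 1
    echo "about to run: $cmd"
    # security(1) accepts the keychain password via -p; the keychain then
    # provides the private key diskutil needs to unwrap the volume key.
    security unlock-keychain -p "$kcpass" "$keychain" || return 1
    diskutil cs "$(fv2_verb "$1")" "$uuid" -recoveryKeychain "$keychain"
}

# Only act when called with <action> <usb-mount>; sourcing the file does nothing.
if [ $# -eq 2 ]; then
    fv2_recover "$1" "$2"
fi
```

Because the USB drive carries both the private recovery key and the password that unlocks it, it should be treated as sensitive material and wiped once the recovery is finished.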