Home > FileVault 2, Mac administration > Credant Enterprise Edition for Mac adds FileVault 2 support

Credant Enterprise Edition for Mac adds FileVault 2 support

Credant has added support for managing FileVault 2-encrypted Macs to Credant Enterprise Edition for Mac 7.5.x. Based on my working with it over the past couple of weeks, it looks like a solid solution for managing FileVault 2 encryption on both 10.7.x and 10.8.x. For more details, see below the jump.

Enterprise console

On the enterprise console’s end, you will need to set the Shield for Mac security policy so that the Encrypt Using FileVault for Mac setting is set to True. The Volumes Targeted for Encryption setting should also be set to System Volume Only. (Both settings are outlined below in red).

Screen Shot 2012-11-29 at 11.01.56 AM

Once both changes have been made, commit the policy so that it applies. In my case, I set this on the Default Security Settings, since all the Mac clients I was testing would be encrypted with FileVault 2.

Client encryption

On both 10.7.x and 10.8.x, Credant leverages Apple’s native tools for enabling FileVault 2, which can affect how the encryption is enabled.

On 10.7.x, Credant leverages Universal Access‘ access for assistive devices to open System Preferences and walk the user through enabling FileVault 2 though the FileVault preference pane. This means that the user account that is logged in will need to have admin rights, as the FileVault preference pane requires an admin account’s password to unlock.

On 10.8.x, Credant is using fdesetup to enable FileVault 2. That removes the need for the logged-in user to have admin rights, as the Credant client software can launch fdesetup with root privileges. All the logged-in user will need to provide when prompted is their account’s password.

To show how the process works, I’ve made a video showing the client installation on 10.8.2, registration with the Credant enterprise server using an Active Directory login, and subsequent encryption.

Note: The video has been edited to artificially reduce the amount of time needed for the process and to also remove an installer screen showing the addresses of the Credant server and AD domain.

Run time of the pre-edited video was 12 minutes, 5 seconds.

FileVault 2 Recovery

On both 10.7 and 10.8, Credant’s recovery key solution utilizes the institutional recovery key. Based on my testing, it appears that Credant is generating a FileVaultMaster keychain for each individual machine, rather than setting up one key and sharing it across multiple machines.

From what I’m seeing, it appears that the Credant software does the following to the client Macs:

1. Builds a FileVaultMaster.keychain institutional recovery key for each machine and stores it on the server.

2. Puts a copy of the FileVaultMaster.keychain file with only the public key in the client Mac’s /Library/Keychains directory

3. Initializes encryption on the Mac

4. Restarts the Mac

5. Deletes the FileVaultMaster.keychain file from the Mac’s /Library/Keychains directory

When you need to do recovery on the machine, you would login to the Credant console and access the endpoint listing for the FileVault 2-encrypted Mac. In the endpoint listing, there is a Device Recovery Keys link (outlined below in red).

Screen Shot 2012-12-14 at 3.24.15 PM  

When you click the Device Recovery Keys link, it will download a .csv file from the Credant console.

Screen Shot 2012-12-14 at 4.11.12 PM

To do the recovery, you would run the .csv file through the CREDANT Recovery Utility application (provided with the Credant install media.)

Screen Shot 2012-12-14 at 4.10.53 PM

The CREDANT Recovery Utility will then use the information in the .csv file to pull down a couple of scripts, the correct recovery keychain and text files containing the UUID of the encrypted drive and the password for the recovery keychain. These should be stored on an external USB drive.

Screen Shot 2012-12-14 at 4.11.19 PM Screen Shot 2012-12-14 at 4.11.35 PM Screen Shot 2012-12-14 at 4.12.07 PM Screen Shot 2012-12-14 at 4.12.18 PM

At that point, you would boot to the Mac’s Recovery HD partition with the USB drive connected to the Mac and run the applicable script (one script is for unlocking the encrypted volume and the other script is for decrypting the encrypted volume.)

The chosen script will run the appropriate action, using the unlock / decrypt procedure that I’ve described in my earlier post on unlocking / decrypting a FileVault 2 encrypted Mac from the command line.

  1. December 17, 2012 at 2:23 am

    This is going to be a huge benefit to our clients who have Credant infrastructure.

  2. John Altonen
    December 20, 2012 at 2:26 pm

    Is there any enforcement ? Can an admin user decrypt their own drive ?

    • December 20, 2012 at 2:33 pm

      FileVault 2-enabled user accounts have rights to both unlock and decrypt the drive. Credant has functionality to detect on reboot if the drive is not encrypted and will then re-run the encryption initialization process.

      • b0b Sandkam
        May 9, 2013 at 7:22 pm

        We are testing with Credant.
        The install has gone smoothly, just as your article describes.
        However, when we manually turned off FileVault and restarted the computer, it did not enforce encryption (re-run the encryption initialization process).
        Any thoughts?

  3. Robert B Sandkam
    January 28, 2013 at 4:28 pm

    What are the requirements (if any) on the server side, in order to use Credant Enterprise Edition for Mac 7.5.x?

    • January 28, 2013 at 4:35 pm

      You’ll need to have Credant Enterprise Server 7.5 or later and have the appropriate licenses for Mac clients registered. You may want to check with Credant’s support folks for the details: http://www.credant.com/support.html

      • Robert B Sandkam
        January 29, 2013 at 8:10 pm

        Using Bitlocker with Credant on the Windows platform requires additional licensing fees. Are there any additional licensing costs to use the FileVault method of encryption?

      • January 29, 2013 at 8:35 pm

        I’ll have to refer you back to Credant on that one. They provided me with evaluation licenses.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: