If you are using macOS 10.9 or later, configure the disk encryption profile and push it to the device, whether or not the Workspace ONE Intelligent Hub is installed. Other Workspace ONE UEM enhancements for 10.9 and later include role-based access to recovery keys and the ability to audit who views recovery keys and when.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add.
  2. Select Apple macOS and then select Device Profile. This profile is only applicable to the entire device.
  3. Configure the profile's General settings.
  4. Select the Disk Encryption payload and configure the following settings.
    Native Device Management (FileVault 2 Encryption Settings)

    Recovery Key Type

    Select the type of recovery key required to decrypt the disk. The available options are Personal, Institutional, and Personal and Institutional.

    FileVault Enterprise Certificate

    This option appears only when you select the Institutional or Personal and Institutional recovery key type. Select the FileVaultMaster.cer for the disk encryption that was uploaded into the Credentials payload. For information about using certificates with the disk encryption profile, see the Institutional Recovery for macOS devices section.

    Display Personal Recovery Key

    Enable the option to display the personal recovery key to the user when the key is generated.

    Escrow Personal Recovery Key to UEM Server

    Enable the option to retain the recovery key on the UEM server so that it is always accessible on the Device Details page. For information about recovery keys, see the configuration profile reference guide in the Apple Developer portal.

    FileVault User

    Select the type of user to enable for FileVault. The available user types are:
    • Current or Next Login User - Enables FileVault for the user who is logged in when the profile is installed. If no user is logged in, the next local or mobile user account to log in is prompted to enable FileVault.
    • Specific User - Enables FileVault only for a specifically defined user.

    Username

    If Specific User is selected as the FileVault user type, enter the user name for the account.

    When to prompt user

    To prompt the user to enter the password to enable FileVault at different stages, select one of the following options:
    • Both Login and Logout
    • Logout Only
    • Login Only

    Bypass Login(s)

    Enter the number of times a user can bypass the FileVault prompt at login. The minimum is 0 and the maximum is 10.

    Require user to unlock FileVault after hibernation

    Enable the option to require a password to unlock FileVault after hibernation and to restore the FileVault state from when it was last saved.

    Intelligent Hub Device Management Settings

    Use Intelligent Hub for enforcement

    Enable or disable Intelligent Hub enforcement of disk encryption. If disabled, no Hub notifications are shown to the user; only the native device management settings that are defined are applied.

    Encryption disabled notification

    Enable the option to display a notification asking the user to log out, which allows the operating system to prompt the user for their password to start encryption.

    Notification title

    Enter the title for the encryption notification. The minimum length is 1 character and the maximum length is 29 characters. Allowed characters are:
    • a–z, A–Z
    • 0–9
    • Special characters - #,;:'"?.!@{}+_-

    Notification Message

    Enter the message for the encryption notification instructing the user to log out and log back in when prompted. The minimum length is 1 character. Keeping the message under 135 characters avoids truncating the notification in the Notification pane; keeping it to 63 characters or fewer also keeps the notification preview from being truncated. Allowed characters are:
    • a–z, A–Z
    • 0–9
    • Special characters - #,;:'"?.!@{}+_-

    Notification dismissal

    Enter the number of times the user can dismiss the logout notification. The minimum number of attempts is 0 and the maximum is 100.

    Dismissal interval

    Enter the time interval between dismissed notifications. The minimum interval is 1 hour and the maximum is 168 hours.

    Action after last dismissal

    Select the action that must take place after the last allowed notification dismissal.
    • Force Logout - After the last allowed dismissal, automatically notifies the user to save their work before the system logs them out.
    • Do Nothing - No action is taken.

    Prompt for password if encrypted

    Enable the option for the Hub to prompt users for their password so that it can rotate the recovery key and escrow it, if the device has already been encrypted.

    Notification title

    Enter the title for the notification requesting the password that allows the Hub to rotate the recovery key. The minimum length is 1 character and the maximum length is 29 characters. Allowed characters are:
    • a–z, A–Z
    • 0–9
    • Special characters - #,;:'"?.!@{}+_-

    Notification message

    Enter the message for the notification requesting the password that allows the Hub to rotate the recovery key. The minimum length is 1 character. Keeping the message under 135 characters avoids truncating the notification in the Notification pane; keeping it to 63 characters or fewer also keeps the notification preview from being truncated. Allowed characters are:
    • a–z, A–Z
    • 0–9
    • Special characters - #,;:'"?.!@{}+_-

    Dismissal interval

    Enter the time interval between dismissed notifications. The minimum interval is 1 hour and the maximum is 168 hours.

    Prompt title

    Enter the title for the password prompt to rotate the FileVault recovery key. The minimum length is 1 character and the maximum length is 50 characters. Allowed characters are:
    • a–z, A–Z
    • 0–9
    • Special characters - #,;:'"?.!@{}+_-

    Prompt message

    Enter the message for the password prompt to rotate the FileVault recovery key. The minimum length is 1 character and the maximum length is 50 characters. Allowed characters are:
    • a–z, A–Z
    • 0–9
    • Special characters - #,;:'"?.!@{}+_-

    Success title

    Enter the title for the notification shown when the recovery key validation is successful. The minimum length is 1 character and the maximum length is 50 characters. Allowed characters are:
    • a–z, A–Z
    • 0–9
    • Special characters - #,;:'"?.!@{}+_-

    Success Message

    Enter the message for the notification shown when the device is compliant with the organization's disk encryption policy after successful password entry. The minimum length is 1 character and the maximum length is 150 characters. Allowed characters are:
    • a–z, A–Z
    • 0–9
    • Special characters - #,;:'"?.!@{}+_-

    Error title

    Enter the title for the error notification shown when the recovery key rotation fails. The minimum length is 1 character and the maximum length is 50 characters. Allowed characters are:
    • a–z, A–Z
    • 0–9
    • Special characters - #,;:'"?.!@{}+_-

    Error Message

    Enter the error message instructing the user to contact the IT administrator when the recovery key rotation fails. The minimum length is 1 character and the maximum length is 150 characters. Allowed characters are:
    • a–z, A–Z
    • 0–9
    • Special characters - #,;:'"?.!@{}+_-

    Retries before error message

    Enter the maximum number of password retry attempts before an error notification is displayed asking the end user to contact the IT administrator. As an admin, you can view the corresponding error events in the HubEventLogs.log file and take the necessary troubleshooting steps.

    Once the error is fixed, run the following hubcli command to reset the Hub so that it prompts for the password again:

    sudo hubcli reset-recoverykey

  5. Select Save & Publish to push the profile to the devices.
    Note: If no CoreStorage logical volume groups are found, disk encryption fails with an error. On devices running 10.12.6 or lower that do not have FileVault 2 enabled, you can determine whether the disk can be encrypted by running the following command. If no CoreStorage volumes are found, the drive must be reformatted to use FileVault 2.

    diskutil cs list
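The Native Device Management rows of step 4 correspond to Apple's FileVault 2 and recovery key escrow profile payloads, which the Apple configuration profile reference mentioned above documents. As an added example (not Workspace ONE UEM or VMware code), the following Python script builds such a profile from those settings while enforcing the limits the page states (the three recovery key types, Bypass Login(s) between 0 and 10, a certificate for an institutional key). The mapping from each UEM setting name to an Apple payload key is my assumption, and the payload identifiers, certificate UUIDs and escrow text are constructed placeholders.

```python
# Added example, not Workspace ONE UEM code: UEM setting to Apple key mapping is assumed.
import plistlib
import uuid

RECOVERY_KEY_TYPES = ("Personal", "Institutional", "Personal and Institutional")

def build_filevault_profile(recovery_key_type, show_personal_key, escrow_to_uem,
                            bypass_logins, prompt_at_logout=True, username=None,
                            cert_payload_uuid=None,
                            escrow_cert_payload_uuid="PLACEHOLDER-ESCROW-CERT-UUID",
                            escrow_location="Recovery key is escrowed to the UEM server"):
    if recovery_key_type not in RECOVERY_KEY_TYPES:
        raise ValueError(f"unknown recovery key type: {recovery_key_type!r}")
    if not 0 <= bypass_logins <= 10:  # page limits for Bypass Login(s)
        raise ValueError("Bypass Login(s) must be between 0 and 10")
    institutional = "Institutional" in recovery_key_type
    if institutional and not cert_payload_uuid:
        raise ValueError("Institutional key needs the FileVaultMaster certificate payload UUID")
    filevault = {
        "PayloadType": "com.apple.MCX.FileVault2",
        "PayloadIdentifier": "example.filevault",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "Enable": "On",
        "Defer": True,  # enable at next login/logout instead of requiring a password now
        "UseRecoveryKey": "Personal" in recovery_key_type,  # generate a personal key
        "ShowRecoveryKey": show_personal_key,  # Display Personal Recovery Key
        "DeferForceAtUserLoginMaxBypassAttempts": bypass_logins,  # Bypass Login(s)
        "DeferDontAskAtUserLogout": not prompt_at_logout,  # "Login Only" prompting
    }
    if institutional:  # FileVault Enterprise Certificate setting
        filevault["PayloadCertificateUUID"] = cert_payload_uuid
    if username:  # Specific User setting
        filevault["Username"] = username
    payloads = [filevault]
    if escrow_to_uem:  # Escrow Personal Recovery Key to UEM Server setting
        payloads.append({
            "PayloadType": "com.apple.security.FDERecoveryKeyEscrow",
            "PayloadIdentifier": "example.filevault.escrow",  # constructed identifier
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadVersion": 1,
            "Location": escrow_location,  # text shown to the user about where the key is kept
            "EncryptCertPayloadUUID": escrow_cert_payload_uuid,  # cert that encrypts the key
        })
    return {"PayloadType": "Configuration", "PayloadIdentifier": "example.profile",
            "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1,
            "PayloadContent": payloads}

def to_mobileconfig(profile):
    """Serialize the profile dict to .mobileconfig (XML plist) bytes."""
    return plistlib.dumps(profile)
```

The generated plist is unsigned; in practice the UEM console signs and delivers the profile, so this is useful for reviewing which keys a given set of settings implies.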