File Vault 2 Administration
This article outlines how to deploy FileVault 2 manually on an existing computer, how to use the administrator interface to validate correct setup, and how to retrieve a recovery token. FileVault is managed through the JAMF Casper client, so the Casper client must be installed before encrypting. Below are the requirements for Casper installation:
- Machine has Mac OS X 10.8 or above
- Machine has a standard Apple recovery partition
- Machine has JAMF Casper agent installed
- Machine is NOT already FileVault 2 encrypted
Casper/FV2 Deployment: Preferred Conditions
- Machine user account login should identify Northwestern user
- Machine computer name should identify Northwestern department
- Machine is bound to a Northwestern Windows Active Directory domain
- Machine has client backup software prior to encryption
- Machine is up to date with all Mac OS X updates
Installing the Casper Client
Note: Please check with your local IT group before starting the encryption process since they may have different methods for enabling and managing device encryption.
- Download and install the Casper client from here. You'll need the admin password for your machine.
- After installation, open the "Self Service" app from applications, or use spotlight to search for "Self Service".
- Log in with your NetID and password.
- From either the Featured or the Settings section select Encrypt Me from the "NU FileVault 2 Encryption" option. When prompted again, select Encrypt Me.
- When a pop up message appears, select OK then log out.
- To log out, click the Apple icon in the top left of the screen and select Log Out.
- After logging out, you will be prompted for your account password to begin FileVault encryption. Enter the password of the account you were logged in to and select OK.
Your computer will automatically reboot. You may see a BLACK SCREEN for 1-2 minutes after the FV2 process begins, but then it should present the normal user log-in screen.
- If you are stuck on a BLACK SCREEN for more than 5 minutes, force shutdown the machine. Then boot into SAFE MODE by holding the SHIFT key while pressing the power button. Then reboot normally.
- Upon login you can use your system while encryption is taking place.
System Changes after Setup
Note: The initial FileVault 2 encryption process may take several hours to complete and optimize.
- You can check status of FileVault 2 encryption process by going to System Preferences > Security & Privacy > FileVault
- The encryption policy settings enforce encryption on all internal system drives, but will not encrypt any removable storage (e.g. external hard drives, USB flash drives, etc.)
- After FileVault 2 is enabled, if a recovery key is required, contact the IT Support Center at email@example.com, or 847-491-4357 (1-HELP), or your local IT. Support staff can generate a recovery key upon request.
Casper Admin Portal
The Casper IT Admin Portal is where Departmental IT Support Staff can recover keys, audit key recovery, and review encryption status during the encryption process. To request access, please contact Northwestern IT at firstname.lastname@example.org.
DDCA for the requesting department/school will need to approve all requests. The URL for the portal is https://evcasper.ci.northwestern.edu:8443/
Check FileVault 2 Status of a Computer
- Go to the Casper Admin portal.
- Within the Search box, input the exact computer name or use wildcard (*) for partial name matches.
- Click on the computer name (link) to see detailed inventory information.
- Within the INVENTORY tab, click the Disk Encryption option to view the status of FV2 encryption on the machine.
- The status displayed will be from the last known check in to Casper by the machine.
- If the FileVault 2 option shows "Not Configured", then no FileVault 2 recovery keys have been saved in Casper.
A good FileVault 2 compliance report would show the following details within Casper:
- FileVault 2 Partition Encryption State = Enabled
- Individual Recovery Key Validation = Valid
- Institutional Recovery Key = Present
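The Casper report above is built from what the client last reported at check-in. The following script is an added example (not part of the original article and not JAMF's or Apple's code) that reads the same three facts directly from the machine with Apple's `fdesetup` tool: `fdesetup status` for the encryption state, and `fdesetup haspersonalrecoverykey` / `fdesetup hasinstitutionalrecoverykey` for whether each key type exists. Note that the local `has*recoverykey` queries only report presence; the "Individual Recovery Key Validation = Valid" field in Casper additionally checks that the escrowed key is correct, which locally corresponds to the interactive `fdesetup validaterecovery`. The sample status strings are constructed, and the assumption that the recovery-key queries may need `sudo` is mine.

```shell
#!/bin/sh
# Added example, not from the original article or from JAMF/Apple.
# Mirrors the three Casper compliance fields from the local machine:
#   FileVault 2 Partition Encryption State -> `fdesetup status`
#   Individual Recovery Key                -> `fdesetup haspersonalrecoverykey`
#   Institutional Recovery Key             -> `fdesetup hasinstitutionalrecoverykey`
# Parsing lives in functions that take text, so it can be exercised with the
# constructed sample outputs below; the real commands run only on macOS.

# Classify `fdesetup status` output. Progress lines are checked first because
# they appear together with "FileVault is On." while a conversion runs.
fv2_state() {
    case "$1" in
        *"Encryption in progress"*) echo "encrypting" ;;
        *"Decryption in progress"*) echo "decrypting" ;;
        *"FileVault is On."*)       echo "on" ;;
        *"FileVault is Off."*)      echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# Percent completed while a conversion is running (empty when not converting).
fv2_percent() {
    printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Compliant only when encryption is fully on and both `fdesetup has*recoverykey`
# answers (passed as "$2" and "$3") are the literal string "true".
fv2_compliant() {
    [ "$(fv2_state "$1")" = "on" ] && [ "$2" = "true" ] && [ "$3" = "true" ]
}

# Constructed sample outputs in the shape `fdesetup status` produces.
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
SAMPLE_ENCRYPTING="FileVault is On.
Encryption in progress: Percent completed = 37"

# Live check (macOS only). Assumption: the recovery-key queries may need sudo,
# so a failure is reported as "false" rather than aborting the script.
if [ "$(uname)" = "Darwin" ] && command -v fdesetup >/dev/null 2>&1; then
    status_text=$(fdesetup status)
    prk=$(fdesetup haspersonalrecoverykey 2>/dev/null || echo false)
    irk=$(fdesetup hasinstitutionalrecoverykey 2>/dev/null || echo false)
    state=$(fv2_state "$status_text")
    echo "FileVault 2 Partition Encryption State: $state"
    if [ "$state" = "encrypting" ]; then
        echo "Percent completed: $(fv2_percent "$status_text")"
    fi
    echo "Individual Recovery Key present: $prk"
    echo "Institutional Recovery Key present: $irk"
    if fv2_compliant "$status_text" "$prk" "$irk"; then
        echo "RESULT: compliant"
    else
        echo "RESULT: not compliant (compare with the Casper inventory record)"
    fi
fi
```

A machine that prints "compliant" here but shows "Not Configured" in the portal has encrypted locally without escrowing its key to Casper; that is the case the portal cannot recover, so it is worth checking the client's last check-in time.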
Retrieve Recovery Token for a Computer
If a FileVault 2 Recovery Token is required for a computer monitored by Casper, authorized people can generate the token from within the Web UI.
- Log-in to Casper Admin Portal - https://evcasper.ci.northwestern.edu:8443/
- Find the computer within Casper (using process above).
- Click on the Management tab.
- Click on FileVault 2 option, then click Get FileVault 2 Recovery Key button.
The 24-digit FileVault 2 Recovery Key should be displayed on screen; it can be used as a temporary password to log in to the machine.
- Note: If the FileVault 2 option shows "Not Configured", then no FileVault 2 recovery key has been escrowed into Casper.
Encrypting external media
This section outlines how to deal with non-boot volumes such as external hard drives and USB flash drives, which FileVault is not designed to encrypt automatically.
Any volume to be encrypted with FileVault must be formatted as OS X Extended (Journaled). Other format types, FAT for example, cannot be encrypted with FileVault.
In Finder, right-click (or control-click) on the volume you wish to encrypt. From the menu, choose Encrypt "volume". For example, in the screenshot below we are about to encrypt the “Data” volume on a USB flash drive.
- Enter a password and hint into the dialog box. It is imperative that you do NOT lose this password, as it will not be stored in Casper. Losing this password means you will not be able to unlock the drive AT ALL, and all data will be lost.
When done entering a password and hint, press Encrypt Disk.
- Encryption completion time can vary greatly. A small 8 GB flash drive with little to no data may take minutes. A 4 TB external hard drive full of data might take many hours.
When encryption is complete, the next time you plug your device into your Mac you will be prompted to enter the password you set in the previous step, as shown below. Press Unlock to access the contents.
- Note: You can check the box to "Remember this password in my keychain". This will store the password so that you don't have to enter it every time. Do this at your own discretion.
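The Finder steps above have a command-line equivalent, and the format requirement is the step people most often trip over. The script below is an added example (not from the original article, Apple or JAMF) that checks a volume's filesystem with `diskutil info` before encrypting it with `diskutil coreStorage convert`, and makes the operator acknowledge that the passphrase is not escrowed in Casper. The `diskutil info` sample outputs are constructed; the `-stdinpassphrase` option and the exact "File System Personality" names for the case-sensitive variant are assumptions from my reading of the `diskutil` manual page, so confirm them on your OS version before relying on them.

```shell
#!/bin/sh
# Added example, not from the original article or from Apple/JAMF.
# Checks that a non-boot volume is OS X Extended (Journaled) before converting
# it to an encrypted Core Storage volume. Parsing works on `diskutil info`
# text so it can be tested with constructed output; the conversion itself
# only runs on macOS after an explicit confirmation.

# Extract the "File System Personality" field from `diskutil info` output.
fs_personality() {
    printf '%s\n' "$1" | sed -n 's/^ *File System Personality: *//p' | head -n 1
}

# True only for OS X Extended (Journaled), which diskutil reports as
# "Journaled HFS+" (the case-sensitive spelling is an assumption).
is_fv_encryptable() {
    case "$(fs_personality "$1")" in
        "Journaled HFS+"|"Case-sensitive Journaled HFS+") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples in the shape of `diskutil info /Volumes/<name>` output.
SAMPLE_HFS="   Device Identifier:        disk2s2
   Volume Name:              Data
   Mounted:                  Yes
   File System Personality:  Journaled HFS+
   Type (Bundle):            hfs"
SAMPLE_FAT="   Device Identifier:        disk3s1
   Volume Name:              STICK
   Mounted:                  Yes
   File System Personality:  MS-DOS FAT32
   Type (Bundle):            msdos"

# Encrypt a mounted volume, e.g. encrypt_volume /Volumes/Data (macOS only).
encrypt_volume() {
    vol="$1"
    info=$(diskutil info "$vol") || return 1
    if ! is_fv_encryptable "$info"; then
        echo "$vol is '$(fs_personality "$info")'; reformat it as OS X Extended (Journaled) first." >&2
        return 1
    fi
    echo "This passphrase is NOT stored in Casper. If it is lost, the data on $vol is lost."
    printf 'Type ENCRYPT to continue: '
    read -r answer
    [ "$answer" = "ENCRYPT" ] || { echo "Aborted." >&2; return 1; }
    # Read the passphrase without echoing it, then hand it to diskutil on stdin
    # (assumption: -stdinpassphrase is accepted by `diskutil coreStorage convert`).
    stty -echo
    printf 'Passphrase: '
    read -r pass
    stty echo
    echo
    printf '%s' "$pass" | diskutil coreStorage convert "$vol" -stdinpassphrase
}

# Live use only on macOS and only when a volume path is given as an argument.
if [ "$(uname)" = "Darwin" ] && [ -n "$1" ]; then
    encrypt_volume "$1"
fi
```

Conversion runs in the background after this returns; `diskutil coreStorage list` shows the conversion and encryption status of the new logical volume while it completes, which is the command-line counterpart of waiting for the Finder operation to finish.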