Where is filevault on mac




















In macOS 11, the Bootstrap Token can grant a secure token to any user logging in to a Mac computer, including local user accounts. Using the Bootstrap Token feature of macOS In macOS A bootstrap token can also be generated and escrowed to MDM using the profiles command-line tool, if needed.

You can then turn it on again to generate a new key and disable all older keys. Decryption occurs in the background as you use your Mac, and only while your Mac is awake and plugged in to AC power.

Not all languages and regions are serviced by AppleCare or iCloud, and not all AppleCare-serviced regions offer support in every language. If you set up your Mac for a language that AppleCare doesn't support, then turn on FileVault and store your key with Apple (OS X Mavericks only), your security questions and answers could be in a language that AppleCare doesn't support.

Click the FileVault tab. Click , then enter an administrator name and password. Click Turn On FileVault. Choose how you want to be able to unlock your disk and reset your password, in case you ever forget your password: If you're using OS X Yosemite or later, you can choose to use your iCloud account to unlock your disk and reset your password.

Choose answers that you're sure to remember. Keep the letters and numbers of the key somewhere safe, other than on your encrypted startup disk.

Reset your password or change your FileVault recovery key

If you forget your account password or it doesn't work, you might be able to reset your password.

Following are the FileVault permissions, which are part of the Remote tasks category, and the built-in RBAC roles that grant the permission:

Sign in to the Microsoft Endpoint Manager admin center. On the Create a profile page, set the following options, and then click Create:

Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform.

Description: Enter a description for the policy. This setting is optional, but recommended.

On the Configuration settings page, select FileVault to expand the available settings:

For Escrow location description of personal recovery key, add a message to help guide users on how to retrieve the recovery key for their device. This information can be useful for your users when you use the setting for Personal recovery key rotation, which can automatically generate a new recovery key for a device periodically.

For example: To retrieve a lost or recently rotated recovery key, sign in to the Intune Company Portal website from any device. In the portal, go to Devices and select the device that has FileVault enabled, and then select Get recovery key. The current recovery key is displayed.

Configure the remaining FileVault settings to meet your business needs, and then select Next. On the Scope Tags page, choose Select scope tags to open the Select tags pane to assign scope tags to the profile.

On the Assignments page, select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles. Select Next. The new profile is displayed in the list when you select the policy type for the profile you created. On the Basics page, enter the following properties, and then choose Next.

Consider adding a message to help guide users on how to retrieve the recovery key for their device. To view information about devices that receive FileVault policy, see Monitor disk encryption. Upon encryption, the device displays the personal key a single time to the device user. For managed devices, Intune can escrow a copy of the personal recovery key. Escrow of keys enables Intune administrators to rotate keys to help protect devices, and users to recover a lost or rotated personal recovery key.

Intune escrows a recovery key when Intune policy encrypts a device, or after a user uploads their recovery key for a device that they manually encrypted.

There are two methods you can use that enable Intune to take over management of FileVault in this scenario. Both methods require that the device has active policy from Intune that manages FileVault encryption. To deliver this policy, you can use an endpoint security disk encryption profile, or a device configuration endpoint protection profile to encrypt devices with FileVault.

To enable Intune to manage FileVault on a previously encrypted device, the user who encrypted the device can use the Company Portal website to upload their personal recovery key for the device to Intune. Upload of the key enables Intune to assume management of the encryption.

Upon upload, Intune rotates the key to create a new personal recovery key. Intune stores the new key for future recovery needs and makes it available to the device user. Before Intune can assume management of encryption of a user-encrypted device, that device must receive an Intune FileVault policy for disk encryption.


