View Escrowed Personal Recovery Key on the UEM Console Once FileVault is enabled on the device, the Personal Recovery Key will be reported to a Workspace ONE UEM server or another designated server. Personal recovery encryption is useful if the user wants the benefit of viewing and keeping a Personal Recovery Key from decrypt.Ĭhoose Personal as the recovery type and configure the recovery key settings as needed. After a reboot, the device will begin the encryption process in the background and the user can continue their daily tasks normally without fear of interruption.Įnable Personal Recovery Encryption for a macOS Device If configured, users may also be shown the recovery key to give them the option of saving it for later use. Once this profile is deployed to the device, the user will see a prompt from the Workspace ONE Intelligent Hub taking them through the process of encrypting the disk. This means that the compromise of one key on one device does not compromise the security of other devices. Also, Personal keys are beneficial because they are unique to each device. Use Personal keys rather than Enterprise keys because Workspace ONE UEM can audit access to these keys, since they are escrowed in the UEM console. Additionally, that key can be reported to the UEM console to allow administrators to use the key to decrypt the device if necessary. Once FileVault is enabled on the device, the Institutional Recovery Key will be reported to the server.Įnabling Personal as the recovery type will allow the user of the device to use a recovery key to decrypt their device. For more information, see the Configure a FileVault Institutional Recovery keysection. Configure a FileVault Master Keychain.Choose Institutional as the recovery type and configure the recovery key settings as needed.Generally, Institutional recovery is reserved for Corporate Owned, Line-of-Business devices where the user does not have the ability to decrypt the device if they forget the login password. Institutional recovery is beneficial because the network administrator can decrypt any device using a single Institutional Recovery Key, saving time by not needing to enter a unique Personal Recovery Key for each computer. Once FileVault is enabled on the device, the Personal Recovery Key will be reported to the server. Upload the FileVaultMaster.cer to the Disk Encryption profile to encrypt the assigned computers with your Institutional Recovery Key For more information, see the Configure a FileVault Institutional Recovery key section.
Choose Personal & Institutional as the recovery type and configure the recovery key settings as needed.
Once the decision is made to encrypt your managed devices, you have options that allow you to choose the best recovery model for your deployment. With FileVault2, Workspace ONE UEM builds on native capabilities to encrypt the drive and provides functionality within the Workspace ONE Intelligent Hubto force the user to complete the encryption process. Enforce an encryption policy on macOS computers to protect data on the hard drive and escrowing recovery keys stored in Workspace ONE UEM so the keys can be recovered at later time.
0 kommentar(er)
