Apple @ Work is brought to you by Mosyle, the leader in modern mobile device management (MDM) and security for Apple enterprise and education customers. Over 22,000 organizations leverage Mosyle solutions to automate the management and security of millions of Apple devices daily. Request a FREE account today and discover how you can put your Apple fleet on auto-pilot at a price point that is hard to believe.
Apple’s design for enterprise security strategy has done a lot to quell the frustration with enterprise security. When Apple built the kextless security endpoint, it was saying that employee experience matters. One of the reasons people have always hated their work computers is because they were a pain to use. Truthfully, many Windows environments have so much “bloatware” added to protect the employee from installing things they shouldn’t and verifying compliance that the employees have trouble doing their job. Apple took a different approach with how it implemented security and how it built its MDM protocol. Over the next three weeks, I will take an in-depth look at three of them.
About Apple @ Work: Bradley Chambers has been managing an enterprise IT network since 2009. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, 100s of Macs, and 100s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, stories from the trenches of IT management, and ways Apple could improve its products for IT departments.
There are multiple innovations that Apple has implemented on macOS that have served enterprise customers well without compromising security or functionality. This week, I want to dive into three critical parts of Apple’s security strategy in the enterprise to see how some of their innovations have led to better acceptance from CISOs, CTOs, and CIOs. First, this week, I want to look into FileVault 2.
What is FileVault 2?
FileVault 2 has been a crucial part of enterprise customers, ensuring that data stored locally on computers cannot be accessed if the machine is lost. It uses XTS-AES–128 encryption with a 256-bit key to ensuring data cannot be accessed without authorization.
FileVault made its first appearance in OS X Lion and is still being used today. Personal users can enable it under the Security & Privacy tab in System Preferences. Still, it can also be enabled through a mobile device management vendor to be force-enabled for all machines in your fleet. The recovery key can be stored securely in your MDM as well.
When people running Windows think about full disk encryption, they probably believe it will slow down their computer. With macOS, you barely know it’s running. Initial encryption happened in the background and only when your Mac is plugged into AC power.
When encryption is finished, you’ll restart your Mac, and your Mac password will unlock your disk and allow your Mac to finish unlocking itself. FileVault 2 requires that you log in every time your Mac starts up, so no account can log in automatically.
Why should IT enable FileVault 2?
IT departments should enable FileVault 2 on all their computers because it will ensure that sensitive company data cannot be accessible even if physical access to a machine is gained. When verifying security for compliance reasons, FileVault 2 is a must-have.
There is almost no performance loss, but there is a lot gained in terms of security. End-users will likely never know they’re using FileVault 2.
What about T2 Macs?
All Macs with the T2 chip already have their hard drives encrypted even without FileVault 2. It’s still recommended that FileVault 2 gets enabled, so automatic log-in cannot be enabled. The only time you don’t want to use FileVault is for Macs in shared areas (school labs, etc.).
Wrap-up
Almost all MDM vendors now will integrate with FileVault 2 and make the integration of enabling and reporting back the recovery a turn-key process. Because it’s accomplishing a vital security task of encrypting all data on the disk when the machine is locked without noticeable performance impact for the user, it’s highly recommended for all enterprise IT departments.
As we continue with this series, you’ll notice a key aspect of Apple’s enterprise security strategy: implementation without performance impact.
Apple @ Work is brought to you by Mosyle, the leader in modern mobile device management (MDM) and security for Apple enterprise and education customers. Over 22,000 organizations leverage Mosyle solutions to automate the management and security of millions of Apple devices daily. Request a FREE account today and discover how you can put your Apple fleet on auto-pilot at a price point that is hard to believe.
FTC: We use income earning auto affiliate links. More.
