Dell Encryption Enterprise for Mac Administrator Guide v10.9 March 2021 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2012-2021 Dell Inc. All rights reserved.
Contents
Chapter 1: Introduction
  Overview
  FileVault Encryption
Chapter 7: Glossary
1 Introduction
The Encryption Enterprise for Mac Administrator Guide provides the information needed to deploy and install the client software.
Topics:
• Overview
• FileVault Encryption
• Contact Dell ProSupport

Overview
Encryption Enterprise for Mac can manage FileVault full disk encryption.
2 Requirements
Client hardware and software requirements are provided in this chapter. Ensure that the deployment environment meets the requirements before continuing with deployment tasks.
Topics:
• Encryption Client Hardware
• Encryption Client Software

Encryption Client Hardware
Minimum hardware requirements must meet the minimum specifications of the operating system.
● HFS Plus (MacOS Extended) formatted media with Master Boot Record (MBR) or GUID Partition Table (GPT) partition schemes. See Enable HFS Plus.
NOTE: External media must have 55 MB available, plus open space on the media that is equal to the largest file to be encrypted, to host Encryption External Media.

Windows Operating Systems (32- and 64-bit) Supported to Access Encrypted Media
● Microsoft Windows 7 SP1
  - Enterprise
  - Professional
  - Ultimate
● Microsoft Windows 8.1
  - Windows 8.
3 Tasks for the Encryption Client
Topics:
• Install/Upgrade Encryption Enterprise for Mac
• Activate Encryption Enterprise for Mac
• Collect Log Files for Encryption Enterprise
• View Encryption Policy and Status
• System Volumes
• Recovery
• Removable Media
• Uninstall Encryption Enterprise for Mac
• Uninstall Encryption External Media

Install/Upgrade Encryption Enterprise for Mac
This section guides you through the Encryption Enterprise for Mac installation/upgrade and activation process.
● If your deployment uses a non-default configuration, ensure that you know the port number for the Security Server. It is needed for client software installation and activation.
● Ensure that the target computer has network connectivity to the Security Server and Policy Proxy.
● Ensure that you have a domain user account in the Active Directory installation configured for use with the Dell Server. The domain user account is used for client software activation.
For kext consent, one or both of these dialogs display:
System Extension Blocked
System Extension Blocked
a. Click OK.
b. Click OK.
c. To approve these extensions, select System Preferences > Security & Privacy.
d. Click Allow next to System software from developer Credant Technologies (Dell, Inc, formerly Credant Technologies).
e. Click OK.
Complete these steps if the system extension for mounting FDEEM volumes could not be loaded.
a. Click Open System Preferences.
b. Click OK.
NoAuthenticateUsers
[In this sample code, users from a specific domain name can log in without being prompted to activate against the Dell Server.]
dsAttrTypeStandard:AuthenticationAuthority
;Kerberosv5;;*@domainName.com;domainName.com*

NoAuthenticateUsers
[In this sample code, specific users can log in without being prompted to authenticate against the Dell Server.
ignore
[For handling Mac OS Extended media. Possible values are ignore, provisioningRejected, or unshieldable.
ignore - the media is usable (default).
provisioningRejected - retains the value in the Dell Server policy, EMS Access to unShielded Media.
unshieldable - if the EMS Access to unShielded Media policy is set to Block, the media is ejected. If the EMS Access to unShielded Media policy is not set to Block, the media is usable as with provisioningRejected.
The key and value are case sensitive.
Activate Encryption Enterprise for Mac The activation process associates network user accounts in the Dell Server to the Mac computer and retrieves each account's security policies, sends inventory and status updates, enables recovery workflows, and provides comprehensive compliance reporting. The client software performs the activation process for each user account it finds on the computer as each user logs in to their user account.
DellLogs.zip contains the logs for Mac Encryption Enterprise. For information about how to collect the logs, see http://www.dell.com/support/article/us/en/19/SLN303924.

View Encryption Policy and Status
You can view the encryption policy and status on the local computer or in the Management Console.

View Policy and Status on the Local Computer
To view encryption policy and encryption status on the local computer, follow the steps below.
1. Launch System Preferences and click Dell Encryption Enterprise.
When enabled, FileVault is used to encrypt the System Volume, including Fusion Drives, based on the Volumes Targeted for Encryption policy setting.
Policy: Mac Encryption > Mac Global Settings > Volumes Targeted for Encryption
Values: System Volume Only or All Fixed Volumes
System Volume Only secures only the currently running system volume. All Fixed Volumes secures all Mac OS Extended Volumes on all fixed disks, along with the currently running system volume.
Color    Description
Green    Encrypted portion
Red      Not encrypted portion
Yellow   Portion being re-encrypted, for example, by a change in encryption algorithms. The data is still secure; it is just transitioning to a different type of encryption.

The System Volumes tab displays all volumes attached to the computer residing on GUID Partition Table (GPT) formatted disks. The following table lists examples of volume configurations for internal drives.
Badge                    Status
Saturated volume icon    Indicates a mounted device.
No-write badge           Indicates that the media is read-only. Encryption is enabled, but the media is not provisioned and Encryption External Media Access to unencrypted Media is set to Read Only.
Dell badge               Media encrypted by Encryption External Media.

View Policy and Status in the Management Console
To view encryption policy and encryption status in the Management Console, follow the steps below.
Use this process to enable encryption on a client computer if encryption was not enabled prior to activation. This process enables encryption only for a single computer. You can choose to enable encryption for all Mac computers at the Enterprise level if desired. For additional instructions about enabling encryption at the Enterprise level, see AdminHelp.
1. As a Dell administrator, log in to the Management Console.
2. In the left pane, click Populations > Endpoints.
NOTE: If you allow this dialog to time out, you must reboot or log in for the password dialog to display again.
4. Click OK.
5. Be sure that each user has a secure token. See https://www.dell.com/support/article/us/en/19/sln309192/mobile-users-unable-to-activate-dell-encryption-enterprise-for-mac-on-macos-high-sierra?lang=en.
If the account the user was logged into is a non-mobile network account, a dialog displays.
NOTE: For this example, trailing asterisks represent the latter part of the authentication authority records. Typically, to avoid under-specifying, include the complete record instead of a trailing asterisk, because the asterisk matches any information after the colon in the OpenDirectory record.
● The NFSHomeDirectory key requires that any user passing the first key must also have a home directory in /Users/.
NOTE: You must create the home folder if one does not exist for a user.
3. Reboot the computers.
3. (FileVault-encrypted non-boot volumes only) To allow Dell Encryption to assume management of the volume, enter the passphrase to access the volume. This is the password that was assigned to the volume when it was originally FileVault-encrypted. Once Dell manages the volume's encryption, the old password is no longer valid. Your Dell administrator can retrieve a recovery key for your volume in the event that you need recovery assistance.
1. Launch System Preferences and click Dell Encryption Enterprise.
2. Select the Removable Media tab.
3. Right-click a drive row, and simultaneously press the command key. A hidden menu item displays.
4. Click Copy allowlist rule for the current removable media. The allowlist rule is copied to the Clipboard.
5. Access the Clipboard, copy the allowlist rule, and send it to your administrator.
If the Mac Media Encryption policy is toggled On, data is encrypted, including Thunderbolt drives.
This section guides you through the process of using FileVault Recovery when FileVault encryption is on the endpoint to be recovered. FileVault can be used with Encryption Enterprise for Mac v8.11 or later running on macOS Sierra 10.12.6. FileVault recovery is also used on Fusion Drives.

FileVault Recovery
Recovery of a managed FileVault-encrypted volume is dictated by Apple and is automated where possible, but requires a few more steps.
Process - Launch the Dell Recovery Utility and recover the FileVault volume
1. In the Utilities folder located in the Dell installation media, launch the Dell Recovery Utility. The Dell Recovery Utility > Select Volumes dialog displays.
NOTE: The Recovery Utility must be the same or newer version than the version of client software installed on the computer targeted for recovery.
2. In the Dell Recovery Utility > Select Volumes, select the FileVault volume.
3. Run the command in Terminal.

Recovery Keychain
You must run the Dell Recovery Utility while it is booted to a non-encrypted recovery volume.
Prerequisites
● An external recovery volume or computer that will be running the recovery utility
● A USB drive
● A Firewire cable
● The Dell installation media

Management Console - Save the recovery bundle
1. Open the Management Console.
2. In the left pane, click Populations > Endpoints.
3. Search for the device to recover.
Ensure that all users have read/write access to the USB or other disk you use to store the recovery key and that the disk has adequate space. If you do not have rights to a selected disk or if the disk is out of space, an error displays indicating that the recovery keys have not been stored.
11. Select a location and click Save. The Recovery Operation Result dialog displays, indicating the files have been created.
12. Click Close.
● Versioning - Existing versioning data is removed from the disk.
● Hard links - During an encryption sweep of the removable media, the file is not encrypted. A dialog recommends ejecting the media.
● Media containing Time Machine backups:
  ○ Media recognizably used by the computer as a Time Machine backup destination is automatically allowlisted to allow backups to continue.
  ○ All other removable media with Time Machine backups is handled according to the policies governing unprovisioned media and unprotected media.
If Deny is selected, the uninstallation and decryption are unable to continue.
b. Enter the administrator password.
2. After the disk is fully decrypted, restart the computer (when prompted).
3. After the computer restarts, launch the Uninstall Dell Encryption Enterprise application (located in the Utilities folder in the Dell-Encryption-Enterprise-.dmg in the Dell installation media). Messages display the status of the uninstallation.
4 Activation as Administrator
The Client Tool offers the administrator new methods for activating the client software on a Mac computer and examining the client software. Two methods of activation are available:
● Activation using administrator credentials
● Temporary activation that emulates the user without leaving footprints on that computer.
Both methods can be used directly through a shell, or in a script.
5 Using Boot Camp
Topics:
• Mac OS X Boot Camp Support
• Recovery of Encryption Enterprise for Windows on Boot Camp

Mac OS X Boot Camp Support
NOTE: When using Boot Camp, Dell Encryption Enterprise does not encrypt the Windows operating system. Also, if two or more bootable macOS partitions exist on the device, Encryption Enterprise encrypts only the primary volume.
Boot Camp is a utility included with Mac OS X that assists you in installing Windows on Mac computers in a dual-boot configuration.
● Bootable USB drive, or
● FAT partition on the external Boot Camp volume
3. Shut down the computer with the Boot Camp volume to be recovered.
4. Connect the external drive to the computer. This drive contains the Boot Camp volume created in step 1.
5. To boot the computer from the external Boot Camp drive, do one of these:
● Simultaneously press and hold the Command-R keys before the Power-On/Self-Test chime and during the computer boot-up.
6 Client Tool
The Client Tool is a shell command that runs on a Mac endpoint. It is used to activate the client from a remote location or to run a script through a remote management utility.
As administrator, you can activate a client and do the following:
● Activate as administrator
● Activate temporarily
● Retrieve information from the Mac client
To use the Client Tool manually, open an ssh session and enter the desired command on the command line.
Example: /Library/PreferencePanes/Dell\ Encryption\Enterpr
Table 1. Client Tool Commands (continued)
Columns: Command | Purpose | Syntax | Results
Syntax: -fc deviceId pathToKeychain keychainPassword
Results: 10 = Credential failure; 11 = Escrow failed
Syntax: -fc deviceId recoveryFile
NOTE: deviceId must be a Logical Volume UUID or resolve to exactly one LVUUID. Often, a mount point or devnode works.
Retrieves the client's disk status and prints it.
7 Glossary
Security Server - Used for activations of Dell Encryption.
Policy Proxy - Used to distribute policies for client software.
Management Console - Dell Server's administrative console for the entire enterprise deployment.
Shield - Occasionally, you may see this name in the documentation and in the user interfaces. "Shield" is a name used to represent Dell Encryption.