Encryption Management for Apple FileVault Manual Deployment

Installing the Encryption Management for Apple FileVault Agent

To install Encryption Management for Apple FileVault, perform the following procedure.

  1. Verify that all of the agent installation prerequisites have been completed.

    See Agent Installation Prerequisites.

  2. Verify that the hard disk is not already encrypted, no other full disk encryption product is installed, and that Apple FileVault is disabled.
    1. Go to System Preferences > Security & Privacy.
    2. Select the FileVault tab.
    3. If necessary, click the lock icon to make changes.
    4. Specify the user name and password for the endpoint.
    5. Click Turn Off FileVault.
  3. Run a hard drive integrity utility on the system drive.

    For example, run Verify Disk from OS X Disk Utility. To use this feature, do the following:

    1. Restart your Mac in Recovery Mode by holding Command + R during startup.
    2. Click Disk Utility.
    3. Select your startup disk.
    4. Click Verify Disk.
    5. If errors are found on the disk, click Repair Disk.
  4. Check with your system administrator about whether you should defragment your system drive.
  5. Copy the installation files to the system drive.
  6. Run TMFDEInstall_FV.exe.
  7. From the Welcome screen, click Continue.

    The Installer checks that the system requirements are met.

  8. If the system requirements are met, click Install.
  9. Select the hard disk on which to install the agent.
  10. Specify the user name and password of an account with permission to install applications on the endpoint, and click Install Agent.

    The installation begins.

  11. Specify the following PolicyServer information:
    • Server name: Specify the PolicyServer IP address, host name, or FQDN and include the port number assigned to that configuration.
    • Enterprise: Specify the Enterprise. Only one Enterprise is supported.
    • User name: Specify the user name of an account with permission to add devices to the Enterprise.
    • Password: Specify the password for the user name.

    Important:

    Make sure that you type the correct password at this time, or you may need to troubleshoot your encryption status later.

  12. After the installation completes, click Close to restart the endpoint.

    The Encryption Management for Apple FileVault agent initiates immediately after the endpoint restarts.

  13. Go to the menu bar to open the Encryption Management for Apple FileVault agent.
    Note:

    For information about understanding and managing the Endpoint Encryption agent, see the Endpoint Encryption Administrator's Guide.

Creating a Mobile Account for Active Directory on Mac OS

Mac OS local accounts or mobile accounts are able to initiate encryption on Mac OS X Mountain Lion or later. Other Mac OS user account types will be unable to initiate encryption.

If a Mac OS account other than a local account or mobile account attempts to initiate encryption, the following notification appears:



The following task shows how to create a mobile account for your Mac OS account to bypass this issue.

  1. Go to System Preferences... in the Apple menu.

    The System Preferences window appears.

  2. Select User Groups under the System section.
  3. Click the lock icon in the lower left corner.
  4. Click Create... next to Mobile account.
  5. On the following screens, select any personal settings, and click Create to proceed from one screen to the next.
  6. When prompted, enter your Active Directory password and click OK.


    Your mobile account has been created. You may now use this mobile account to initiate encryption.

Troubleshooting Password and Encryption Issues

After installing Encryption Management for Apple FileVault and restarting the endpoint, Apple FileVault attempts to encrypt the disk.

If the password specified during installation did not match the specified user account, the following window appears:

  • For endpoints with hard drives not using APFS (Apple File System), restart the endpoint again after specifying the correct password. If the password was the issue, Apple FileVault encrypts the endpoint after restarting.

  • For endpoints running Mac OS High Sierra (10.13) with SSDs using APFS, a restart is not required. Apple FileVault encrypts the endpoint after specifying the correct password.

If this problem persists, or if the encryption status shows that the endpoint is not encrypting, then another issue is restricting Apple FileVault functionality. Perform the following procedure to determine the location of the issue and whether to send the issue to Trend Micro Support.

  1. From the Apple menu, go to Security & Privacy > FileVault.
  2. If the lock icon is locked, click the lock icon to make changes.
  3. Click Turn On FileVault....

    A window appears that asks for your password.

  4. Type your password and click Start Encryption.

    If your user account has permission to turn on FileVault, your credentials are correct, and FileVault is working properly, FileVault begins encrypting the disk.

  5. If FileVault encounters any issues during encryption after this point, take relevant screenshots of those issues and contact Trend Micro Support.
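
The FileVault state that installation step 2 and the troubleshooting procedure check through System Preferences can also be read from Terminal with macOS's fdesetup status command. The script below is an added example, not part of the Trend Micro documentation; the function names are hypothetical, the sample outputs are constructed, and the status phrases it matches are assumptions about fdesetup's output wording.

```shell
#!/bin/sh
# Added example: gate the agent install and the post-restart check on
# FileVault state, as reported by macOS `fdesetup status`.
# Function names and the sample strings below are constructed for illustration.

# Map status text to one state word. In-progress lines are tested first
# because they appear alongside an "On"/"Off" line.
fv_state() {
    case "$1" in
        *"Decryption in progress"*) echo decrypting ;;
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# fv_check PHASE STATUS_TEXT
#   pre  : passes only when FileVault is fully off (installation step 2)
#   post : passes when the disk is encrypting or already encrypted
fv_check() {
    state=$(fv_state "$2")
    case "$1:$state" in
        pre:off)                  echo "PASS pre: FileVault is off" ;;
        post:encrypting|post:on)  echo "PASS post: state=$state" ;;
        pre:*|post:*)             echo "FAIL $1: state=$state"; return 1 ;;
        *)                        echo "FAIL: unknown phase '$1'"; return 2 ;;
    esac
}

# Constructed sample outputs (not captured from a real endpoint).
SAMPLE_OFF='FileVault is Off.'
SAMPLE_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 12'
SAMPLE_DECRYPTING='FileVault is Off.
Decryption in progress: Percent completed = 80'

# On a Mac, check the live state; elsewhere, walk the samples.
phase=${1:-pre}
if command -v fdesetup >/dev/null 2>&1; then
    fv_check "$phase" "$(fdesetup status 2>&1)" || true
else
    fv_check pre  "$SAMPLE_OFF"
    fv_check pre  "$SAMPLE_DECRYPTING" || true
    fv_check post "$SAMPLE_ENCRYPTING"
fi
```

Run it with the argument pre before installing the agent and post after the endpoint restarts. A disk that is still decrypting fails the pre check even though FileVault reports Off.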