Encryption on Western Devices

Overview

Full-disk encryption is essential for protecting the data on Western's Windows and macOS devices if a machine is lost or stolen. This document covers the two encryption technologies used on our managed devices:

  • BitLocker for Windows

  • FileVault for macOS

This guide provides an overview of these encryption methods, their deployment processes, and troubleshooting tips for common issues.


Encryption for Mac and PC

BitLocker (Windows)

Purpose

BitLocker is the full-volume encryption feature built into Windows. It encrypts the entire system drive and uses the Trusted Platform Module (TPM) to protect the encryption key: the TPM releases the key at boot only if the firmware and boot-loader measurements match those recorded when BitLocker was enabled, so a drive moved to another machine, or booted through altered boot components, falls back to the recovery key instead of unlocking. With a TPM-only protector the drive is unlocked before anyone signs in, so access to the data is then governed by Windows sign-in; a TPM+PIN protector adds a pre-boot check.

Deployment

At the time of imaging, BitLocker is typically pushed out through Config Manager and enforced via Group Policy settings to ensure all systems are encrypted from the moment they are set up. This process ensures compliance with organizational security policies.

Configuration Steps

  1. Enable BitLocker:

    • Open Control Panel > System and Security > BitLocker Drive Encryption (or search for Manage BitLocker).

    • Select the drive to encrypt, then follow the prompts to configure it with the TPM as the key protector.

  2. Manage BitLocker Keys:

    • For managed devices the recovery password is escrowed to Active Directory, Microsoft Entra ID, or Intune. Confirm that the escrow succeeded before handing the device to a user: a recovery password that was never backed up cannot be retrieved later, and a device stuck at the recovery screen then has to be wiped.

  3. TPM Configuration:

    • The TPM must be enabled, and show as ready, in the firmware setup (BIOS/UEFI) for BitLocker to use it as the key protector. If TPM issues arise, a firmware update or a TPM clear/reset may be required; clearing the TPM invalidates the existing protector, so retrieve the recovery key from escrow first.

Troubleshooting

Microsoft Documentation on BitLocker: This is a helpful resource for general troubleshooting steps related to BitLocker, including common issues like recovery key prompts and TPM configuration problems. Microsoft BitLocker Troubleshooting Guide


FileVault (macOS)

Purpose

FileVault is the encryption technology used for macOS devices. It encrypts the entire drive to protect data from unauthorized access. FileVault is particularly crucial in environments where sensitive data must remain secure, even if a device is lost or stolen.

Deployment

For macOS devices, FileVault can be enabled manually or through JAMF (macOS device management software). Encryption is typically set up during the device provisioning process.

Configuration Steps

  1. Install macOS and create a local user account.

  2. Set Up FileVault:

    • Open System Settings > Privacy & Security > FileVault (System Preferences > Security & Privacy > FileVault on macOS 12 and earlier).

    • Click Turn On FileVault to begin the encryption process.

    • Ensure the ATUS account is added as a FileVault-enabled user (it should appear in the output of fdesetup list) so it can unlock the disk for recovery.

  3. Enable Secure Token:

    • Secure Tokens must be enabled for the ATUS and local admin accounts so they can be FileVault-enabled users and manage encryption. Only an account that already holds a Secure Token can grant one; the first account to log in after setup normally holds one.

    • Check an account with sysadminctl -secureTokenStatus <username> and grant the token with sysadminctl -secureTokenOn (see Troubleshooting below).

Troubleshooting

Apple Documentation on FileVault: This is a valuable resource for understanding how to enable and manage FileVault on macOS. It covers troubleshooting steps for common issues, such as managing recovery keys, turning on encryption, and what to do if you forget your password. Apple's FileVault guide is a great starting point for anyone looking to secure their data using macOS's built-in encryption feature.
Apple FileVault Support Page


Troubleshooting

BitLocker

  1. TPM Missing or Recovery Key Prompt:

    • Issue: Some Dell models may experience a disappearing TPM, causing BitLocker to prompt for a recovery key on reboot.

    • Solution: Power down the system, unplug it for a minute, then restart to temporarily restore the TPM. A TPM firmware update or motherboard replacement may be needed for a permanent fix. Retrieve the recovery key from escrow before either: suspend BitLocker (manage-bde -protectors -disable C:) before a firmware update, and expect a recovery-key prompt after a motherboard replacement, because the new board's TPM holds no key for the existing volume.

    • More Details: Visit https://wwuhelp.atlassian.net/wiki/spaces/IKB/pages/1738309633 .

  2. BitLocker Recovery Screen Not Appearing:

    • Issue: The system fails to show the BitLocker recovery screen and shows a Windows troubleshooting screen instead, so the recovery key cannot be entered.

    • Solution: In firmware setup, change the storage (SATA operation) setting from RAID to AHCI and reboot. The changed boot configuration means the TPM will not release the key, so BitLocker now prompts for the recovery key. Enter it to unlock the drive; once the drive is decrypted, switch the setting back to RAID so Windows boots normally.

    • More Details: Visit https://wwuhelp.atlassian.net/wiki/spaces/IKB/pages/1916207105 .

  3. Retrieving BitLocker Keys:


FileVault

  1. Secure Token Status:

    • Issue: The Secure Token for the ATUS account or local admin account is disabled, preventing proper FileVault setup.

    • Solution: Enable the Secure Token from Terminal, using an admin account that already holds a Secure Token:

      sysadminctl -secureTokenOn <username> -password - -adminUser <adminUsername> -adminPassword -

      Giving - for each password makes sysadminctl prompt for it, so the passwords are not written to shell history or exposed in process listings (they may be passed inline instead, but that leaks them). Verify the result with sysadminctl -secureTokenStatus <username>.

    • More Details: Visit https://wwuhelp.atlassian.net/wiki/spaces/~841530527/pages/1874067457 .

  2. Login Screen Differences:

    • Issue: Intel-based Macs and Apple silicon Macs show different pre-boot screens when FileVault is on. An Intel Mac unlocks the disk from an EFI pre-boot screen that lists only FileVault-enabled users; an Apple silicon Mac unlocks from a screen that looks like the normal login window.

    • Solution: This is expected behavior; make users aware of the difference. No action is required unless further issues arise.

  3. Secure Token Management:

    • Issue: FileVault devices require Secure Token management to allow administrators to reset passwords and manage encryption.

    • Solution: Ensure that all admin accounts have Secure Token enabled to maintain full control over the FileVault encryption process.

    • More Details: Visit https://wwuhelp.atlassian.net/wiki/spaces/IKB/pages/1971552257 .
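The Secure Token checks from the FileVault configuration steps and from troubleshooting items 1 and 3 above, worked through as one script. This is an added example, not part of the original article and not an Apple or JAMF tool: it audits whether each required account holds a Secure Token and is listed as a FileVault-enabled user, and prints the remediation commands without putting any password on the command line. The account names (atus, localadmin) and the sample tool output are assumptions; override REQUIRED_ACCOUNTS and GRANTING_ADMIN for your environment. Run it with LIVE=1 on a Mac to query sysadminctl and fdesetup; without LIVE it uses the constructed sample output so it can be read and tested on any machine.

```shell
#!/bin/bash
# Added example (not from the original article): audit Secure Token and
# FileVault-enabled status for the accounts that must be able to unlock the
# disk, and print the fix. Account names and the sample output are assumptions.
# LIVE=1 queries the real system; otherwise constructed sample output is used.

LIVE="${LIVE:-0}"
REQUIRED_ACCOUNTS="${REQUIRED_ACCOUNTS:-atus localadmin}"   # assumed names
GRANTING_ADMIN="${GRANTING_ADMIN:-localadmin}"              # must already hold a token

# Status line for one account. sysadminctl writes it to stderr, hence 2>&1.
secure_token_status() {
  if [ "$LIVE" = 1 ]; then
    sysadminctl -secureTokenStatus "$1" 2>&1
  else
    case "$1" in   # constructed sample output, shaped like the real tool's
      atus)       echo "sysadminctl[512:9001] Secure token is DISABLED for user atus" ;;
      localadmin) echo "sysadminctl[512:9002] Secure token is ENABLED for user localadmin" ;;
      *)          echo "sysadminctl[512:9003] User $1 not found" ;;
    esac
  fi
}

# One "name,UUID" line per user who can unlock FileVault at startup.
filevault_users() {
  if [ "$LIVE" = 1 ]; then
    fdesetup list
  else
    echo "localadmin,A1B2C3D4-0000-4000-8000-000000000001"   # constructed
  fi
}

# token_state <status line> -> ENABLED | DISABLED | UNKNOWN
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# has_filevault <account> -> success if the account is a FileVault-enabled user
has_filevault() {
  filevault_users | grep -q "^$1,"
}

# account_ok <account> -> success if the account needs no work
account_ok() {
  [ "$(token_state "$(secure_token_status "$1")")" = ENABLED ] && has_filevault "$1"
}

# remediation <account> -> the commands for the tech to run. The '-' arguments
# make both tools prompt for passwords, so none land in shell history or ps.
remediation() {
  printf 'sysadminctl -secureTokenOn %s -password - -adminUser %s -adminPassword -\n' "$1" "$GRANTING_ADMIN"
  printf 'fdesetup add -usertoadd %s\n' "$1"   # only needed if still absent from fdesetup list
}

# audit -> one report line per required account; returns 1 if any needs work
audit() {
  rc=0
  for acct in $REQUIRED_ACCOUNTS; do
    state=$(token_state "$(secure_token_status "$acct")")
    if has_filevault "$acct"; then fv=yes; else fv=no; fi
    echo "$acct token=$state filevault=$fv"
    account_ok "$acct" || rc=1
  done
  return $rc
}

if audit; then
  echo "All required accounts hold a Secure Token and can unlock FileVault."
else
  echo "Remediation (run as $GRANTING_ADMIN, which must already hold a Secure Token):"
  for acct in $REQUIRED_ACCOUNTS; do
    account_ok "$acct" || remediation "$acct"
  done
fi
```

With the sample output the audit reports atus as lacking both the token and FileVault enablement and prints the two commands for it; localadmin passes. The granting account is deliberately a parameter because sysadminctl refuses to grant a token from an account that does not hold one itself.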


JAMF Deployment (Placeholder)

This section will be updated with specific instructions for deploying FileVault through JAMF once additional input from the Mac System Admins is obtained.


For additional resources or questions, refer to the detailed articles linked above or contact your IT team for assistance.
