Apple’s macOS has the ability to encrypt the hard drive of the system. If a user forgets this passphrase or is unable to unlock the system with the regular macOS password, a Personal Recovery Key (PRK) can be used to boot the system.
Symantec Endpoint Encryption includes the ability to easily manage the Personal Recovery Keys for these macOS systems encrypted with FileVault. This article will cover the Configuration, Installation and Recovery pages for the SEE FileVault Client.
In addition to managing the Personal Recovery Key, the SEE FileVault client can be configured to use an “Institutional Recovery Key” (IRK), so if neither the PRK nor the user password can unlock a system, the IRK can be used to do so.
See the following articles for additional information related to this topic:
213010 - How to create a SEE Client and Institutional Recovery Key for Symantec Endpoint Encryption FileVault Recovery (client creation)
213004 - Using a Personal Recovery Key to unlock a machine managed by the Symantec Endpoint Encryption FileVault Client
213006 - Using the SEE Helpdesk Web Portal to obtain the Personal Recovery Key for SEE FileVault clients
150976 - Symantec Endpoint Encryption FileVault Client Personal Recovery Key Screens
Before installation, if you open the System Preferences and go to Security and Privacy, you will notice the system is not encrypted with FileVault, indicated by the button “Turn On FileVault”:
At the end of this article, we’ll show you what it looks like once the system has been encrypted with FileVault and the Personal Recovery Key is being managed by Symantec Endpoint Encryption.
First, obtain the SEE FileVault installer application:
Once you double-click, go through the wizard to install:
You will be asked to authenticate with your macOS password to install, or to provide a fingerprint if configured:
Once complete, you’ll see the following screens and be prompted to reboot in order to start encryption:
Once the system reboots, the user may see the following screen indicating encryption will be enabled:
Once the user clicks “Enable Now”, the following screen will show up:
Once the system has been rebooted and you log back in to the user profile, encryption should start automatically; this happens even if the system is not connected to the SEE Management Server:
Important: The SEE Client must be able to communicate with the SEE Management Server in order to send up the recovery key. If there is no communication link, the Personal Recovery Key cannot be uploaded to the server for management.
The user will then be prompted to enter the password for the macOS profile in order to send the Personal Recovery Key to the server:
You can then open the FileVault preferences and see encryption is taking place:
Once encryption has completed, you will be able to see that a recovery key has been configured, which the SEE Management Server will then be able to manage:
Now if the user forgets the passphrase, they can call the helpdesk group and the recovery key can then be used to unlock the machine and reset the user’s password.
To see screenshots of how a recovery key is entered at macOS, see article X.