How to install and use the SEE FileVault client to enable encryption and manage Recovery Keys with the SEE Management Server
search cancel

How to install and use the SEE FileVault client to enable encryption and manage Recovery Keys with the SEE Management Server

book

Article ID: 213002

calendar_today

Updated On:

Products

Endpoint Encryption

Issue/Introduction

Apple’s macOS has the ability to encrypt the hard drive of the system.  If a user forgets this passphrase or is unable to unlock the system with the regular macOS password, a Personal Recovery Keys (PRKs) can be used to boot a system. 
 
Symantec Endpoint Encryption includes the ability to easily manage the Personal Recovery Keys for these macOS systems encrypted with FileVault.  This article will cover the Configuration, Installation and Recovery pages for the SEE FileVault Client.

In addition to managing the Personal Recovery Key, the SEE FileVault client can be configured to use an “Institutional Recovery Key”, so if the PRK or user password cannot unlock a system, the IRK can be used to do so.  

 

See the following articles for additional information related to this topic:


213010 - How to create a SEE Client and Institutional Recovery Key for Symantec Endpoint Encryption FileVault Recovery (client creation)

213004 - Using a Personal Recovery Key to unlock a machine managed by the Symantec Endpoint Encryption FileVault Client

213006 - Using the SEE Helpdesk Web Portal to obtain the Personal Recovery Key for SEE FileVault clients

150976 - Symantec Endpoint Encryption FileVault Client Personal Recovery Key Screens

Resolution

First, if you open the System Preferences and go to Security and Privacy, you will notice the system is not encrypted with FileVault, indicated by the button “Turn On FileVault”:

At the end of this article, we’ll show you what it looks like once the system has been encrypted with FileVault and the Personal Recovery Keys now being managed by Symantec Endpoint Encryption.

First, obtain the SEE FileVault installer application:

Once you double-click, go through the wizard to install:

You will be asked to authenticate your macOS password to install or provide a fingerprint if configured:

Once complete, you’ll see the following screens and be prompted to reboot in order to start encryption:

Once the system reboots, the user may see the following screen indicating encryption will be enabled:

Once the user clicks “Enable Now”, the following screen will show up:

Once the system has been rebooted and you log back in to the user profile, encryption should automatically start and this happens even if the system is not connected to the SEE Management Server:

Important: It is important the SEE FileVault Client is able to communicate with the SEE Management Server in order to send up the recovery key.  If there is no communication link, the Personal Recovery Key cannot be uploaded to the server for management.  

The user will then be prompted to enter the password for the macOS profile in order to send the Personal Recovery Key to the server:

You can then open the FileVault preferences and see encryption is taking place:

Once encryption has completed, you will be able to see there is a recovery key that has been configured that SEE Management Server will then be able to manage:

Now if the user forgets the passphrase, they can call the helpdesk group and the recovery key can then be used to unlock the machine and reset the user’s password.

To see screenshots of how a recovery key is entered at macOS, see article :

https://knowledge.broadcom.com/external/article/213004

 

 

Additional Information

Troubleshooting:
174845 - Troubleshooting Symantec Endpoint Encryption for File Vault Add User Dialog keeps coming up

225093 - Mac FileVault Client cannot connect to Endpoint Encryption Management Server

161042 - See Section "About the Symantec Endpoint Encryption for FileVault logs"

Powered by Wolken Software