Hi and welcome to a new ITSpecialist.News tutorial!
Do you want to make sure that the disks of your corporate Macs are encrypted right from the very first boot? In this video I’ll show you how to enable FileVault during the Setup Assistant phase, using Microsoft Intune.
Enabling FileVault from the very beginning of the Mac lifecycle is an excellent security practice and, from my point of view, the best moment to do it, so that you don’t bother users later with logout popups or similar prompts.
📰 What do you prefer? Video or article?
Here are a few notes to help you get the most out of this content.
If you prefer to watch the full video, easy: you can find it up here in the header.
If you prefer reading, that’s easy too: just keep going here. For each step I’ve added a link to the specific video segment (it will open on YouTube), so you’ll only see the screens you’re interested in, without my talking face.
In any case, subscribe to the newsletter to make sure you don’t miss any new tutorial releases.
Perfect, let’s get started!
✅ Prerequisites: what you need before you start
Before you dive into the configuration, make sure you have everything you need:
The Mac must be registered in Apple Business Manager and managed through Automated Device Enrollment.
You must know (and write down) the name of the enrollment profile configured in Intune.
Still within the enrollment profile, the “Await final configuration” option must be set to Yes.
These three elements are essential to make everything work correctly.
🔎 Check the enrollment profile
Sign in to the Intune portal and locate the enrollment profile associated with the Macs.
Take note of its name and immediately check that the “Await final configuration” setting is enabled. It will be useful in a moment.
🧩 Create a Device Filter
Now create a Device Filter. What is it for? It allows you to apply the FileVault policy immediately during enrollment. This way, Intune evaluates the policy in real time and applies it without delays.
We’ll select this device filter when we configure the policy’s assignment in a moment.
⚒️ Configure the FileVault policy
It’s time to create the actual policy by properly configuring the settings.
I’m listing them below for convenience, section by section as you’ll find them in the Settings Catalog.
FileVault
Defer —> Enabled
Recovery Key Rotation In Months —> 1 month
Enable —> On
Force Enable In Setup Assistant —> True
FileVault Options
Prevent FileVault From Being Disabled —> True
FileVault Recovery Key Escrow
Location —> Company Portal Web (Note: here you can actually write whatever you prefer, as long as it’s a concise and clear indication of how/where the user can independently retrieve their FileVault recovery key).
When configuring the assignment, make sure you select the filter we created in the previous step! By doing so, FileVault will be enabled even before the user completes the Setup Assistant.
💻 Verify on a new Mac
Let’s look at the final result on a brand-new Mac, just out of the box!
If you have followed all the steps:
FileVault will be enabled from the very first boot.
The user will not be able to disable it.
The recovery key will be automatically stored in Intune.
You will be able to retrieve it as an administrator, or the user will be able to retrieve it independently via the Company Portal Web.
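To confirm the first two points directly on the Mac, here is an added example (not part of the original tutorial) that classifies the output of the built-in fdesetup tool. The verdict names and the sample outputs are constructed for this example; run it as root on the enrolled Mac.

```shell
#!/bin/sh
# Added example: local FileVault check after enrollment.
# Verdict names below are this example's own, not Intune or Apple terms.

# Map the text printed by `fdesetup status` to a single state.
# "deferred" is tested before "off" because a deferred Mac prints both lines.
fv_state() {
    case "$1" in
        *"FileVault is On."*)                         echo on ;;
        *"Deferred enablement appears to be active"*) echo deferred ;;
        *"FileVault is Off."*)                        echo off ;;
        *)                                            echo unknown ;;
    esac
}

# Combine the state with the output of `fdesetup haspersonalrecoverykey`
# ("true" when a personal recovery key exists on the volume).
fv_verdict() {
    state=$(fv_state "$1")
    case "$state:$2" in
        on:true)    echo compliant ;;
        on:*)       echo encrypted-no-personal-key ;;
        deferred:*) echo pending-user-login ;;
        unknown:*)  echo unknown ;;
        *)          echo not-encrypted ;;
    esac
}

# Constructed sample outputs, so the logic can be read and tried off-device.
SAMPLE_ON='FileVault is On.'
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

# On a real Mac, evaluate the live output; exit status is 0 only if compliant.
if command -v fdesetup >/dev/null 2>&1; then
    verdict=$(fv_verdict "$(fdesetup status 2>&1)" \
                         "$(fdesetup haspersonalrecoverykey 2>&1)")
    echo "FileVault verdict: $verdict"
    [ "$verdict" = compliant ]
fi
```

This only checks the local state of the disk; whether the recovery key was escrowed still has to be confirmed in the Intune portal.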
📃 Attached documentation
As always, here’s a nice basket of documentation with a summer vibe, so you can dive deeper into all the ways to encrypt Mac disks with FileVault via Intune.
📎 Use FileVault disk encryption for macOS with Intune
📎 Enable FileVault through the Setup Assistant
📫 Conclusions
Mission accomplished! The Mac’s disk is encrypted right from the beginning of the device’s lifecycle in the company, and in a way that is almost completely transparent to the user.
If you want to receive more content like this, subscribe to the ITSpecialist.News newsletter: you’ll find guides, series, and exclusive updates.
Thank you for following me this far, see you in the next episode of “Have you tried turning it off and on again?”.
Riccardo









