macOS FileVault Encryption

Macs running OS X 10.10 (Yosemite) or later are eligible for this service.

Computer encryption for Macs is provided by FileVault 2. Sophos SafeGuard is installed and stores a copy of the FileVault recovery key on a secure central server.

Changes to your computer with FileVault Encryption

Once your computer has been encrypted with FileVault, you may notice some minor changes to the way things look on your computer.

Power On Authentication (POA) Login Screen

Notice how the login background appears blurry.

Once a Mac has been encrypted you'll notice that you log in right when your computer starts up; this is the power-on authentication:

  1. Power on the Mac
  2. The POA login window displays (it looks similar to the regular login window, but the background picture appears blurry) and lists the users who are authorized to unlock the computer's encryption and start the computer
  3. The authorized user enters their password and hits "enter"
    • Note: An authorized user is the account that originally encrypted the computer. If your computer was set up by SDS, this is handled for you automatically.
    • If you notice your account is unavailable, you will need an administrator to add your account manually following the directions below.
  4. OS X will then start and log on the authorized user.


Not all user logins are available (Authorized User Account)

If you attempt to log in but cannot find your user account when accessing a computer, it may be that your account isn't an authorized user. You can authorize additional users to power on the Mac. This requires an administrator account, and the user being added must enter their own password.

To allow additional users to power on the Mac:

  1. Go to System Preferences > Security & Privacy > FileVault tab
  2. Click the lock in the bottom left corner and enter an administrator's username and password
  3. Click on the Enable Users... button
  4. Select a user to add from the list and click the Enable User... button next to the user name
  5. The selected user must then enter their password
  6. The user is now able to log in after powering on the computer
"Enable Users..." in FileVault options in system preferences

Add additional users to boot your Mac via System Preferences: click the Apple icon on the top left ->
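
As an added example (not from the original article), the same checks from the command line using Apple's stock fdesetup tool: an administrator can confirm that FileVault is on and that a given account is authorized to unlock the disk at the POA screen before sending a user to the help desk. The user name and UUID in the fallback sample are constructed; live queries need root on a real Mac.

```shell
#!/bin/sh
# Added example, not from the original article: check FileVault state and
# POA-authorized users from the command line, the admin-side counterpart of
# the System Preferences steps above. Uses Apple's stock fdesetup(8) only; it
# does not read Sophos SafeGuard's own status. Live queries need root on a Mac.

# Classify `fdesetup status` text read from stdin.
# Prints one of: on, encrypting, off, unknown.
filevault_state() {
    out=$(cat)
    case "$out" in
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Given `fdesetup list` output on stdin ("shortname,UUID" per line), succeed
# only if $1 is among the accounts allowed to unlock the disk at power-on.
user_is_enabled() {
    awk -F, -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Report on user $1: live fdesetup output when available (root on macOS),
# otherwise constructed sample output so the script also runs elsewhere.
check_user() {
    if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        status=$(fdesetup status)
        users=$(fdesetup list)
    else
        status='FileVault is On.'                                  # constructed
        users='admin,11111111-2222-3333-4444-555555555555'         # constructed
    fi
    state=$(printf '%s\n' "$status" | filevault_state)
    if printf '%s\n' "$users" | user_is_enabled "$1"; then
        echo "FileVault is $state; $1 can unlock the disk at the POA screen"
    else
        echo "FileVault is $state; $1 is NOT an authorized user" \
             "(an administrator can add it with: fdesetup add -usertoadd $1)"
    fi
}

check_user "${1:-admin}"
```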

Alternative Method - Adding Additional Users (Only with FileVault Managed by Sophos SafeGuard)

If the Sophos SafeGuard preference pane is visible in System Preferences (pictured below), there is another method. It requires the credentials of a currently authorized user, and the system must already have passed the boot process (an authorized user has logged in).

Add an additional user via Sophos SafeGuard Prompt:

  1. Log the current user out
  2. Log in with the user account to be added
  3. While loading, a pop-up window provides a list of currently authorized users, a field for the password of one of those authorized users, and a password field for the user being authorized
  4. Once both passwords are entered, that user can boot and log in to the computer as an authorized user
  5. If you're not prompted automatically, go to the Sophos SafeGuard system preference (pictured below)
  6. Click the "Server" tab and select "Synchronize"
  7. A pop-up window will appear asking for your login password

Still can't add additional users? Get some help

Please submit a ticket to help@ucsc.edu mentioning encryption and "Add FileVault Authorized Users".

Recovery Process

If you forget your OS X logon password, proceed as follows:

  1. Turn on your Mac
  2. In the logon screen click on "?". (Alternatively, enter a wrong logon password three times.)
    Your password hint is displayed and you are asked if you want to reset your password using your recovery key
  3. If you still do not remember your password, click the (?) icon next to the text
  4. Contact your local support technician or email help@ucsc.edu to receive a recovery key
  5. Enter the recovery key
  6. The Mac starts and you are asked to enter a new password and a password hint.

Start the recovery process on a Mac at the POA login window

Where to click to start recovery on a Mac

To get the prompt for your recovery key, click the question mark within the text bar. If it is not visible, try entering your password incorrectly.

How to confirm Sophos SafeGuard is installed

Click the Apple icon on the top-left of your screen and select "System Preferences...". You will see "Sophos Encryption" on the bottom row. You can use this preference pane to check the status of your encryption, and it can be used for troubleshooting.

Get Sophos SafeGuard Version, Sync, and Key status

SafeGuard Version

Follow the steps from "How to confirm Sophos SafeGuard is installed" (above) and select "Sophos SafeGuard".
Under the "About" tab you'll see your version.

Sophos SafeGuard Status/preferences macOS

Sync Sophos SafeGuard

From the above image, select the "Server" tab.

SafeGuard macOS sync server

Check the status of your Recovery Key

From the above image, select the "Disk Encryption" tab.

You should see "The system disk is encrypted and a centrally stored recovery key is available."

safeguard macOS recovery key status

Troubleshooting macOS Encryption

SSL Error - The SafeGuard software checks in with the campus SafeGuard server every 90 minutes. If for some reason it cannot connect to the server securely, it will display this window or something like it. This error can appear if you have an out-of-date certificate in your keychain. Please submit a ticket to help@ucsc.edu mentioning encryption and "SSL error".

Enable encryption or enroll an additional user - You will see a window like this if the computer is just being encrypted or you've logged into an account that has not been authorized to boot the computer. Enter the credentials you use to log in to the computer. This is safe.


Missing FileVault Recovery Key - You will see a pop-up like this on the top-right of your screen if your computer has been encrypted but doesn't have a valid recovery key on our server. Please submit a ticket to help@ucsc.edu mentioning encryption and "No Valid Recovery Key".


Error enabling encryption on Mac

Failed to activate encryption on Mac - After entering your password to turn on FileVault encryption through the Sophos SafeGuard prompt, you receive the error "Failed to activate encryption." Before submitting a help ticket, check the offers available in BigFix Self-Service for any relating to "SafeGuard" and accept it. Read the BigFix offer instructions before accepting, as your computer may need to restart. Please submit a ticket to help@ucsc.edu mentioning encryption and "failed to activate encryption error on Mac".