FileVault product settings

The product settings policy provides the settings required for FileVault management, password settings, and client messaging on managed Mac clients.

Table 1: Option definitions

FileVault Management

Manage FileVault — Allows MNE to manage FileVault on the client system and to receive status reports from it.
  • Turn On (Enable) FileVault — When enforced, turns on FileVault on client systems where it is not already enabled and then manages it. The client systems also report their status to McAfee ePO.

    When you turn on FileVault and enforce this policy on the required client systems, users see a pop-up message asking them to restart the system. The user must restart the system before FileVault can begin encrypting it under McAfee ePO management, or can postpone the restart until a more convenient time.

    • Destroy FileVault key in standby mode — The FileVault key held in memory to unlock the encrypted volume is removed when the system enters standby. This defends against memory-related attacks (such as cold-boot or DMA attacks on a sleeping system) during the various sleep states; resuming from standby forces a user authentication before the key is brought back into memory.
    • Generate a new FileVault key in days __ (1-360) — Enable this option and specify how often the recovery key is rotated. Rotation improves security by limiting the period during which any single recovery key remains valid, so a recovery key that leaked earlier stops working at the next rotation.
    • Allows users to import recovery key on client — Enable this option to allow users to import a recovery key on the client system. This is useful if end users use the FileVault application to generate new recovery keys, so that the new key can be escrowed to McAfee ePO.
    • Prompt user to create a new recovery key on already enabled systems — If FileVault was already enabled by the user before the MNE policy is enforced, the client system prompts the user to authenticate with their FileVault password. Once the user has authenticated, the client system's recovery key can be queried from FileVault and is escrowed to the McAfee ePO database.
      Note: If users ignore this prompt, their system cannot be recovered through McAfee ePO, because no recovery key has been escrowed; FileVault releases the current recovery key only when authentication is provided.
    • Only enable FileVault if DEGO tests pass — If Drive Encryption GO (DEGO) - OSX 2.1.0.xxx is installed on the Mac client system, FileVault is enabled only if the DEGO tests pass.
      Note: Make sure that you have already installed EEGO.zip (the DEGO extension) before enabling this option. For more information about the DEGO extension, refer to the McAfee Drive Encryption 7.1 Product Guide.
    • Restart timeout period in minutes __ (1-60) — Defines, in minutes, the length of the restart timeout period that applies to the restart prompt shown when FileVault is turned on.
  • Turn Off (Disable) FileVault — When enforced, turns off FileVault on client systems. The client systems continue to report their status to McAfee ePO.
    Note: When this option is selected, the Password Settings and Client Messaging options are disabled.
Do not manage FileVault — When enforced, MNE does not manage FileVault.
  • Report client system status — When enforced, MNE does not manage FileVault but reports FileVault status and security posture data to McAfee ePO. This lets you manage FileVault with a third-party management tool while still reporting status within McAfee ePO, which is useful for monitoring BYOD (Bring Your Own Device) or contractor laptops for compliance with company encryption policies.

If FileVault is managed by MNE, or if report-only mode is selected, the client system reports the following information to McAfee ePO:

  • FileVault status
  • FileVault mode
  • System information
  • System encryption status
  • FIPS status
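The following POSIX shell script is an added example, not code from MNE or from this guide. It reproduces locally the kind of posture that report-only mode sends to McAfee ePO: it classifies the output of Apple's `fdesetup status` command (FileVault status and encryption progress) and checks whether `pmset -g` shows the DestroyFVKeyOnStandby setting, which is the macOS control that provides the "destroy key in standby" protection described above. Whether MNE sets that control through pmset is not stated on this page, so the script only reads what pmset reports. The fdesetup and pmset outputs embedded in the script are constructed samples so that it runs offline; on a Mac, pass the real command output instead.

```shell
#!/bin/sh
# Added example, not MNE or Apple code. Classifies `fdesetup status` output
# and checks `pmset -g` for DestroyFVKeyOnStandby, then combines them into
# the kind of posture verdict report-only mode sends to ePO.
# The SAMPLE_* strings are constructed for offline use; on a Mac use
#   posture "$(fdesetup status)" "$(pmset -g)"

# Map fdesetup status text to: on, off, encrypting, decrypting or unknown.
# In-progress lines are matched first because they appear alongside
# "FileVault is On."
fv_state() {
    case $1 in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On."*)       echo on ;;
        *"FileVault is Off."*)      echo off ;;
        *)                          echo unknown ;;
    esac
}

# Percentage from "Percent completed = NN"; prints nothing if absent.
fv_percent() {
    printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9][0-9.]*\).*/\1/p'
}

# 1 if pmset reports DestroyFVKeyOnStandby 1 (volume key dropped on
# standby, password required on resume), else 0 (macOS default: retained).
standby_key_destroyed() {
    if printf '%s\n' "$1" | grep -qi 'DestroyFVKeyOnStandby[[:space:]]*1[[:space:]]*$'; then
        echo 1
    else
        echo 0
    fi
}

# Verdict: "compliant" only when FileVault is fully on and the key is
# destroyed on standby; a disk still encrypting is reported as pending
# because it is not yet protected.
posture() {
    fv_out=$1; pm_out=$2
    state=$(fv_state "$fv_out")
    case $state in
        on)
            if [ "$(standby_key_destroyed "$pm_out")" = 1 ]; then
                echo compliant
            else
                echo compliant-key-retained-on-standby
            fi ;;
        encrypting) echo "pending:$(fv_percent "$fv_out")%" ;;
        *)          echo "noncompliant:$state" ;;
    esac
}

# Constructed sample outputs (shapes follow fdesetup and pmset, values invented).
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'
SAMPLE_FV_ENC='FileVault is On.
Encryption in progress: Percent completed = 43'
SAMPLE_PM_HARDENED='System-wide power settings:
Currently in use:
 hibernatemode        25
 DestroyFVKeyOnStandby 1
 standby              1'
SAMPLE_PM_DEFAULT='System-wide power settings:
Currently in use:
 hibernatemode        3
 standby              1'

# Stand-alone run: one line per combination.
for fv in "$SAMPLE_FV_ON" "$SAMPLE_FV_ENC" "$SAMPLE_FV_OFF"; do
    for pm in "$SAMPLE_PM_HARDENED" "$SAMPLE_PM_DEFAULT"; do
        printf '%-10s key_destroyed=%s -> %s\n' \
            "$(fv_state "$fv")" "$(standby_key_destroyed "$pm")" "$(posture "$fv" "$pm")"
    done
done
```

The verdict deliberately separates "on" from "encrypting": a client whose initial encryption is still running reports FileVault as on, but the parts of the disk not yet encrypted are still readable, so a compliance report should not count it as protected until the percentage reaches 100.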
Password Settings

Apply password content rules — Allows you to define password rules that MNE applies to OS X so that the client system enforces them. Because the OS X account password is also the FileVault pre-boot password for FileVault-enabled users, these rules govern the credential that unlocks the disk.

  • Minimum length __ (4-40) — The user must create a password of at least the specified length.
  • Maximum length __ (4-255) — The user must create a password of no more than the specified length.
  • Require at least one alphabetic character in password — The password must contain at least one alphabetic character.
  • Require at least one numeric character in password — The password must contain at least one numeric character.
  • Require password change after days __ (1-180) — The user must change the password after the specified number of days.
  • Do not apply password content rules to these users (separate users with a semi-colon, for example, user1; user2) — Type the short names of the users to whom the password content rules must not apply.
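As an added example (not MNE's own implementation, and not code from this guide), the following POSIX shell script expresses the password content rules above in the form macOS itself enforces them: an account-policy plist for Apple's pwpolicy command, built from the same minimum length, maximum length, alphabetic and numeric requirements and change interval. It also vets candidate passwords locally against the same rules before the policy is deployed and plans the per-user pwpolicy calls while skipping the accounts in the exclusion list. The rule values, the excluded users, the user names and the policyIdentifier strings are illustrative assumptions; the Apple policy attribute names (policyAttributePassword, policyAttributeCurrentTime, policyAttributeLastPasswordChangeTime, policyAttributeExpiresEveryNDays) are Apple's.

```shell
#!/bin/sh
# Added example, not MNE or Apple code: renders the "Apply password content
# rules" options as a pwpolicy plist, vets passwords against the same rules
# locally, and plans per-user application honouring the exclusion list.

MIN_LEN=8          # Minimum length (page range 4-40); illustrative value
MAX_LEN=64         # Maximum length (page range 4-255); illustrative value
REQUIRE_ALPHA=1    # Require at least one alphabetic character
REQUIRE_NUM=1      # Require at least one numeric character
EXPIRE_DAYS=90     # Require password change after days (page range 1-180)
EXCLUDED_USERS="svc_backup; kiosk"   # illustrative; "separate users with a semi-colon"

# Local pre-check with the same semantics the plist enforces. Prints ok,
# too-short, too-long, no-alpha or no-digit; exit status is 0 only for ok.
password_verdict() {
    pw=$1
    if [ "${#pw}" -lt "$MIN_LEN" ]; then echo too-short; return 1; fi
    if [ "${#pw}" -gt "$MAX_LEN" ]; then echo too-long; return 1; fi
    if [ "$REQUIRE_ALPHA" -eq 1 ]; then
        case $pw in *[A-Za-z]*) ;; *) echo no-alpha; return 1 ;; esac
    fi
    if [ "$REQUIRE_NUM" -eq 1 ]; then
        case $pw in *[0-9]*) ;; *) echo no-digit; return 1 ;; esac
    fi
    echo ok
}

# Exit 0 when user $2 is in the semicolon-separated list $1 ("user1; user2").
excluded_user() {
    list=$1; user=$2; found=1
    old_ifs=$IFS; IFS=';'
    for entry in $list; do
        entry=$(printf '%s' "$entry" | tr -d ' ')
        if [ "$entry" = "$user" ]; then found=0; fi
    done
    IFS=$old_ifs
    return $found
}

# One policyCategoryPasswordContent entry: $1 identifier, $2 ICU regex.
content_rule() {
    cat <<EOF
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '$2'</string>
      <key>policyIdentifier</key>
      <string>$1</string>
    </dict>
EOF
}

# Render all rules as an account-policy plist on stdout.
build_policy_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
EOF
    content_rule example.length "^.{${MIN_LEN},${MAX_LEN}}\$"
    [ "$REQUIRE_ALPHA" -eq 1 ] && content_rule example.alpha '.*[A-Za-z].*'
    [ "$REQUIRE_NUM" -eq 1 ] && content_rule example.digit '.*[0-9].*'
    cat <<EOF
  </array>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
      <key>policyIdentifier</key>
      <string>example.expiry</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributeExpiresEveryNDays</key>
        <integer>${EXPIRE_DAYS}</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Dry run: prints one pwpolicy command per user (run them as root on a Mac),
# skipping the excluded accounts.
plan_apply() {
    plist=$1; shift
    for u in "$@"; do
        if excluded_user "$EXCLUDED_USERS" "$u"; then echo "skip   $u (excluded)"
        else echo "apply  pwpolicy -u $u -setaccountpolicies $plist"; fi
    done
}

# Stand-alone run with constructed candidates and users.
for pw in abc Password1 only-letters 12345678; do
    printf '%-14s %s\n' "$pw" "$(password_verdict "$pw")"
done
plan_apply mne-pwpolicy.plist alice kiosk svc_backup
```

Write the plist with `build_policy_plist > mne-pwpolicy.plist` and apply it per user as shown; applying it per user rather than with a global `pwpolicy -setaccountpolicies` is what makes the exclusion list possible, since a global policy applies to every local account.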
Client Messaging

Display the following message, instead of the default, when enabling FileVault — The user receives this message when FileVault is enabled. If left empty, a default message is shown.

Display the following login banner — Enable this option and enter the banner text; the user sees the banner after authenticating to FileVault.

Display the following message, instead of the default, when FileVault has been disabled by a third-party application or user — The user receives this message if FileVault is disabled by anything other than MNE. If left empty, a default message is shown.

Duplicate — Duplicates (copies) the policy settings under a different name so that the copy can be assigned to a different user.
Save — Saves the MNE product settings policy.
Cancel — Exits the current page.