Disk Encryption Policy

User can create and deploy a Full Disk Encryption (FDE) policy just like any other MDM policy.

About this task

For details on FDE, see Full Disk Encryption. To create a FDE policy complete the following steps:

Procedure

  1. From the WebUI main screen, click Apps > MCM and on the top right corner, click Create Policy
  2. From the list of policy types, select Disk Encryption

  3. On the Disk Encryption Policy page, enter the required information.

    Windows
    If you select Windows for Operating System, provide the following information. You must configure if you want a Client UI offer (if available) or to just restart immediately.

    • Windows Disk Encryption Policy
      • Require Device Encryption: Select this to enforce disk encryption. This is selected by default.
      • Fixed Drives Require Encryption: This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. If not encrypted, the fixed drives remain Read-Only.
      • Removable Drives Require Encryption: This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If not encrypted, the removable drives remain Read-Only.
    • System Drives Recovery Message: This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
      • Preboot Recovery Mode
        • Disabled
        • Default
        • Custom Message
        • Custom URL
      • Recovery Message: Recovery message is displayed in the BitLocker recovery page.
      • Recovery URL
    macOS
    If you select macOS for Operating System provide the following information:
    • MacOS Disk Encryption Policy
      • Recovery Key Output Path which is an optional field where you can provide a path where the recovery key information is stored.
      • Recovery Key Escrow Location: The description of the location where the recovery key will be escrowed. This text will be inserted into the message the user sees when enabling FileVault. Required field. Enter a message that can be displayed to the user about from where to get the recovery key. For example, support helpdesk.
    Note: Enabling full disk encryption on macOS devices disables auto-login. For more information, read Apple official documentation at https://support.apple.com/en-us/HT201476 and https://support.apple.com/en-us/HT204837.
  4. Click Save.