From f721e0daf56c17987f6b2b4118fb5e257f6ce413 Mon Sep 17 00:00:00 2001
From: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Date: Fri, 3 Feb 2023 10:37:02 -0500
Subject: [PATCH] Docs: Add disk encryption section to MDM page

- Add disk encryption section
- Update transparency section of website under here's what osquery can see on your device > file contents dropdown
---
 docs/Using-Fleet/Mobile-device-management.md | 50 +++++++++++++++++++-
 website/views/pages/transparency.ejs         |  3 +-
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/docs/Using-Fleet/Mobile-device-management.md b/docs/Using-Fleet/Mobile-device-management.md
index 9a85a7d384..2b80071039 100644
--- a/docs/Using-Fleet/Mobile-device-management.md
+++ b/docs/Using-Fleet/Mobile-device-management.md
@@ -80,5 +80,53 @@ Fleet UI: The Apple Business Manager server token expires after a year or whenever the account that downloaded the token has their password changed. To renew the token, follow the [instructions documented in this FAQ](https://fleetdm.com/docs/using-fleet/faq#how-can-i-renew-my-apple-business-manager-server-token). +## Disk encryption - +In Fleet, you can turn on disk encryption on your macOS hosts. Apple calls this [FileVault](https://support.apple.com/en-us/HT204837). If turned on, hosts’ disk encryption keys will be stored in Fleet. + +The disk encryption key allows you to unlock a Mac if you forgot login credentials. This key can be accessed by Fleet admin, maintainers, and observers. An event is tracked in the activity feed when a user views the key in Fleet. + +### Viewing a disk encryption key + +To view the disk encryption key, select a host on the **Hosts** page. On the **Host details** page, select **Actions > Show disk encryption key**. + +### Unlock a device using the disk encryption key + +1. Restart the device while holding Command + R + +2. Open Terminal + +3. Unlock the disk encryption key by executing a command similar to: +``` +security unlock-keychain +``` + +4. Locate the Logical Volume UUID of the encrypted disk by executing: +``` +diskutil cs list +``` + +5. Unlock the encrypted drive with the Logical Volume UUID and disk encryption key by executing a command similar to: +``` +diskutil cs unlockVolume -recoveryKeychain +``` +6. Turn off disk encryption by executing a command similar to: +``` +diskutil cs revert -recoveryKeychain +``` + +Once successful, you can reset the account password using the Reset Password utility and recover data by either logging in to the user’s account or using the command line. + +1. Restart the device while pressing Command + R. + +2. Open Terminal and launch the Reset Password utility by executing: +``` +resetpassword +``` + +3. Use the Reset Password utility to reset the account’s password. 
+ +4. Restart the computer and log in using the new password. + + \ No newline at end of file diff --git a/website/views/pages/transparency.ejs b/website/views/pages/transparency.ejs index 061032fba8..d481c6a452 100644 --- a/website/views/pages/transparency.ejs +++ b/website/views/pages/transparency.ejs @@ -105,7 +105,8 @@

- In the case of a cyber attack, it is possible with osquery to gain read access to files on your system. This is not a feature designed for privacy invasion, but rather a means for security teams to locate files on your device that may have been created or affected by a malicious virus. + In the case of a cyber attack, it is possible with osquery to gain read access to files on your system. This is not a feature designed for privacy invasion, but rather a means for security teams to locate files on your device that may have been created or affected by a malicious virus.

+ Additionally, Fleet can be configured to store disk encryption keys that can be used to recover encrypted data from a macOS device.
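Review bot: In the docs hunk (`docs/Using-Fleet/Mobile-device-management.md`, "Unlock a device using the disk encryption key", steps 3, 5 and 6), the commands are shown without the arguments the surrounding text says they need: `security unlock-keychain` takes the path of the keychain file that holds the key, and step 5 says to use the Logical Volume UUID and the key but `diskutil cs unlockVolume -recoveryKeychain` shows neither, so "a command similar to" leaves the reader to guess the shape; writing them with placeholders, e.g. `diskutil cs unlockVolume <LV UUID> -recoveryKeychain <path to keychain>`, would make the steps actionable. Two related gaps: the section never explains how the key viewed via **Actions > Show disk encryption key** becomes the keychain file that step 3 unlocks, and `diskutil cs` operates on CoreStorage (pre-APFS) FileVault volumes, so the procedure needs a note for APFS-formatted boot volumes, where the `diskutil apfs unlockVolume` family applies instead. Step 6 (`diskutil cs revert`) permanently decrypts the volume rather than merely unlocking it; the text should say whether that step is actually required before `resetpassword` and that disk encryption has to be turned on again afterwards, otherwise the host is left unencrypted. Minor: `Command + R` enters Recovery on Intel Macs only (Apple silicon Macs use press-and-hold on the power button), and "Fleet admin, maintainers, and observers" should read "Fleet admins, maintainers, and observers".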
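Review bot: The sentence added to the "file contents" dropdown in `website/views/pages/transparency.ejs` (`+ Additionally, Fleet can be configured to store disk encryption keys that can be used to recover encrypted data from a macOS device.`) tells the device user that the key is stored but not who can read it or whether reads are visible, which is exactly what a transparency page exists to state; the docs hunk already says the key "can be accessed by Fleet admin, maintainers, and observers" and that viewing it "is tracked in the activity feed", so the same two facts belong here, e.g. "The key can be viewed by Fleet admins, maintainers and observers, and each view is recorded in the activity feed." Also, the `-`/`+` pair for the "In the case of a cyber attack" line carries no visible text change, so it looks like a whitespace-only edit; dropping that change would keep the hunk to the one intended addition.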