Encryption is one of the most effective strategies for protecting enterprise data on any endpoint, and encryption comes easy for Mac desktops.
The system's encryption features are integrated into both the hardware and software and have minimal impact on performance. When a volume on a Mac computer is fully encrypted, only a user with the proper credentials can read any of the data on that volume. Anyone else who tries to view the data will see only gibberish.
Even if a Mac is lost or stolen, encryption will still protect the data itself and prevent unauthorized individuals from accessing sensitive information.
The importance of endpoint encryption in a business setting
Encryption ensures that only authorized users can access sensitive data by employing cryptographic algorithms to scramble the data so it can be read only with the proper cryptographic key. A user or administrator can encrypt a Mac's individual files, folders or volumes, although most discussions around macOS encryption are concerned with full-disk protections.
Enterprise workers routinely handle sensitive data -- whether financial information, trade secrets, personally identifiable information (PII) or another type -- and they work with the data in a landscape of continual threats. If the information gets into the wrong hands, the organization could face hefty fines, loss of revenue, tarnished reputations, lawsuits and even ruined lives.
Encryption can protect data against a variety of threats, even if the computer is physically compromised. It can even help mitigate the impact of a ransomware attack because many cybercriminals now steal the data along with holding it for ransom.
Although encryption doesn't protect against all threats -- such as malware or insecure networks -- it can reduce the likelihood of sensitive information being compromised if a malicious player is able to access the computer. In fact, encryption, especially full-disk encryption, is one of the best ways to protect data on desktop computers against security threats. Organizations of all sizes should be using encryption to safeguard their macOS computers and other devices if they don't already do so.
In some cases, an organization might not have a choice about whether to encrypt its Mac computers. Privacy laws such as HIPAA, GDPR and the California Consumer Privacy Act, along with industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), often require organizations to take whatever steps necessary to fully safeguard their sensitive information. This usually includes encrypting that data on desktop computers.
What encryption features does macOS offer natively?
Mac computers come with encryption built into the hardware and software. The encrypted content can include system and application files, configuration files and user data such as documents, music and photos. The exact way that encryption is implemented depends on whether the system has an Intel processor with the Apple T2 security chip or an Apple silicon processor (M1 or M2). Apple introduced the T2 security chip in 2018 and Apple silicon in 2020, so most of today's enterprise Macs fall into one of these two categories.
Mac computers with the Apple T2 security chip provide integrated encryption that relies on a dedicated, hardware-accelerated Advanced Encryption Standard (AES) engine built into the T2 chip. The engine provides fast inline encryption and protects long-lived encryption keys from being exposed to the kernel or CPU, where they could be compromised more easily. For further protection, macOS uses 256-bit keys tied to a unique identifier within the T2 chip.
On macOS computers with Apple silicon, encryption is handled by the Data Protection component, which builds on the system's hardware encryption technologies. Data Protection constructs and manages a hierarchy of keys and implements itself on a per-file basis. Each file is assigned to a class, with accessibility determined by whether the class keys are locked or unlocked.
Data Protection creates a new 256-bit key for each file, stores it in the file's metadata, and gives it to the AES engine, which uses the key to encrypt the file as it is written to disk. All file metadata is encrypted with a random volume key. Encryption keys on an Apple silicon computer are tied to the user's password, so the stronger the password, the stronger the encryption keys.
To support full-disk encryption, macOS includes FileVault, a tool that provides built-in encryption capabilities for securing at-rest data. There is a fair amount of confusion around this tool, however. It's often assumed that FileVault enables or disables encryption, but that is not the case. Today's Mac computers automatically encrypt the entire data volume by default. That said, the volume encryption key is protected only by the hardware UID in the Secure Enclave, a system-on-a-chip that provides a foundation for generating and storing encryption keys.
When FileVault is enabled, however, macOS uses a combination of the user password and hardware UID to encrypt the volume, ensuring a higher degree of protection. No one can read the volume without the proper login credentials or cryptographic recovery key, even if the SSD were removed and installed on another computer. FileVault also requires that the user always provide a password when booting up the computer or after the computer has been in sleep or screensaver mode. If FileVault is not turned on, the data volume can be automatically mounted and decrypted, which could put all the computer's data at risk.
FileVault applies only to full-disk encryption, not individual folders or files. However, Apple provides a few methods for encrypting folders and files. For example, Mac's built-in Disk Utility app lets users encrypt individual folders. Disk Utility will create a password-protected .dmg file that can be mounted on a Mac computer. Although this approach does not support file-level encryption, organizations can use it to encrypt a folder that contains only one file. Users can also encrypt removable media, using either Finder or Disk Utility.
In addition, Mac computers come with several apps that let users encrypt individual files. For example, IT can use Pages or Numbers to encrypt a file by password-protecting it within the app or use Preview to password-protect PDF files. In addition, they can password-protect individual notes in Apple Notes or digitally sign and encrypt email messages in Apple Mail.
Whether or not users encrypt individual folders or files, IT teams should still enable FileVault, which is essential to ensuring maximum security. Even with FileVault enabled, folder and file encryption might still be useful to some users, and IT can apply these measures in addition to full-disk encryption. For example, users may need to share files securely or add an extra layer of protection to their personal data.
Mac encryption in the enterprise
IT teams that manage macOS computers can take advantage of the operating system's built-in mobile device management (MDM) capabilities, which include flexible security policies for protecting sensitive information. Administrators can use these policies to configure FileVault; however, doing so requires an MDM platform such as Jamf Pro, Microsoft Intune, Kandji, VMware Workspace ONE or ManageEngine.
With the right MDM, administrators can enable FileVault on their managed macOS computers, either all at the same time or within specific groups. With MDM, FileVault enablement is considered deferred because it requires a user to log in or log out of the computer before the change takes effect.
In addition to enabling FileVault, MDM makes it possible to manage recovery keys and customize encryption-related options. For example, administrators can set how many times a user can defer FileVault enablement, whether users can see their recovery keys, which certificate to use to encrypt the recovery key or whether to prompt users at logout about enabling FileVault.
The exact encryption-related settings depend on the MDM. In Microsoft Intune, for example, administrators can notify users about how and where to retrieve their personal recovery keys or specify how frequently to rotate the personal recovery keys. They can also hide the personal recovery keys from the users or set how many times users can ignore prompts to enable FileVault before it's required.
Jamf Pro also offers support for macOS devices. For instance, the platform lets administrators choose the type of recovery key to use for recovering encrypted data or specify whether to use the computer's management account as the enabled FileVault user. They can also enable FileVault based on which user is logged in.
In the past, IT administrators have been able to use the fdesetup command-line utility to enable and configure FileVault on macOS computers. However, the utility has been deprecated and won't be recognized in future macOS releases. While administrators can still use fdesetup, Apple recommends that they opt for MDM instead so they can define configuration policies for FileVault and other settings.
If administrators want to encrypt individual files or folders on their managed Mac computers, they can use the OpenSSL command-line utility to implement 128-bit or 256-bit AES encryption. One way to use the utility is to create a shell script that runs the necessary openssl command. They can then use MDM to deploy the script to the macOS computers. For example, Intune lets administrators create a shell script policy that can be applied to the managed systems.
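As an added example (not code from the article), here is a POSIX shell script of the kind an administrator could deploy through MDM to encrypt a single file with OpenSSL's AES-256-CBC; it assumes the openssl CLI is installed and that the passphrase is supplied in a file rather than on the command line, so it never appears in the process list.

```shell
#!/bin/sh
# Added example: encrypt one file with OpenSSL AES, as an MDM-deployed script might.
# Assumptions: openssl is on PATH; the passphrase file is the first line of the
# file named by PASSFILE; output is written beside the input as <file>.enc.
set -eu

# aes-256-cbc gives 256-bit keys; set CIPHER=aes-128-cbc for 128-bit keys.
CIPHER="${CIPHER:-aes-256-cbc}"
ITER=100000   # PBKDF2 iteration count used for both encryption and decryption

# encrypt_file PASSFILE PLAINTEXT -> writes PLAINTEXT.enc; returns 0 only if the
# ciphertext decrypts back to the exact original bytes.
encrypt_file() {
    passfile="$1"; plaintext="$2"; out="$2.enc"
    # -salt: random per-file salt in the header.
    # -pbkdf2 -iter: iterated key derivation; without it, openssl enc falls back
    # to its legacy single-pass EVP_BytesToKey derivation, which is weak.
    openssl enc "-$CIPHER" -salt -pbkdf2 -iter "$ITER" \
        -pass "file:$passfile" -in "$plaintext" -out "$out"
    # Round-trip check: decrypt to stdout and compare byte for byte with the
    # original before anyone deletes the plaintext. This catches a truncated
    # write or a mismatched passphrase file; CBC carries no authentication tag,
    # so it does not detect deliberate tampering with the .enc file later.
    openssl enc -d "-$CIPHER" -pbkdf2 -iter "$ITER" \
        -pass "file:$passfile" -in "$out" | cmp -s - "$plaintext"
}

# decrypt_file PASSFILE CIPHERTEXT -> restores CIPHERTEXT without the .enc suffix.
decrypt_file() {
    passfile="$1"; ciphertext="$2"; out="${2%.enc}"
    openssl enc -d "-$CIPHER" -pbkdf2 -iter "$ITER" \
        -pass "file:$passfile" -in "$ciphertext" -out "$out"
}

# Stand-alone use: encrypt.sh PASSFILE FILE
if [ "$#" -eq 2 ]; then
    encrypt_file "$1" "$2"
fi
```

The passphrase file itself must be protected with restrictive permissions; the script does not solve key distribution, it only keeps the secret off the command line.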
Whether or not IT teams encrypt individual files or folders on their macOS computers, they should still enable FileVault to provide the fullest data protection. Along with this, they should implement MDM password policies that define strong password requirements, which in turn maximizes the strength of the encryption keys associated with the users' logins. Of course, full-disk encryption is only part of a larger security strategy for safeguarding sensitive data, but it is vital to ensure the best protection for managed macOS computers.