Merging changes synced from https://github.com/MicrosoftDocs/memdocs-pr
Learn Build Service GitHub App authored and Learn Build Service GitHub App committed Oct 25, 2024
2 parents 69a54d0 + 824b9fa commit f6d36e8
Showing 4 changed files with 67 additions and 66 deletions.
123 changes: 62 additions & 61 deletions memdocs/intune/protect/encrypt-devices-filevault.md
@@ -1,18 +1,18 @@
---
# required metadata
title: Encrypt macOS devices with FileVault disk encryption with Intune
title: Encrypt macOS FileVault disk encryption with Intune policy
titleSuffix: Microsoft Intune
description: Use Microsoft Intune encryption policy to encrypt macOS devices with FileVault, and manage recovery keys for encrypted macOS devices from within the Microsoft Intune admin center.
description: Use Microsoft Intune policy to configure FileVault on macOS devices, and use the admin center to manage their recovery keys.
keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
ms.date: 06/21/2024
ms.date: 10/25/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
ms.localizationpriority: high
ms.assetid:
ms.assetid:

# optional metadata

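Review bot: the `ms.assetid:` change near the end of the hunk is whitespace-only (old and new both read `ms.assetid:` with nothing after the colon), so it adds diff noise without content; drop it from the change or populate the field. On the new title, "Encrypt macOS FileVault disk encryption with Intune policy" reads as encrypting an encryption; "Configure macOS FileVault disk encryption with Intune policy" says what the article does and matches the new description line.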
@@ -30,7 +30,7 @@ ms.collection:

---

# Use FileVault disk encryption for macOS with Intune
# Use FileVault disk encryption for macOS with Intune

Use Microsoft Intune to configure and manage macOS FileVault disk encryption. FileVault is a whole-disk encryption program that is included with macOS. With Intune you can deploy policies that configure FileVault, and then manage recovery keys on devices that run **macOS 10.13 or later**.

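Review bot: the heading line is replaced with an identical heading (`# Use FileVault disk encryption for macOS with Intune`), so this is a whitespace-only change; trim it from the commit so the hunk shows only the intended edit, or leave the line untouched.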
@@ -66,62 +66,18 @@ You can add this permission and right to your own [custom RBAC roles](../fundame
- Help Desk Operator
- Endpoint Security Administrator

## Create device configuration policy for FileVault

1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).

2. Select **Devices** > **Manage devices** > **Configuration** > On the *Policies* tab, select **+ Create**.

3. On the **Create a profile** page, set the following options, and then select **Create**:
- **Platform**: macOS
- **Profile type**: Templates
- **Template name**: Endpoint protection

:::image type="content" source="./media/encrypt-devices-filevault/select-macos-filevault-dc.png" alt-text="Select the Endpoint protection profile.":::

4. On the **Basics** page, enter the following properties:

- **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform.

- **Description**: Enter a description for the policy. This setting is optional, but recommended.

5. On the **Configuration settings** page, select **FileVault** to expand the available settings:

:::image type="content" source="./media/encrypt-devices-filevault/filevault-settings.png" alt-text="FileVault settings.":::

6. Configure the following settings:

- For *Enable FileVault*, select **Yes**.

- For *Recovery key type*, select **Personal key**.

- For *Escrow location description of personal recovery key*, add a message to help guide users on [how to retrieve the recovery key](#retrieve-a-personal-recovery-key) for their device. This information can be useful for your users when you use the setting for Personal recovery key rotation, which can automatically generate a new recovery key for a device periodically.

For example: To retrieve a lost or recently rotated recovery key, sign in to the Intune Company Portal website from any device. In the portal, go to *Devices* and select the device that has FileVault enabled, and then select *Get recovery key*. The current recovery key is displayed.

Configure the remaining [FileVault settings](endpoint-protection-macos.md#filevault) to meet your business needs, and then select **Next**.

7. If applicable, on the **Scope (Tags)** page, choose **Select scope tags** to open the Select tags pane to assign scope tags to the profile.

Select **Next** to continue.

8. On the **Assignments** page, select groups to receive this profile. For more information on assigning profiles, see Assign user and device profiles.
Select **Next**.

9. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.

## Create endpoint security policy for FileVault

1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).

2. Select **Endpoint security** > **Disk encryption** > **Create Policy**.

1. On the **Basics** page, enter the following properties, and then choose **Next**.
- **Platform**: macOS
- **Profile**: FileVault
3. On the **Basics** page, enter the following properties, and then choose **Next**.
- **Platform**: macOS
- **Profile**: FileVault

![Select the FileVault profile](./media/encrypt-devices-filevault/select-macos-filevault-es.png)

4. On the **Configuration settings** page:
1. Set *Enable FileVault* to **Yes**.
2. For *Recovery key type*, only **Personal Recovery Key** is supported.
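Review bot: renumbering the duplicated `1. On the **Basics** page` step to `3.` fixes the endpoint security list sequence, but removing the whole `## Create device configuration policy for FileVault` section here also removes the `#create-device-configuration-policy-for-filevault` anchor; the heading re-added later in this change carries a `(Deprecated)` suffix and therefore a different slug, so any external link or bookmark to the old anchor now lands at the top of the page. Either keep a short stub under the old heading that points to the deprecated section, or note the anchor change wherever the page is linked from.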
@@ -172,7 +128,7 @@ Select **Next**.

7. If applicable, on the **Scope (Tags)** page, choose **Select scope tags** to open the *Select tags* pane to assign scope tags to the profile. Select **Next** to continue.

8. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles. Select **Next**.
8. On the **Assignments** page, select the groups that receive this profile. For more information on assigning profiles, see Assign user and device profiles. Select **Next**.

9. On the **Review + create** page, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.

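Review bot: the reworded Assignments step still says "see Assign user and device profiles" with no link, same as the line it replaces; while touching the line, link the phrase to the assignment article as the other cross-references on this page do.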
@@ -187,16 +143,61 @@ For devices that run macOS 14 and later, your settings catalog policy can also e
- When *Await final Configuration* set to *Yes* for a device, you can then add the following Full Disk Encryption setting for FileVault in your settings catalog profile

- FileVault > **Force Enable in Setup Assistant** – Set to **Enabled**.

The following image shows the settings catalog profile configured with the core settings to enable FileVault and use the Setup Assistant to enforce encryption. In this example, the Location setting uses the simple name of our domain, *Contoso*:



> [!IMPORTANT]
> The **Defer** setting must be configured to **Enabled** to successfully enable FileVault in Setup Assistant for devices running macOS 14.4.
:::image type="content" source="./media/encrypt-devices-filevault/filevault-setup-assistant-configuration.png" alt-text="Screenshot of the settings needed to enable File Vault in Setup Assistant.":::

## Create device configuration policy for FileVault (Deprecated)

> [!NOTE]
> The macOS template for Endpoint Protection is deprecated and no longer supports creating new profiles. Instead, use the [Endpoint security](#create-endpoint-security-policy-for-filevault) or the [settings catalog](#create-settings-catalog-policy-for-filevault) to configure and manage new FileVault profiles.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).

2. Select **Devices** > **Manage devices** > **Configuration** > On the *Policies* tab, select **+ Create**.

3. On the **Create a profile** page, set the following options, and then select **Create** > **New policy**:
- **Platform**: macOS
- **Profile type**: Templates
- **Template name**: Endpoint protection (Deprecated)

:::image type="content" source="./media/encrypt-devices-filevault/select-macos-filevault-dc.png" alt-text="Screen shot that displays the the Endpoint protection profile.":::

4. On the **Basics** page, enter the following properties:

- **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform.

- **Description**: Enter a description for the policy. This setting is optional, but recommended.

5. On the **Configuration settings** page, select **FileVault** to expand the available settings:

:::image type="content" source="./media/encrypt-devices-filevault/filevault-settings.png" alt-text="Screen shot that displays FileVault settings.":::

6. Configure the following settings:

- For *Enable FileVault*, select **Yes**.

- For *Recovery key type*, select **Personal key**.

- For *Escrow location description of personal recovery key*, add a message to help guide users on [how to retrieve the recovery key](#retrieve-a-personal-recovery-key) for their device. This information can be useful for your users when you use the setting for Personal recovery key rotation, which can automatically generate a new recovery key for a device periodically.

For example: To retrieve a lost or recently rotated recovery key, sign in to the Intune Company Portal website from any device. In the portal, go to *Devices* and select the device that has FileVault enabled, and then select *Get recovery key*. The current recovery key is displayed.

Configure the remaining [FileVault settings](endpoint-protection-macos.md#filevault) to meet your business needs, and then select **Next**.

7. If applicable, on the **Scope (Tags)** page, choose **Select scope tags** to open the Select tags pane to assign scope tags to the profile.

Select **Next** to continue.

8. On the **Assignments** page, select groups to receive this profile. For more information on assigning profiles, see Assign user and device profiles.
Select **Next**.

9. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.

## Manage FileVault

To view information about devices that receive FileVault policy, see [Monitor disk encryption](../protect/encryption-monitor.md).
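Review bot: the new deprecated section contradicts its own callout: the note says the Endpoint Protection template "no longer supports creating new profiles", yet steps 1 through 9 that follow walk the reader through selecting **Template name**: Endpoint protection (Deprecated) and choosing **Create**. Either state that these steps apply only to reviewing or editing existing profiles, or drop the creation walkthrough and keep just the note and the settings reference. Two smaller items: the `> [!NOTE]` block runs straight into `1. Sign in to ...` with no blank line, so the first list item renders inside the blockquote, and the alt text on the first image has a doubled "the" ("displays the the Endpoint protection profile").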
@@ -224,7 +225,7 @@ Intune can’t manage FileVault disk encryption on a macOS device that is encryp
- [Upload a personal recovery key to Intune](#upload-a-personal-recovery-key) – Use this method when the user knows their personal recovery key.
- [The user generates a new recovery key on the device](#generate-a-new-recovery-key-on-the-device) – Use this method if the personal recovery key isn’t known by the user.

Both methods require that the device has active policy from Intune that manages FileVault encryption. To deliver this policy, you can use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), or a [device configuration endpoint protection profile](#create-device-configuration-policy-for-filevault) to encrypt devices with FileVault.
Both methods require that the device has active policy from Intune that manages FileVault encryption. To deliver this policy, use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault).

#### Upload a personal recovery key

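Review bot: the new sentence names the endpoint security disk encryption profile as the only way to deliver FileVault policy, but the deprecation note added in this same change also directs readers to the settings catalog (`#create-settings-catalog-policy-for-filevault`). If a settings catalog profile also satisfies the "active policy from Intune that manages FileVault encryption" requirement for key upload, list it here too; if it doesn't, say so explicitly so admins don't assume a settings catalog deployment is enough before asking users to upload keys.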
@@ -238,7 +239,7 @@ Upon upload, Intune rotates the key to create a new personal recovery key. Intun

Before Intune can assume management of encryption of a user-encrypted device, that device must receive an Intune FileVault policy for disk encryption.

Use either an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), or a [device configuration endpoint protection profile](#create-device-configuration-policy-for-filevault) to encrypt devices with FileVault.
Use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), to encrypt devices with FileVault.

- **The user who encrypted the device must have access to their personal recovery key for the device and be directed to upload it to Intune.**

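Review bot: the replacement sentence keeps a stray comma left over from the removed `either ... or` construction: "profile](#create-endpoint-security-policy-for-filevault), to encrypt devices with FileVault." Drop the comma; the same sentence further down in this change (the Terminal app prerequisite section) already reads correctly without it.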
@@ -271,7 +272,7 @@ To enable Intune to manage FileVault on a previously encrypted device, the user

Before Intune can assume management of encryption of a user-encrypted device, that device must receive an Intune FileVault policy for disk encryption.

Use either an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), or a [device configuration endpoint protection profile](#create-device-configuration-policy-for-filevault) to encrypt devices with FileVault.
Use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault) to encrypt devices with FileVault.

- **The device user must have access to the Terminal app on the encrypted device.**

6 changes: 4 additions & 2 deletions memdocs/intune/protect/endpoint-protection-macos.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
ms.date: 08/15/2022
ms.date: 10/25/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: protect
@@ -32,7 +32,9 @@ ms.collection:
# macOS endpoint protection settings in Intune

> [!IMPORTANT]
> The macOS endpoint protection template has been deprecated. Existing policies remain unchanged, but you can no longer create new policies using this template. We recommend using the settings catalog to create new configuration policies for FileVault, Firewall, and System Policy Control (Gatekeeper) payloads. For more information, see [macOS settings catalog](../configuration/settings-catalog.md).
> The macOS endpoint protection template has been deprecated. Existing policies remain unchanged, but you can no longer create new policies using this template. > Instead, use one of the following options:
> - Use Endpoint security policies like [disk encryption](../protect/endpoint-security-disk-encryption-policy.md) for Filevault, or [Firewall](../protect/endpoint-security-firewall-policy.md) policy.
> - Use the Settings catalog to create new configuration policies for FileVault, Firewall, and System Policy Control (Gatekeeper) payloads. For more information, see [macOS settings catalog](../configuration/settings-catalog.md).
This article shows you the endpoint protection settings that you can configure for devices that run macOS. You configure these settings by using a macOS device configuration profile for [endpoint protection](endpoint-protection-configure.md) in Intune.

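Review bot: the first added line has a blockquote marker in the middle of the text ("...using this template. > Instead, use one of the following options:"); it looks like an intended line break was lost, so "Instead, use one of the following options:" should start its own `> ` line ahead of the two bullets. Also "Filevault" in the first bullet should be "FileVault" to match the rest of the page, and the callout still runs straight into "This article shows you..." with no blank line, so that paragraph renders as part of the IMPORTANT box.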
4 changes: 1 addition & 3 deletions windows-365/enterprise/report-cloud-pc-recommendations.md
@@ -42,11 +42,9 @@ An evolving model analyzes this data to determine whether Cloud PCs are:
- Under-used.
- Sized appropriately.

The Cloud PC recommendations report is in [public preview](..\public-preview.md).

## Use the Cloud PC recommendations report

To get to the **Cloud PC recommendations** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Reports** > **Cloud PC Overview** > **Cloud PC recommendations (preview)**.
To get to the **Cloud PC recommendations** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Reports** > **Cloud PC Overview** > **Cloud PC recommendations**.

![Screenshot of Cloud PC recommendation report.](media/report-cloud-pc-recommendations/report-cloud-pc-recommendations.png)
