diff --git a/memdocs/intune/protect/encrypt-devices-filevault.md b/memdocs/intune/protect/encrypt-devices-filevault.md index 1d0b5bb4cc..03a605115c 100644 --- a/memdocs/intune/protect/encrypt-devices-filevault.md +++ b/memdocs/intune/protect/encrypt-devices-filevault.md @@ -1,18 +1,18 @@ --- # required metadata -title: Encrypt macOS devices with FileVault disk encryption with Intune +title: Encrypt macOS FileVault disk encryption with Intune policy titleSuffix: Microsoft Intune -description: Use Microsoft Intune encryption policy to encrypt macOS devices with FileVault, and manage recovery keys for encrypted macOS devices from within the Microsoft Intune admin center. +description: Use Microsoft Intune policy to configure FileVault on macOS devices, and use the admin center to manage their recovery keys. keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 06/21/2024 +ms.date: 10/25/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect ms.localizationpriority: high -ms.assetid: +ms.assetid: # optional metadata @@ -30,7 +30,7 @@ ms.collection: --- -# Use FileVault disk encryption for macOS with Intune +# Use FileVault disk encryption for macOS with Intune Use Microsoft Intune to configure and manage macOS FileVault disk encryption. FileVault is a whole-disk encryption program that is included with macOS. With Intune you can deploy policies that configure FileVault, and then manage recovery keys on devices that run **macOS 10.13 or later**. 
@@ -66,62 +66,18 @@ You can add this permission and right to your own [custom RBAC roles](../fundame - Help Desk Operator - Endpoint Security Administrator -## Create device configuration policy for FileVault - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Select **Devices** > **Manage devices** > **Configuration** > On the *Policies* tab, select **+ Create**. - -3. On the **Create a profile** page, set the following options, and then select **Create**: - - **Platform**: macOS - - **Profile type**: Templates - - **Template name**: Endpoint protection - - :::image type="content" source="./media/encrypt-devices-filevault/select-macos-filevault-dc.png" alt-text="Select the Endpoint protection profile."::: - -4. On the **Basics** page, enter the following properties: - - - **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform. - - - **Description**: Enter a description for the policy. This setting is optional, but recommended. - -5. On the **Configuration settings** page, select **FileVault** to expand the available settings: - - :::image type="content" source="./media/encrypt-devices-filevault/filevault-settings.png" alt-text="FileVault settings."::: - -6. Configure the following settings: - - - For *Enable FileVault*, select **Yes**. - - - For *Recovery key type*, select **Personal key**. - - - For *Escrow location description of personal recovery key*, add a message to help guide users on [how to retrieve the recovery key](#retrieve-a-personal-recovery-key) for their device. This information can be useful for your users when you use the setting for Personal recovery key rotation, which can automatically generate a new recovery key for a device periodically. 
- - For example: To retrieve a lost or recently rotated recovery key, sign in to the Intune Company Portal website from any device. In the portal, go to *Devices* and select the device that has FileVault enabled, and then select *Get recovery key*. The current recovery key is displayed. - - Configure the remaining [FileVault settings](endpoint-protection-macos.md#filevault) to meet your business needs, and then select **Next**. - -7. If applicable, on the **Scope (Tags)** page, choose **Select scope tags** to open the Select tags pane to assign scope tags to the profile. - - Select **Next** to continue. - -8. On the **Assignments** page, select groups to receive this profile. For more information on assigning profiles, see Assign user and device profiles. -Select **Next**. - -9. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created. - ## Create endpoint security policy for FileVault 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Endpoint security** > **Disk encryption** > **Create Policy**. -1. On the **Basics** page, enter the following properties, and then choose **Next**. -- **Platform**: macOS -- **Profile**: FileVault +3. On the **Basics** page, enter the following properties, and then choose **Next**. + - **Platform**: macOS + - **Profile**: FileVault ![Select the FileVault profile](./media/encrypt-devices-filevault/select-macos-filevault-es.png) - + 4. On the **Configuration settings** page: 1. Set *Enable FileVault* to **Yes**. 2. For *Recovery key type*, only **Personal Recovery Key** is supported. 
@@ -172,7 +128,7 @@ Select **Next**. 7. If applicable, on the **Scope (Tags)** page, choose **Select scope tags** to open the *Select tags* pane to assign scope tags to the profile. Select **Next** to continue. -8. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles. Select **Next**. +8. On the **Assignments** page, select the groups that receive this profile. For more information on assigning profiles, see Assign user and device profiles. Select **Next**. 9. On the **Review + create** page, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you created. 
@@ -187,16 +143,61 @@ For devices that run macOS 14 and later, your settings catalog policy can also e - When *Await final Configuration* set to *Yes* for a device, you can then add the following Full Disk Encryption setting for FileVault in your settings catalog profile - FileVault > **Force Enable in Setup Assistant** – Set to **Enabled**. - + The following image shows the settings catalog profile configured with the core settings to enable FileVault and use the Setup Assistant to enforce encryption. In this example, the Location setting uses the simple name of our domain, *Contoso*: - - > [!IMPORTANT] > The **Defer** setting must be configured to **Enabled** to successfully enable FileVault in Setup Assistant for devices running macOS 14.4. - + :::image type="content" source="./media/encrypt-devices-filevault/filevault-setup-assistant-configuration.png" alt-text="Screenshot of the settings needed to enable File Vault in Setup Assistant."::: +## Create device configuration policy for FileVault (Deprecated) + +> [!NOTE] +> The macOS template for Endpoint Protection is deprecated and no longer supports creating new profiles. Instead, use the [Endpoint security](#create-endpoint-security-policy-for-filevault) or the [settings catalog](#create-settings-catalog-policy-for-filevault) to configure and manage new FileVault profiles. + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. Select **Devices** > **Manage devices** > **Configuration** > On the *Policies* tab, select **+ Create**. + +3. On the **Create a profile** page, set the following options, and then select **Create** > **New policy**: + - **Platform**: macOS + - **Profile type**: Templates + - **Template name**: Endpoint protection (Deprecated) + + :::image type="content" source="./media/encrypt-devices-filevault/select-macos-filevault-dc.png" alt-text="Screen shot that displays the the Endpoint protection profile."::: + +4. 
On the **Basics** page, enter the following properties: + + - **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform. + + - **Description**: Enter a description for the policy. This setting is optional, but recommended. + +5. On the **Configuration settings** page, select **FileVault** to expand the available settings: + + :::image type="content" source="./media/encrypt-devices-filevault/filevault-settings.png" alt-text="Screen shot that displays FileVault settings."::: + +6. Configure the following settings: + + - For *Enable FileVault*, select **Yes**. + + - For *Recovery key type*, select **Personal key**. + + - For *Escrow location description of personal recovery key*, add a message to help guide users on [how to retrieve the recovery key](#retrieve-a-personal-recovery-key) for their device. This information can be useful for your users when you use the setting for Personal recovery key rotation, which can automatically generate a new recovery key for a device periodically. + + For example: To retrieve a lost or recently rotated recovery key, sign in to the Intune Company Portal website from any device. In the portal, go to *Devices* and select the device that has FileVault enabled, and then select *Get recovery key*. The current recovery key is displayed. + + Configure the remaining [FileVault settings](endpoint-protection-macos.md#filevault) to meet your business needs, and then select **Next**. + +7. If applicable, on the **Scope (Tags)** page, choose **Select scope tags** to open the Select tags pane to assign scope tags to the profile. + + Select **Next** to continue. + +8. On the **Assignments** page, select groups to receive this profile. For more information on assigning profiles, see Assign user and device profiles. +Select **Next**. + +9. On the **Review + create** page, when you're done, choose **Create**. 
The new profile is displayed in the list when you select the policy type for the profile you created. + ## Manage FileVault To view information about devices that receive FileVault policy, see [Monitor disk encryption](../protect/encryption-monitor.md). @@ -224,7 +225,7 @@ Intune can’t manage FileVault disk encryption on a macOS device that is encryp - [Upload a personal recovery key to Intune](#upload-a-personal-recovery-key) – Use this method when the user knows their personal recovery key. - [The user generates a new recovery key on the device](#generate-a-new-recovery-key-on-the-device) – Use this method if the personal recovery key isn’t known by the user. -Both methods require that the device has active policy from Intune that manages FileVault encryption. To deliver this policy, you can use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), or a [device configuration endpoint protection profile](#create-device-configuration-policy-for-filevault) to encrypt devices with FileVault. +Both methods require that the device has active policy from Intune that manages FileVault encryption. To deliver this policy, use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault). #### Upload a personal recovery key 
@@ -238,7 +239,7 @@ Upon upload, Intune rotates the key to create a new personal recovery key. Intun Before Intune can assume management of encryption of a user-encrypted device, that device must receive an Intune FileVault policy for disk encryption. - Use either an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), or a [device configuration endpoint protection profile](#create-device-configuration-policy-for-filevault) to encrypt devices with FileVault. + Use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), to encrypt devices with FileVault. - **The user who encrypted the device must have access to their personal recovery key for the device and be directed to upload it to Intune.** @@ -271,7 +272,7 @@ To enable Intune to manage FileVault on a previously encrypted device, the user Before Intune can assume management of encryption of a user-encrypted device, that device must receive an Intune FileVault policy for disk encryption. - Use either an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), or a [device configuration endpoint protection profile](#create-device-configuration-policy-for-filevault) to encrypt devices with FileVault. + Use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault) to encrypt devices with FileVault. - **The device user must have access to the Terminal app on the encrypted device.** diff --git a/memdocs/intune/protect/endpoint-protection-macos.md b/memdocs/intune/protect/endpoint-protection-macos.md index 6363abf7bf..3f6f088911 100644 --- a/memdocs/intune/protect/endpoint-protection-macos.md +++ b/memdocs/intune/protect/endpoint-protection-macos.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 08/15/2022 +ms.date: 10/25/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect 
@@ -32,7 +32,9 @@ ms.collection: # macOS endpoint protection settings in Intune > [!IMPORTANT] -> The macOS endpoint protection template has been deprecated. Existing policies remain unchanged, but you can no longer create new policies using this template. We recommend using the settings catalog to create new configuration policies for FileVault, Firewall, and System Policy Control (Gatekeeper) payloads. For more information, see [macOS settings catalog](../configuration/settings-catalog.md). +> The macOS endpoint protection template has been deprecated. Existing policies remain unchanged, but you can no longer create new policies using this template. > Instead, use one of the following options: +> - Use Endpoint security policies like [disk encryption](../protect/endpoint-security-disk-encryption-policy.md) for Filevault, or [Firewall](../protect/endpoint-security-firewall-policy.md) policy. +> - Use the Settings catalog to create new configuration policies for FileVault, Firewall, and System Policy Control (Gatekeeper) payloads. For more information, see [macOS settings catalog](../configuration/settings-catalog.md). This article shows you the endpoint protection settings that you can configure for devices that run macOS. You configure these settings by using a macOS device configuration profile for [endpoint protection](endpoint-protection-configure.md) in Intune. diff --git a/memdocs/intune/protect/media/encrypt-devices-filevault/select-macos-filevault-dc.png b/memdocs/intune/protect/media/encrypt-devices-filevault/select-macos-filevault-dc.png index 508706d668..5ed1319e5a 100644 Binary files a/memdocs/intune/protect/media/encrypt-devices-filevault/select-macos-filevault-dc.png and b/memdocs/intune/protect/media/encrypt-devices-filevault/select-macos-filevault-dc.png differ diff --git a/windows-365/enterprise/report-cloud-pc-recommendations.md b/windows-365/enterprise/report-cloud-pc-recommendations.md index b790a3ed7d..d58276759b 100644 
--- a/windows-365/enterprise/report-cloud-pc-recommendations.md +++ b/windows-365/enterprise/report-cloud-pc-recommendations.md @@ -42,11 +42,9 @@ An evolving model analyzes this data to determine whether Cloud PCs are: - Under-used. - Sized appropriately. -The Cloud PC recommendations report is in [public preview](..\public-preview.md). - ## Use the Cloud PC recommendations report -To get to the **Cloud PC recommendations** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Reports** > **Cloud PC Overview** > **Cloud PC recommendations (preview)**. +To get to the **Cloud PC recommendations** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Reports** > **Cloud PC Overview** > **Cloud PC recommendations**. ![Screenshot of Cloud PC recommendation report.](media/report-cloud-pc-recommendations/report-cloud-pc-recommendations.png)
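Review bot: In `encrypt-devices-filevault.md`, hunk `@@ -1,18 +1,18 @@`, the new front-matter title "Encrypt macOS FileVault disk encryption with Intune policy" has lost the object of "Encrypt" (previously "macOS devices") and now reads as if the encryption itself is being encrypted. Suggest "Configure macOS FileVault disk encryption with Intune policy", which also matches the wording of the new description ("configure FileVault on macOS devices"). The `ms.assetid:` and H1 lines in this hunk appear to differ only in whitespace; drop them from the change if that is unintended.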
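Review bot: In `encrypt-devices-filevault.md`, hunk `@@ -187,16 +143,61 @@`, the relocated "Create device configuration policy for FileVault (Deprecated)" section contradicts its own note: the note says the template "no longer supports creating new profiles", yet steps 2 and 3 still tell the reader to select **+ Create** and then **Create** > **New policy**, and step 9 ends with a newly created profile. Either remove the creation steps and keep only the note with its two links, or reword the section as guidance for editing existing profiles. Smaller points in the same hunk: the first alt-text has a doubled word ("displays the the Endpoint protection profile"); the two new alt-texts use "Screen shot" while the existing one a few lines up uses "Screenshot"; step 8 still says "see Assign user and device profiles" without a link; and the "Select **Next**." line after step 8 starts at column 0, which breaks the numbered list so that step 9 may restart numbering.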
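Review bot: In `encrypt-devices-filevault.md`, hunk `@@ -224,7 +225,7 @@`, the rewritten sentence names only the endpoint security disk encryption profile as the way to deliver the required policy, while the deprecation note added elsewhere in this patch points readers to either Endpoint security or the settings catalog. If a settings catalog FileVault profile also satisfies "active policy from Intune that manages FileVault encryption", list it here; if it does not, say so explicitly. The other file in this patch states that existing endpoint protection template policies "remain unchanged", so it is also worth stating whether a device that already has one of those profiles meets this prerequisite. The same applies to the matching sentences in hunks `@@ -238,7 +239,7 @@` and `@@ -271,7 +272,7 @@`.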
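Review bot: In `encrypt-devices-filevault.md`, hunk `@@ -238,7 +239,7 @@`, the added line has a stray comma left over from removing the second link: "Use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), to encrypt devices with FileVault." Remove the comma so the sentence matches the identical one added in hunk `@@ -271,7 +272,7 @@`.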
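Review bot: In `endpoint-protection-macos.md`, hunk `@@ -32,7 +32,9 @@`, the first added line of the `[!IMPORTANT]` block appears to carry a second `>` in the middle of the line ("...using this template. > Instead, use one of the following options:"), which would render as a literal `>` inside the paragraph. Put "Instead, use one of the following options:" on its own `>`-prefixed line, and add an empty `>` line before the bullets so the list renders inside the alert. In the first bullet, "Filevault" should be "FileVault" to match every other occurrence in the patch, and "Endpoint security policies like ... or [Firewall] policy" mixes plural and singular; suggest "Endpoint security policies such as disk encryption for FileVault, or Firewall."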