ITSS strongly recommends the use of encryption for staff laptops and other devices. This practice provides safeguards to ensure confidential information remains protected. For iOS devices (e.g. iPhone, iPad), encryption is automatic upon the creation of a passcode on the device. For OS X devices (e.g. laptops, desktops), Apple provides a built-in encryption solution called FileVault 2. This feature is simple to activate, with minimal impact on the user. We also recommend encrypting external drives. See instructions for both of these below.

Please note: As of March 2016, any staff OS X device that is handled by ITSS (i.e. newly purchased or brought in for maintenance) will have FileVault activated before it leaves the shop. Once enabled, encryption cannot be turned off.

  • Log in to your administrator-level account (e.g. teacher, local admin, YESNET Active Directory account). FileVault cannot be enabled on student or guest accounts.
  • Go to System Preferences>Security & Privacy>FileVault.

  • Click the padlock to allow changes. Click Turn On FileVault. Enter your password when prompted.

  • You will receive a notice that a recovery key has been sent to your organization. For further information see footnote (*) below.
  • The hard drive encryption will begin. Please note the machine will need to be plugged into power. The process can take up to 12 hours for a regular hard drive. Solid State Drives (common to MacBook Airs and newer MacBook Pros) will be faster. You may continue to use the machine while the encryption is running, but you can expect slower performance during this period.
  • The machine will restart. A user icon will appear almost immediately, prompting for that account’s password. Type in your password to unlock the hard drive; the machine will then boot.
  • After encryption is completed, the only impact on the user will be the requirement to enter their password upon turning the machine on.

For further information regarding FileVault please see: https://support.apple.com/en-ca/HT204837

*The recovery key can be used as a failsafe to unlock the hard drive in the event the user misplaces the password. In this event, contact ITSS to obtain the recovery key.

 

If desired, you may add other user accounts to allow them to unlock the hard drive.

  • Go to System Preferences>Security & Privacy>FileVault.
  • Select Enable Other Users.
  • Add desired users.

Encrypting external drives in OS X is an easy process but with some limitations.

  • Insert your external drive (e.g. flash stick, LaCie drive, etc.) into your machine.
  • Once the volume appears on your desktop, right-click the icon. Select Encrypt drive.

  • You will be prompted to create a password. Click encrypt disk to begin.

  • Depending on the size and format of the volume you are encrypting, allow for an hour or so until the process is completed.
  • Once it is completed, eject the volume and reinsert. You will be immediately prompted for a password to access the disk.

A word about Disk Formats

Encryption via the above method will only work if the volume is formatted with a Mac OS Extended disk format. The downside of this requirement is that the disk is essentially only readable by Mac devices.

If you receive an error when you try to encrypt the drive, you will need to open Disk Utility and format the external volume to Mac OS Extended format.

Go to the Magnifying Glass icon on the top right of the desktop. Search for Disk Utility. Open the application.

IMPORTANT! Make sure you select the external disk.

  • Select Erase.
  • Select Mac OS Extended (Journaled) format.
  • The disk will be reformatted; once this is completed, it is ready for encryption.
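
To confirm from Terminal what the steps above set up, the following added example (not part of the original ITSS instructions) classifies the output of `fdesetup status` and reads the File System Personality line of `diskutil info` to tell whether an external volume meets the Mac OS Extended requirement described under Disk Formats. The function names, the `NAME` placeholder and the sample strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret FileVault and external-volume state from command output.
# On a Mac, pipe in the real output, for example:
#   fdesetup status | filevault_state
#   diskutil info /Volumes/NAME | volume_encryptable    (NAME is a placeholder)

# Reads `fdesetup status` output on stdin.
# Prints one of: on | encrypting | off | unknown
filevault_state() {
    out=$(cat)
    case "$out" in
        # Checked first: while the initial encryption pass is running,
        # the status text reports FileVault as On plus a progress line.
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Reads `diskutil info` output on stdin and prints the File System Personality.
# Returns 0 only for Mac OS Extended (HFS+) variants, the format this page
# says is required before an external drive can be encrypted.
volume_encryptable() {
    fs=$(sed -n 's/^ *File System Personality: *//p' | head -n 1)
    echo "${fs:-unknown}"
    case "$fs" in
        *HFS+*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Demo on constructed sample output (not captured from a real machine).
printf 'FileVault is On.\nEncryption in progress: Percent completed = 23\n' \
    | filevault_state
printf '   File System Personality:  MS-DOS FAT32\n' \
    | volume_encryptable || echo "reformat as Mac OS Extended before encrypting"
```

A result of `encrypting` means the initial pass described above is still running, so the machine should stay on power until the state reads `on`.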