Update disk encryption docs (#15496)

- Associated w/ this story: #15600 
- Update docs now that disk encryption enforcement is cross platform
(Windows story here: #12577)
- Remove section about resetting a password w/ disk encryption key to
reduce doc content. Remove this link from the UI
Noah Talerman 2023-12-12 15:58:26 -05:00 committed by GitHub
parent 7a1797f621
commit 053582fd88
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 23 additions and 55 deletions


@ -32,7 +32,7 @@ of compliant devices. This reflects our commitment to creating user-friendly sys
empathy we share for our users' experience and their need for efficient, straightforward tools.
Learn more about [Fleet's "Verified"
status](https://fleetdm.com/docs/using-fleet/mdm-disk-encryption#step-3-confirm-disk-encryption-is-enforced-and-fleet-is-storing-the-disk-encryption-key).
status](https://fleetdm.com/docs/using-fleet/mdm-disk-encryption#disk-encryption-status).
![Verified Status](../website/assets/images/articles/fleet-4.33.0-verified-status-1425x821@2x.png)
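Review bot: the new anchor `#disk-encryption-status` only resolves because the docs hunk in this same commit renames the "Step 3" heading to "### Disk encryption status"; the two changes must land together, so if this article file is ever cherry-picked separately the link breaks. Worth a sentence in the commit message noting the dependency, and a check for any other pages still linking to the old `#step-3-confirm-disk-encryption-is-enforced-and-fleet-is-storing-the-disk-encryption-key` anchor, since only this one occurrence is updated here.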


@ -2,30 +2,26 @@
_Available in Fleet Premium_
In Fleet, you can enforce disk encryption on your macOS hosts. Apple calls this [FileVault](https://support.apple.com/en-us/HT204837). If turned on, hosts disk encryption keys will be stored in Fleet.
In Fleet, you can enforce disk encryption for your macOS and Windows hosts.
You can also enforce custom macOS settings. Learn how [here](./MDM-custom-macOS-settings.md).
> Apple calls this [FileVault](https://support.apple.com/en-us/HT204837) and Microsoft calls this [BitLocker](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/).
When disk encryption is enforced, hosts disk encryption keys will be stored in Fleet.
## Enforce disk encryption
To enforce disk encryption and have Fleet collect the disk encryption key, we will do the following steps:
1. Enforce disk encryption
2. Share migrations with end users
2. Confirm disk encryption is enforced and Fleet is storing the disk encryption key
### Step 1: enforce disk encryption
To enforce disk encryption, choose the "Fleet UI" or "fleetctl" method and follow the steps below.
You can enforce disk encryption in the Fleet UI, with Fleet API, or with the fleetctl command-line interface (CLI).
Fleet UI:
1. In the Fleet UI, head to the **Controls > macOS settings > Disk encryption** page. Users with the maintainer and admin roles can access the settings pages.
1. In Fleet, head to the **Controls > OS settings > Disk encryption** page.
2. Choose which team you want to enforce disk encryption on by selecting the desired team in the teams dropdown in the upper left corner. Teams are available in Fleet Premium.
2. Choose which team you want to enforce disk encryption on by selecting the desired team in the teams dropdown in the upper left corner.
3. Check the box next to **Turn on** and select **Save**.
Fleet API: API documentation is [here](../REST%20API/rest-api.md#update-disk-encryption-enforcement)
`fleetctl` CLI:
1. Choose which team you want to enforce disk encryption on.
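Review bot: the numbering in this hunk is now inconsistent. The list under "## Enforce disk encryption" still reads as a procedure ("1. Enforce disk encryption", "2. Confirm disk encryption is enforced...") and the heading "### Step 1: enforce disk encryption" keeps its step number, but the only other step heading in this file is renamed to "### Disk encryption status" further down, so "Step 1" has no "Step 2". Either drop the numbering from both the list and the heading, or keep a "Step 2: confirm..." heading. Separately, replacing "Users with the maintainer and admin roles can access the settings pages." with the shorter "1. In Fleet, head to the **Controls > OS settings > Disk encryption** page." drops the role requirement without restating it anywhere; keep one sentence on who can change enforcement, as the "View disk encryption key" section still states who can view the key.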
@ -41,8 +37,7 @@ spec:
team:
name: Workstations (canary)
mdm:
macos_settings:
enable_disk_encryption: true
enable_disk_encryption: true
...
```
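Review bot: moving `enable_disk_encryption: true` from under `macos_settings:` to directly under `mdm:` is a configuration-key rename, not just a doc edit. The team YAML here and the prose later in this file now use `mdm.enable_disk_encryption`, but nothing tells readers who already have `mdm.macos_settings.enable_disk_encryption` in their files whether the old key is still accepted, silently ignored, or rejected by `fleetctl apply`. Add a sentence next to the example stating the old key's status so an existing config does not quietly stop enforcing encryption.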
@ -53,28 +48,19 @@ apiVersion: v1
kind: config
spec:
mdm:
macos_settings:
enable_disk_encryption: true
enable_disk_encryption: true
...
```
Learn more about configuration options for hosts that aren't assigned to a team [here](./configuration-files/README.md#organization-settings).
3. Set the `mdm.macos_settings.enable_disk_encryption` configuration option to `true`.
3. Set the `mdm.enable_disk_encryption` configuration option to `true`.
4. Run the `fleetctl apply -f workstations-canary-config.yml` command.
> Fleet auto-configures `DeferForceAtUserLoginMaxBypassAttempts` to `1`, ensuring mandatory disk encryption during new Mac setup.
### Step 2: share migration instructions with your end users
### Disk encryption status
In order to complete the process of encrypting the hard drive and escrowing the key in Fleet, your end users must take action. If the host already had disk encryption turned on, the user will need to input their password. If the host did not already have disk encryption turned on, the user will need to log out or restart their computer.
Share [these guided instructions](./MDM-migration-guide.md#how-to-turn-on-disk-encryption) with your end users.
### Step 3: confirm disk encryption is enforced and Fleet is storing the disk encryption key
In the Fleet UI, head to the **Controls > macOS settings > Disk encryption** tab. You will see a table that shows the status of disk encryption on your hosts.
In the Fleet UI, head to the **Controls > OS settings > Disk encryption** tab. You will see a table that shows the status of disk encryption on your hosts.
* Verified: the host turned disk encryption on and sent their key to Fleet. Fleet verified with osquery. See instructions for viewing the disk encryption key [here](#view-disk-encryption-key).
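Review bot: the callout `> Fleet auto-configures DeferForceAtUserLoginMaxBypassAttempts to 1, ensuring mandatory disk encryption during new Mac setup.` is kept unchanged under a section that now covers macOS and Windows, but that key belongs to Apple's FileVault payload and says nothing about BitLocker; prefix it with "On macOS," or move it into a macOS-specific note. Relatedly, the removed paragraph explaining that end users must enter their password (if already encrypted) or log out or restart (if not) before the key is escrowed survives only under "## Migrate macOS hosts" in the next hunk, so readers enforcing on Windows, or on macOS hosts that are not migrating, are no longer told what the end user must do before the host reaches "Verified". Consider keeping a short, per-platform version of that guidance above the status table.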
@ -94,31 +80,23 @@ You can click each status to view the list of hosts for that status.
## View disk encryption key
The disk encryption key allows you to reset a macOS host's password if you don't know it. This way, if you plan to prepare a host for a new employee, you can login to it and erase all its content and settings.
The key can be accessed by Fleet admin, maintainers, and observers. An event is tracked in the activity feed when a user views the key in Fleet.
How to view the disk encryption key:
1. Select a host on the **Hosts** page.
2. On the **Host details** page, select **Actions > Show disk encryption key**.
> Whenever a disk encryption key is viewed, an activity will be logged. To view activity in the Fleet UI, click on the Fleet icon in the top navigation bar and make sure **All teams** is selected in the teams dropdown.
## Migrate macOS hosts
## Reset a macOS host's password using the disk encryption key
When migrating macOS hosts another MDM solution, in order to complete the process of encrypting the hard drive and escrowing the key in Fleet, your end users must take action.
How to reset a macOS host's password using the disk encryption key:
If the host already had disk encryption turned on, the user will need to input their password.
1. Restart the host. If you just unlocked a host that was locked remotely, the host will automatically restart.
If the host did not already have disk encryption turned on, the user will need to log out or restart their computer.
2. On the Mac's login screen, enter the incorrect password three times. After the third failed login attempt, the Mac will display a prompt below the password field with the following message: "If you forgot your password, you can reset it using your Recovery Key." Select the right facing arrow at the end of this prompt.
3. Enter the disk encryption key. Note that Apple calls this "Recovery key." Learn how to find a host's disk encryption key [here](#view-disk-encryption-key).
4. The Mac will display a prompt to reset the password. Reset the password and save this password somewhere safe. If you plan to prepare this Mac for a new employee, you'll need this password to erase all content and settings on the Mac.
Share [these guided instructions](./MDM-migration-guide.md#how-to-turn-on-disk-encryption) with your end users.
<meta name="pageOrderInSection" value="1504">
<meta name="title" value="Disk encryption">
<meta name="description" value="Learn how to enforce disk encryption on macOS hosts and manage encryption keys with Fleet Premium.">
<meta name="description" value="Learn how to enforce disk encryption on macOS and Windows hosts and manage encryption keys with Fleet Premium.">
<meta name="navSection" value="Device management">
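Review bot: "When migrating macOS hosts another MDM solution" in the new "## Migrate macOS hosts" section is missing a word; make it "When migrating macOS hosts from another MDM solution". The kept context lines now state twice that viewing the key is logged (`An event is tracked in the activity feed when a user views the key in Fleet.` and the `> Whenever a disk encryption key is viewed, an activity will be logged.` callout); keep one. Also, removing "## Reset a macOS host's password using the disk encryption key" deletes the target of the `#reset-a-macos-hosts-password-using-the-disk-encryption-key` anchor that the UI change in this commit drops, which is consistent, but the companion `#unlock-a-windows-hosts-drive-using-the-disk-encryption-key` anchor is also dropped from the UI while no hunk in this file touches a Windows unlock section; confirm whether that section exists and whether it should be removed for symmetry or keep its link.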


@ -36,7 +36,7 @@ Fleet UI:
> Currently, you can only run scripts on macOS and Windows hosts in the Fleet UI. To run a script on a Linux host, use the Fleet API or fleetctl CLI.
Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#run-script)
Fleet API: API documentation is [here](../REST%20API/rest-api.md#run-script)
fleetctl CLI:
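Review bot: switching the link from the absolute `https://fleetdm.com/docs/rest-api/rest-api#run-script` URL to the relative `../REST%20API/rest-api.md#run-script` matches the relative style used for the disk encryption page's API link in this commit, which is good; confirm the heading that produces the `#run-script` anchor actually exists in `rest-api.md`, as nothing in this diff shows it.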


@ -58,9 +58,6 @@ const DiskEncryptionKeyModal = ({
const recoveryText = isMacOS
? "Use this key to log in to the host if you forgot the password."
: "Use this key to unlock the encrypted drive.";
const recoveryUrl = isMacOS
? "https://fleetdm.com/docs/using-fleet/mdm-disk-encryption#reset-a-macos-hosts-password-using-the-disk-encryption-key"
: "https://fleetdm.com/docs/using-fleet/mdm-disk-encryption#unlock-a-windows-hosts-drive-using-the-disk-encryption-key";
return (
<Modal title="Disk encryption key" onExit={onCancel} className={baseClass}>
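Review bot: removing `recoveryUrl` deletes the modal's link for both platforms, yet only the macOS target (`#reset-a-macos-hosts-password-using-the-disk-encryption-key`) is removed from the docs in this commit; no hunk touches a section behind `#unlock-a-windows-hosts-drive-using-the-disk-encryption-key`. If that Windows section still exists, the text `Use this key to unlock the encrypted drive.` loses its only pointer to it, so either keep a link in the Windows branch or state in the commit message why both links were dropped.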
@ -70,14 +67,7 @@ const DiskEncryptionKeyModal = ({
<>
<InputFieldHiddenContent value={encrpytionKey ?? ""} />
<p>{descriptionText}</p>
<p>
{recoveryText}{" "}
<CustomLink
text="View recovery instructions"
url={recoveryUrl}
newTab
/>
</p>
<p>{recoveryText} </p>
<div className="modal-cta-wrap">
<Button onClick={onCancel}>Done</Button>
</div>
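Review bot: `<p>{recoveryText} </p>` keeps a stray trailing space inside the paragraph, left over from the removed `{" "}` separator that preceded the `CustomLink`; change it to `<p>{recoveryText}</p>`. With the `CustomLink` element gone from this component, also check that the corresponding `CustomLink` import at the top of the file is removed, otherwise it becomes an unused import. The `encrpytionKey` prop name in the context line is a pre-existing typo and is not introduced by this change, but it is an easy follow-up.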