firstlookmedia / flock-agent

🦉 Agent for Flock, the privacy-preserving fleet management system
GNU General Public License v3.0

System encryption check on OSX should check for FileVault usage, not just encryption #104

Open simonft opened 4 years ago

simonft commented 4 years ago

On OSX machines with the new T2 chip the disk is reported as encrypted whether or not FileVault is on. This is because it is encrypted, with the T2 chip. https://support.apple.com/en-us/HT208344

However, with FileVault turned on the disk is just encrypted with the hardware ID in the secure enclave, which means you can still access the data without the disk password. I was able to reset the password and access the data of a 2019 MacBook Air which flock-agent reported as having disk encryption.

This thread claims target disk mode also allows data access even with encryption enabled: https://forums.macrumors.com/threads/filevault-needed-on-a-mbp-2019-with-t2-chip.2207855/?post=27916788#post-27916788

simonft commented 4 years ago

Looks like this is an issue in osquery. There doesn't seem to be a better way to get this info: https://github.com/osquery/osquery/issues/5223
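The two comments above describe the gap: the "is the disk encrypted" signal from osquery is true on every T2 Mac, so an agent that wants to know whether data is actually protected by the user's password has to consult FileVault directly. The following is an added example, not code from the issue author or from flock-agent, showing one way to do that outside osquery: it parses the output of Apple's `fdesetup status` command (which prints `FileVault is On.` or `FileVault is Off.`) and combines it with the osquery encryption flag so that "encrypted but FileVault off" is reported as unprotected. The sample strings in the tests are constructed; the function names are this example's own.

```python
import re
import subprocess
from typing import Optional

# `fdesetup status` prints "FileVault is On." or "FileVault is Off." as its
# first line; an "Off" report may be followed by a line about deferred
# enablement, which still means the volume is not yet FileVault-protected.
_FILEVAULT_STATUS_RE = re.compile(r"FileVault is (On|Off)\.", re.IGNORECASE)


def parse_fdesetup_status(output: str) -> Optional[bool]:
    """Return True if FileVault is On, False if Off, None if unrecognised.

    Returning None (rather than False) for unexpected output lets the caller
    distinguish "FileVault is off" from "we could not determine the state".
    """
    match = _FILEVAULT_STATUS_RE.search(output)
    if match is None:
        return None
    return match.group(1).lower() == "on"


def filevault_enabled() -> Optional[bool]:
    """Query FileVault on the local macOS host via `fdesetup status`.

    Returns None when fdesetup is unavailable (e.g. not running on macOS)
    or when its output cannot be parsed.
    """
    try:
        result = subprocess.run(
            ["fdesetup", "status"],
            capture_output=True,
            text=True,
            check=False,
        )
    except FileNotFoundError:
        return None
    return parse_fdesetup_status(result.stdout)


def disk_protected_by_user_password(osquery_encrypted: bool,
                                    filevault_on: Optional[bool]) -> bool:
    """Decide whether data at rest is protected by the user's password.

    On T2 Macs osquery reports the volume as encrypted regardless of
    FileVault (the hardware encrypts it unconditionally), so the osquery
    flag alone is not enough: require a positive FileVault result as well.
    An unknown FileVault state is treated as unprotected (fail closed).
    """
    return bool(osquery_encrypted) and filevault_on is True


if __name__ == "__main__":
    # Stand-alone use on a Mac: combine a (here hard-coded) osquery result
    # with the live FileVault status. The osquery value is a placeholder.
    osquery_says_encrypted = True  # placeholder for the agent's osquery row
    fv = filevault_enabled()
    print("FileVault:", fv)
    print("Protected by user password:",
          disk_protected_by_user_password(osquery_says_encrypted, fv))
```

The decision function fails closed: if `fdesetup` is missing or prints something unexpected, the host is reported as unprotected rather than silently passing the check, which is the safer default for a fleet-compliance signal.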