fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Enforce disk encryption when macOS hosts automatically enroll #16866

Open pacamaster opened 5 months ago

pacamaster commented 5 months ago

Goal

User story
As an IT admin that turns on MDM features,
I want Fleet to enforce disk encryption on my hosts by default
so that disk encryption is enforced on my hosts.

Context

To use ForceEnableInSetupAssistant, Await Device Configured DEP configuration must be enabled (which is already the case in Fleet). FileVault profile must be installed before sending the DeviceConfiguredCommand.

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
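The context above states two preconditions for forcing FileVault on in Setup Assistant: the DEP/ADE enrollment profile must have await_device_configured set, and the FileVault profile must be installed before the MDM server sends DeviceConfigured. The following is an added example (not Fleet's code) that builds such a FileVault configuration profile with Python's standard plistlib and checks both preconditions plus the command ordering. The payload keys (com.apple.MCX.FileVault2, Enable, ForceEnableInSetupAssistant, ShowRecoveryKey, Defer) are Apple's documented FileVault keys; the DEP profile JSON, the MDM hostname, the identifiers and the simplified command-sequence representation are constructed for illustration.

```python
"""Build a FileVault-in-Setup-Assistant profile and check its enrollment preconditions.

Added example; not part of Fleet. Identifiers and hostnames are assumed values.
"""
import json
import plistlib
import uuid

# Constructed sample of an ADE (DEP) enrollment profile. Only the keys relevant
# here are shown; await_device_configured is the one ForceEnableInSetupAssistant
# depends on.
SAMPLE_DEP_PROFILE_JSON = """{
  "profile_name": "Example ADE profile",
  "url": "https://mdm.example.com/mdm/apple/enroll",
  "await_device_configured": true,
  "is_mdm_removable": false
}"""

FILEVAULT_PAYLOAD_TYPE = "com.apple.MCX.FileVault2"
PROFILE_IDENTIFIER = "com.example.filevault"  # assumed identifier


def build_filevault_profile(enable=True, force_in_setup_assistant=True,
                            defer=False, show_recovery_key=False):
    """Return a device-scoped configuration profile as plist bytes.

    With the defaults this is the macOS 14+ shape: FileVault is turned on during
    Setup Assistant with no user interaction. `defer=True` adds the legacy
    deferral key so the checker below can show it being flagged.
    """
    payload = {
        "PayloadType": FILEVAULT_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_IDENTIFIER + ".fv",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "FileVault",
        "Enable": "On" if enable else "Off",
        "UseRecoveryKey": True,
        "ShowRecoveryKey": show_recovery_key,
        "ForceEnableInSetupAssistant": force_in_setup_assistant,  # macOS 14+
    }
    if defer:
        payload["Defer"] = True  # legacy user-enabled flow; ignored when forced
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": PROFILE_IDENTIFIER,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Enforce FileVault in Setup Assistant",
        "PayloadOrganization": "Example Org",  # assumed
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def check_setup_assistant_filevault(dep_profile_json, profile_plist):
    """Return {"errors": [...], "warnings": [...]} for the forced-FileVault setup.

    Errors are conditions under which FileVault will not be forced on during
    Setup Assistant; warnings are keys Apple documents as ignored in that mode
    ("all keys except show recovery key are ignored").
    """
    errors, warnings = [], []
    dep = json.loads(dep_profile_json)
    if dep.get("await_device_configured") is not True:
        errors.append("DEP profile: await_device_configured must be true")

    profile = plistlib.loads(profile_plist)
    if profile.get("PayloadScope", "System") != "System":
        errors.append("profile must be device (System) scoped")
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == FILEVAULT_PAYLOAD_TYPE]
    if not payloads:
        errors.append("profile has no %s payload" % FILEVAULT_PAYLOAD_TYPE)
        return {"errors": errors, "warnings": warnings}
    fv = payloads[0]
    if fv.get("Enable") != "On":
        errors.append("FileVault payload: Enable must be 'On'")
    forced = fv.get("ForceEnableInSetupAssistant") is True
    if not forced:
        errors.append("FileVault payload: ForceEnableInSetupAssistant must be true")
    if forced:
        for key in ("Defer", "DeferForceAtUserLoginMaxBypassAttempts",
                    "DeferDontAskAtUserLogout"):
            if key in fv:
                warnings.append("FileVault payload: %s is ignored when forced in Setup Assistant" % key)
    return {"errors": errors, "warnings": warnings}


# Simplified, constructed representation of the MDM command queue after
# enrollment: (RequestType, fields). A real InstallProfile carries the profile
# bytes; only the identifier matters for the ordering check.
GOOD_SEQUENCE = [("InstallProfile", {"identifier": PROFILE_IDENTIFIER}),
                 ("DeviceConfigured", {})]
BAD_SEQUENCE = [("DeviceConfigured", {}),
                ("InstallProfile", {"identifier": PROFILE_IDENTIFIER})]


def profile_precedes_device_configured(commands, profile_identifier):
    """True iff the FileVault profile is installed before DeviceConfigured is sent."""
    installed_at = configured_at = None
    for i, (request_type, fields) in enumerate(commands):
        if (request_type == "InstallProfile" and installed_at is None
                and fields.get("identifier") == profile_identifier):
            installed_at = i
        elif request_type == "DeviceConfigured" and configured_at is None:
            configured_at = i
    return installed_at is not None and (configured_at is None or installed_at < configured_at)


if __name__ == "__main__":
    print(check_setup_assistant_filevault(SAMPLE_DEP_PROFILE_JSON, build_filevault_profile()))
    print(profile_precedes_device_configured(GOOD_SEQUENCE, PROFILE_IDENTIFIER))
    print(profile_precedes_device_configured(BAD_SEQUENCE, PROFILE_IDENTIFIER))
```

Run it as a script to see a clean result for the default profile and the two orderings; feeding it a profile built with `defer=True` shows the deferral key being reported as dead configuration rather than an error, which mirrors the "all keys except show recovery key are ignored" behaviour quoted later in this thread.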
JoStableford commented 5 months ago

Related to a Slack conversation

nonpunctual commented 5 months ago

Adding a little color...

Apple at WWDC 2023 announced the following improvements:

macOS 14 allows MDM to require FileVault enablement during Setup Assistant. The recovery key can then be shared with the end user during setup or managed by the MDM system.

MDM can require the device to be on a specific operating system version in order to enroll, which means a user can’t access company services until they update. This works using JSON to inform MDM of the OS a device is running. If a new version is required, the user will be guided through the update process.

This is the 1st time since FV2 was added that FV could be enabled WITHOUT USER INTERACTION, i.e., it is in the control of the organization that owns the device instead of being SET by the org but user-enabled. We should follow the platform's lead on these types of features if possible.

noahtalerman commented 5 months ago

macOS 14 allows MDM to require FileVault enablement during Setup Assistant.

MDM can require the device to be on a specific operating system version in order to enroll, which means a user can’t access company services until they update

@nonpunctual do you know what the mechanism is for these features?

Is it a property in the automatic enrollment (DEP) profile? Wondering if we already support this...

noahtalerman commented 5 months ago

Seems like there are two problems here:

Let's bring both to feature fest.

nonpunctual commented 5 months ago

macOS 14 allows MDM to require FileVault enablement during Setup Assistant.

@nonpunctual do you know what the mechanism is for these features?

Is it a property in the automatic enrollment (DEP) profile? Wondering if we already support this...

@noahtalerman I am 99% sure this is a key/val in the enrollment profile. I will try to find example. Jamf implements this as an option in the PreStage Enrollment settings for ADE.

nonpunctual commented 5 months ago

@noahtalerman this is from the Apple Platform Deployment Guide which is usually very up-to-date.

https://support.apple.com/guide/deployment/filevault-payload-settings-dep32bf53500/web

In this case, the doc reflects what appears to be conflicting info, but, the important key/val to note (I think) is

[screenshot, 2024-02-15]

The references to user-enabled FV settings are legacy & maybe are still in the docs for macOS systems that aren't updated to Sonoma.

noahtalerman commented 4 months ago

@nonpunctual heads up, this air guitar story was prioritized during the last feature fest. It's on the design board.

So, I'm removing the feature fest label.

You will be notified when we land on next steps for this story when the sprint concludes.

noahtalerman commented 4 months ago

Hey @nonpunctual, heads up, we didn't get to an air guitar session for this story during the design sprint. Bringing it back to feature fest.

noahtalerman commented 4 months ago

Noah: Is this just as easy as adding a key/value to DEP profile? If yes, we already support it. If not, let's work on this later.

noahtalerman commented 4 months ago

@pacamaster heads up, I updated the issue description to user story format and moved your original issue description here:

Problem

How might this have a positive effect on your organization?

What is the current situation? Why does the current situation hurt?

What are you doing right now to work around this issue? What's non-ideal about it?

Potential solutions

noahtalerman commented 3 months ago

Hey @pacamaster and @nonpunctual, heads up, we didn't get to this air guitar in the last design sprint. Bringing it back to feature fest.

noahtalerman commented 3 months ago

Brock and Grant: Separate issue: turn on disk encryption by default if I'm using MDM features.

noahtalerman commented 3 months ago

@nonpunctual can you please file a separate issue for this: turn on disk encryption by default if I'm using MDM features.

Noah and Brock: For the turning on FileVault during DEP, there's likely a separate key/value pair (not the FileVault profile)

noahtalerman commented 3 months ago

Hey @nonpunctual and @pacamaster, heads up, we discussed this issue during feature fest.

We decided not to draft this in the current design sprint (4.49).

Removing it from the feature fest board.

nonpunctual commented 3 months ago

[screenshot]

nonpunctual commented 3 months ago

@noahtalerman @marko-lisica I am a little confused by your request. There are 2 issues I guess:

1) We need to warn people that encryption isn't on by default when a new Team is created

OR

2) We need to enable FV by default everywhere.

If we did 2) there would be no need for 1) so that's where my confusion lies.

The title of this issue is: "Enforce FileVault during new Mac out-of-the-box setup"

Maybe it should just be changed to "Enforce FileVault by default" & then we can make sub-tasks for what that comprises: UI, Teams, Enrollment, profiles, etc. or it should be an epic.

I suppose that makes it seem like more work, but I think this is an important enough feature that we want to get it right &, again, we are trying to follow Apple's lead on this. Because they now allow an admin full control over enabling FV without user interaction, we no longer will need a UI warning in the product about that (see screenshot in comment above).

Please let me know if you need me to do any investigation or if there is anything I can do to help. For now, I kind of want to keep this as a single issue that could become parent of others but will submit additional requests as you see fit. Thanks.

@pacamaster @alexmitchelliii

noahtalerman commented 2 months ago

@nonpunctual we've been discussing several problems in this issue (see comments above).

Which problem is the customer(s) trying to solve?

When you get the chance, can you please update the user story in the issue description to cover that problem?

That way, we can dig into solutions when this gets pulled into a design sprint.

nonpunctual commented 2 months ago

Hi @noahtalerman I am not sure that I can make it any clearer than what I wrote above.

  1. We need to warn people that encryption isn't on by default when a new Team is created, or
  2. We need to enable FV by default everywhere.

The problem the customer is trying to solve is that new Teams do not include encryption ON by default. If you've enabled MDM, it seems like encryption should be on when you make a new Team.

Customers that have the expectation that it is on (which is reasonable) need a warning that it's not.

You seem to want a separate issue. If so, that's ok but that seems like splitting this work when what I think customers will want & what we want in the product is to default towards enabling encryption on all platforms in all cases.

noahtalerman commented 2 months ago

The problem the customer is trying to solve is that new Teams do not include encryption ON by default.

Thanks @nonpunctual! I updated the user story to reflect this. Please feel free to bring it through feature fest if you think we should consider prioritizing it.

Customers that have the expectation that it is on (which is reasonable) need a warning that it's not.

Maybe the quickest win we can do is add a small note to the disk encryption docs to describe the current behavior (off by default).

spokanemac commented 1 month ago

@noahtalerman Not enforcing FileVault at device enrollment and setup is painful, as we need to ask users to do an antiquated dance to log out before we can enable and escrow the FV key. From the dogfooding perspective, I receive a Vanta alert every time a Fleetie sets up a new device or enrolls a new VM, which has me playing whack-a-mole to have them do the FileVault logout dance. Apple added support for this in Sonoma (macOS 14).

From Apple's deployment guide:

Turn on in Setup Assistant: Requires that FileVault be turned on in Setup Assistant. If set, all keys except show recovery key are ignored.

noahtalerman commented 1 month ago

Got it @spokanemac! Thanks for describing the pain in detail.

We'll weight this at the next feature fest on 2024-06-20.

noahtalerman commented 3 weeks ago

Hey @pintomi1989 I pulled the ~feature fest off because this story is in the current design sprint :) You can tell if it has :product

Please check before adding requests to feature fest. Thanks!

nonpunctual commented 2 weeks ago

@noahtalerman This is 1 of the problems resolving this issue would fix. The other (also related) is unclear communication to end users about how this is supposed to work.

[screenshot, 2024-07-02]

georgekarrv commented 2 weeks ago

Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @ghernandez345 @gillespi314 @jahzielv @mna @roperzh

gillespi314 commented 2 weeks ago

Question: How does this work in a profiles renew situation vs. initial setup?

nonpunctual commented 2 weeks ago

related: https://github.com/fleetdm/fleet/issues/18827

JoStableford commented 4 days ago

Related to a Slack conversation

nonpunctual commented 4 days ago

[screenshot, 2024-07-15]