FileVault: Manage disk encryption

[noahtalerman]

User story

As an IT admin, I want to turn on FileVault (Disk encryption) on my macOS hosts so that I know the disk is encrypted and secure.

Requirements

• Premium feature only
• In UI and CLI, IT admin can enforce disk encryption for macOS hosts.
• Only global admins, global maintainers, team admins, and team maintainers can enforce disk encryption.
• In Fleet Desktop UI, end user is walked through required actions: Log out if end user had disk encryption turned on for the first time. Reset key if end user already had disk encryption turned on
• In UI, IT admin can see disk encryption status on the Host details page. For failed status, IT admin can see the error.

Design

UI

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=11728%3A323053&t=tDSDpng9HNhTcAjy-1

[noahtalerman]

From product design review on 2022-12-20

QA: Try to break it. Turn it off, turn it on, turn it off, turn it on. Is it on?

[mike-j-thomas]

@noahtalerman, ready for you to look at https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=11687%3A321888

[noahtalerman]

@mike-j-thomas, thanks! The changes look great. I will bring them to today's design review (morning EST).

[michalnicp]

In the figma diagrams, in the "Reset Key" modal, it looks like we are saying refetch will immediately fetch the new recovery key. However, as per https://github.com/fleetdm/fleet/issues/8708, we are no longer using osquery to get the recovery key.

Does this need to be changed to issue an MDM command to get the recovery key? Alternatively, we could just wait for it to be retrieved eventually.

@noahtalerman

[noahtalerman]

Does this need to be changed to issue an MDM command to get the recovery key?

@michalnicp good point. I don't think so. I think waiting for the key to be retrieved eventually is ok. That is, if Fleet gets the key within a reasonable amount of time after the key is reset (1-2 days). Is this the case?

The "Reset key" modal solves the following problem: I want Fleet to retrieve all keys. Sometimes, for various reasons, Fleet can't retrieve the key. For Fleet to retrieve the key, the key needs to be reset.

I think this is a separate problem: After I know the end user reset the key, I want to see the recovery key.

it looks like we are saying refetch will immediately fetch the new recovery key

In the modal we communicate to end user "Close this window and select Refetch on your My device page. This tells your organization that you reset your key.

How do you think we should update this^ sentence to clearly communicate that refetch doesn't fetch the new key?

[michalnicp]

Does this need to be changed to issue an MDM command to get the recovery key?

@michalnicp good point. I don't think so. I think waiting for the key to be retrieved eventually is ok. That is, if Fleet gets the key within a reasonable amount of time after the key is reset (1-2 days). Is this the case?

The "Reset key" modal solves the following problem: I want Fleet to retrieve all keys. Sometimes, for various reasons, Fleet can't retrieve the key. For Fleet to retrieve the key, the key needs to be reset.

I think this is a separate problem: After I know the end user reset the key, I want to see the recovery key.

it looks like we are saying refetch will immediately fetch the new recovery key

In the modal we communicate to end user "Close this window and select Refetch on your My device page. This tells your organization that you reset your key.

How do you think we should update this^ sentence to clearly communicate that refetch doesn't fetch the new key?

I see two potential options:

1. Add a separate button on the My Device page that retrieves the recovery key for that specific host using an MDM command. The modal would say something like "Close this window and select Retrieve Recovery Key on your My Device page to update the recovery key ..."
2. Remove the sentence "Close this window and select Refetch on your My device page ..." entirely. We would eventually retrieve the new recovery key anyways.

if Fleet gets the key within a reasonable amount of time after the key is reset (1-2 days). Is this the case?

This will be done as part of https://github.com/fleetdm/fleet/issues/8708. It is not specified in the issue yet, but I think 1 - 2 hours is a reasonable expectation.

[noahtalerman]

From FileVault UX call on 2022-12-23

• After end users successfully enters user name and password (sends command) hide the banner
• After end users successfully enters user name and password (sends command) IT admin see disk encryption key in pending state
• Think about end user dialog. Why do we tell them to refetch instead of just showing them a button to refetch?

[roperzh]

From the team meeting on Jan 5, 2023: we decided to use osquery to encrypted key that's generated when the FDERecoveryKeyEscrow payload is installed.

This key is stored at /var/db/FileVaultPRK.dat and officially supported by Apple, from the docs:

If FileVault is enabled after this payload is installed on the system, the FileVault PRK is encrypted with the specified certificate, wrapped with a CMS envelope and stored at /var/db/FileVaultPRK.dat. The encrypted data is made available to the MDM server as part of the SecurityInfo command.

Alternatively, if a site uses its own administration software, it can extract the PRK from the foregoing location at any time. Because the PRK is encrypted using the certificate provided in the profile, only the author of the profile can extract the data.

[noahtalerman]

Hey @mike-j-thomas can you please help me with the UI for disk encryption status? I assigned you this issue and added it to the marketing board.

Here's a link to the Figma page (screenshot below): https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=11687%3A321888

Here's a Loom video of me walking through the UI problem and explaining what I could use your help on: https://www.loom.com/share/5fff6fe611ed486280612c19b884b086

[noahtalerman]

@mike-j-thomas I unassigned you and removed the issue from the marketing board.

Context is here in Slack (internal): https://fleetdm.slack.com/archives/C01ALP02RB5/p1673404102816089

[lukeheath]

Backend + Agent: ~13 points Frontend: ~8 points

Total: 21 points

[noahtalerman]

@zhumo @roperzh @chris-mcgillicuddy after your feedback during today's product design review, I made these UI changes (screenshots below). I let Luke know that this issue is ready for engineering specs + estimation. That said, please let me know if you have any thoughts concerns.

---

1. Rename statuses:
   • "Pending (add)" status to "Enforcing setting". What was called "Pending (key)" and "Pending (add)" are both included in this status. Why? We want to tell the IT admin that Fleet is doing something. No action is required.
   • Rename and combine "Pending (reset key)" and "Pending (log out)" status to "Action required". Why? We just want to tell the IT admin that action is required. It's up to the My device page to tell the end user what to do.
2. Consolidate messages for the IT admin (Host details page) action is required from the end user. We just want to tell the IT admin that action is required. It's up to the My device page to tell the end user what to do.
3. Specify that, in the native macOS prompt we show for resetting the key, show this error message if the end user didn’t successfully reset the key: “Couldn’t reset key. Please try again. If this keeps happening, please contact your IT admin.” Why? It's better UX to show the error in the place the user is trying to enter their username and password. @roperzh please let me know if this isn't possible or will take a large amount of time.

---

1. 
2. 
3. 

Here's a link to the Figma page: https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=11724%3A323171&t=jcN8RrQg2gWonjEh-1

[zhumo]

Thanks Noah, LGTM

[lukeheath]

@roperzh @ghernandez345 Assigning this to the two of you to create the child issues.

[noahtalerman]

Hey @roperzh @ghernandez345 updates to this issue following today's design review (2022-01-13)

• Added requirement: Enforcing disk encryption is tracked in the activity feed. Why? Continue to bake improvements into the audit log for new MDM features. Figma is updated here: https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=12227%3A330347&t=xzitCrGJDxvISNJP-1
• Rename statuses: "Enforcing setting" to "Enforcing (pending)" and "Removing setting" to "Removing enforcement (pending)". Why? The "pending" language makes it clearer.

cc @zhumo

[lukeheath]

@ghernandez345 @roperzh Heads up, we're going to defer this epic to the sprint after next, so we have some time to spec put a detailed estimate on this one.

[noahtalerman]

@zhumo the Whiteboard for Pricing CX Review indicates that we'd like "Disk encryption key escrow" to be a Fleet Premium feature. To handle this in the planned UX, I propose that "turn on disk encryption" AND "key escrow" are both paid features. This is because the planned UX bundles turn on and key escrow in one setting (see screenshots below).

This means that free users won't be able to use disk encryption key escrow OR turn on disk encryption at all because we plan to prevent users from adding a custom configuration profile to turn it on (exact error message below).

I think this is ok because we could allow free users to use a custom configuration profile in the future.

What do you think?

[zhumo]

@noahtalerman works for me.

[zhumo]

@noahtalerman Don't forget the other side. If you had premium and turned it on, but lapse, you should not be able to see the key.

[noahtalerman]

@lukeheath we'd like "Disk encryption" to be a paid feature. This means that only Fleet Premium users can turn on disk encryption and see the disk encryption key.

I updated the Figma for this issue and the "See disk encryption key for macOS hosts" issue (here) to indicate this. Screenshots are below.

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=12941%3A334791&t=75VasZJoqw3aRXjS-1:

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=10686%3A316128:

Luke, up to you if we update the requirements as part of these stories or break making them paid into a new story. Goal is to have disk encryption be paid by April launch.

Please let me know if I can be helpful with updating designs and specs.

[lukeheath]

@noahtalerman Thanks! We can roll that into the existing stories.

[lukeheath]

@roperzh I am assigning this story to you to manage and bring to QA.

[mna]

@noahtalerman just a heads-up, the Figma mentions alternate text for Fleet Free users for activities, but it's a Fleet Premium-only feature (e.g.: https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=12227%3A330387&t=mFjQZKzp1Txmk8vM-0 )

[noahtalerman]

This story was brought back to the drafting phase for priority drafting because Roberto surfaced a potential UX problem with the current solution.

This comment documents the options discussed and decision made during design review on 2022-03-14.

Context:

• We want to ship this story on Friday March 17
• To reset disk encryption key, we need user’s username and password
• We want to summon a native looking modal for the user to enter their username and password
• The current UI expects the My device page to tell fleetd to summon the modal

UX Problem:

• fleetd checks in every 30 seconds so the end user will have to wait 30 seconds after they click start

Options:

1. Present a “Reset key” button in Fleet Desktop dropdown

   • Pros:
   • End user doesn’t have to wait 30 seconds. End user has an easy time finding the button.
   • Low amount of engineering work
   • Cons:
   • Inconsistent UX for the end user. They go to Fleet Desktop dropdown to reset key. They go to My device page to turn on MDM
   • UI changes:
   • Remove “Reset key” modal
   • Update Fleet Desktop dropdown menu to show “Reset key” option. Clicking this opens the native looking modal
   • Update My device banner copy to point user to Fleet Desktop dropdown menu

2. My device page talks to fleetd directly

   • Pros:
   • End user doesn’t have to wait 30 seconds
   • Cons:
   • Large amount of engineering work

3. My device page talks to Fleet server. Update the UI to tell the user they’ll have to wait 30 seconds

   • Pros:
   • Low amount of engineering work
   • Cons:
   • End user waits 30 seconds

Decision: Go with option (3)

• Loom video that captures the user journey: https://www.loom.com/spaces/All-Fleet-67132/folders/historicalmisc-86bc8a2d884c4313ac3a4da785510ccd

Reasoning:

• We want to ship a working solution on Friday. This makes option (1) and (2) difficult
• We should wait to introduce new UX (Fleet Desktop menu) until we’ve had time to think through the user journey. This makes it difficult to option (1) difficult
• It's ok to ship this story w/o solving the wait 30 seconds problem. Also, shipping this way doesn't make it harder to solve this problem later

[noahtalerman]

cc @mikermcneil @zhumo @lukeheath @roperzh ^^

[fleet-release]

XSJvN5DGz1

Secure data in clouds,
As data transmission's key.
Fleet's encryption helps.

[lukeheath]

@noahtalerman Re-opening, moving to "Confirm and celebrate", and assigning to you.

[zhumo]

C&C: Need to document that the feature current has 30 min to get the key. Can be triggered with a fleetctl trigger command.

[fleet-release]

FileVault takes flight, Mac hosts find encryption, Secured disks alight.