IT and security teams have approached this problem from multiple angles so far. On a per-computer basis, a new key can be generated by disabling and re-enabling FileVault, but this leaves the computer in an unencrypted state briefly and requires multiple steps. The built-in fdesetup command line tool can also be used to generate a new key, but not all users are comfortable entering Terminal commands. Plus, neither of these ideas scales to meet the needs of a fleet of Macs hundreds or thousands strong.
Another approach has been to use a tool capable of displaying an onscreen text input field to the user in order to show a password prompt, and then pass the provided password as input to the fdesetup tool for generating a new key. However, this requires IT and security teams to communicate with affected users in advance of the remediation campaign, in order to give them the context they need to respond to the additional password prompt. Even more concerning, this password prompt approach has a negative effect on security culture because it contributes to “consent fatigue.” Users will be more likely to approve other kinds of password prompt, which may inadvertently prime them to be targeted by malware or ransomware.
The ideal solution would be one that can be automated across the entire fleet while not requiring any additional user interaction.