Administrator Guide

NOTE:
If you allow this dialog to time out, you must reboot or log in for the password dialog to display again.
4. Click OK.
5. Be sure that each user has a secure token. See https://www.dell.com/support/article/us/en/19/sln309192/mobile-users-unable-to-activate-dell-encryption-enterprise-for-mac-on-macos-high-sierra?lang=en.
If the account the user was logged into is a non-mobile network account, a dialog displays. After the boot drive is encrypted,
the drive can be booted only by the user who was logged in during FileVault initialization.
This account must be a local or network mobile account. To change non-mobile network accounts to mobile accounts, go to
System Preferences > Users and Groups. Do one of the following:
Make the account a mobile account.
OR
Log into a local account and initialize FileVault from that location.
6. Click OK.
7. After encryption preparation is complete, restart the computer.
NOTE:
Depending on the User Experience policies set in the Management Console, the client software may prompt the user to
restart the computer.
8. After the computer restarts, it must be connected to the network for the client software to escrow recovery information to
the Dell Server.
The client software can begin and complete the encryption process, as well as report encryption status to the Management
Console, all before user login. This allows you to enforce compliance across all Mac computers without requiring user
interaction.
Modify Policy to Add FileVault Users
FileVault secures the data on a disk by automatically encrypting it. To allow multiple users to unlock the disk on a managed
FileVault boot volume, modify a policy in the Management Console. The policy takes a dictionary of OpenDirectory record names
and values, and users whose records match it can then add themselves to the FileVault disk.
1. In the Management Console's advanced Mac Global Settings policies, scroll to the FileVault 2 PBA User List policy.
2. In the FileVault 2 PBA User List policy field, enter a rule that matches the users you plan to specify. For example, matching
<string>*</string> for any key should match every user on the bound OpenDirectory server.
Tags are case sensitive, and the entire value must be properly formed as dictionary and array elements in a property list.
Dictionary keys are AND'd together. Array values are OR'd together, so a match on any element in an array counts as a match
for the entire array.
NOTE:
If a rule is improperly formed, an error displays in the Dell Encryption Enterprise > Preferences tab.
The following <dict> lists examples for two keys:
<dict>
<key>dsAttrTypeStandard:AuthenticationAuthority</key>
<array>
<string>;Kerberosv5;;user1@LKDC:*</string>
<string>;Kerberosv5;;user2@LKDC:*</string>
<string>;Kerberosv5;;user3@LKDC:*</string>
<string>;Kerberosv5;;z*@LKDC:*</string>
</array>
<key>dsAttrTypeStandard:NFSHomeDirectory</key>
<string>/Users/*</string>
</dict>
The sample AuthenticationAuthority key entries match user1, user2, and user3, or any user ID that begins
with z. To view the dialog that provides the correct syntax for each user, press the Control-Option-Command keys on
the client. Copy the syntax for the user, and paste it into the Management Console.
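The matching rules from step 2, as an added example (not Dell's code and not part of the guide): it parses a rule fragment, rejects one that is not well formed, and evaluates it against constructed directory records to show which accounts the rule would admit. It assumes that * is a glob-style, case-sensitive wildcard and that an attribute matches when any one of its values matches; parse_rule, matches, admitted, kerb and RECORDS are hypothetical names.

```python
import plistlib
from fnmatch import fnmatchcase
from xml.parsers.expat import ExpatError

# The example rule from the guide, as pasted into the policy field.
RULE = b"""<dict>
<key>dsAttrTypeStandard:AuthenticationAuthority</key>
<array>
<string>;Kerberosv5;;user1@LKDC:*</string>
<string>;Kerberosv5;;user2@LKDC:*</string>
<string>;Kerberosv5;;user3@LKDC:*</string>
<string>;Kerberosv5;;z*@LKDC:*</string>
</array>
<key>dsAttrTypeStandard:NFSHomeDirectory</key>
<string>/Users/*</string>
</dict>"""

def kerb(user):  # constructed AuthenticationAuthority values, not real directory data
    return [";ShadowHash;", f";Kerberosv5;;{user}@LKDC:SHA1.EXAMPLE;LKDC:SHA1.EXAMPLE"]
AUTH, HOME = "dsAttrTypeStandard:AuthenticationAuthority", "dsAttrTypeStandard:NFSHomeDirectory"
RECORDS = {  # constructed sample records
    "user1": {AUTH: kerb("user1"), HOME: ["/Users/user1"]},
    "zoe":   {AUTH: kerb("zoe"),   HOME: ["/Users/zoe"]},
    "alice": {AUTH: kerb("alice"), HOME: ["/Users/alice"]},         # not in the array
    "user2": {AUTH: kerb("user2"), HOME: ["/Network/Home/user2"]},  # home key fails
}

def parse_rule(fragment):
    """Return the rule as a dict; raise ValueError if it is not well formed."""
    try:
        rule = plistlib.loads(b'<plist version="1.0">' + fragment + b"</plist>")
    except (ExpatError, ValueError, plistlib.InvalidFileException) as exc:
        raise ValueError(f"malformed rule: {exc}") from exc
    if not isinstance(rule, dict):
        raise ValueError("rule must be a <dict>")
    for key, val in rule.items():
        pats = val if isinstance(val, list) else [val]
        if not pats or not all(isinstance(p, str) for p in pats):
            raise ValueError(f"{key}: expected <string> or <array> of <string>")
    return rule

def matches(rule, record):
    """Keys are ANDed, array patterns ORed. Assumes glob-style, case-sensitive '*'."""
    for key, val in rule.items():
        pats = val if isinstance(val, list) else [val]
        if not any(fnmatchcase(v, p) for v in record.get(key, []) for p in pats):
            return False
    return True

def admitted(rule, records):
    return sorted(name for name, rec in records.items() if matches(rule, rec))
```

Running a candidate rule through admitted() against a sample of directory records before pasting it into the Management Console shows exactly which accounts it would let add themselves to the FileVault disk.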
Tasks for the Encryption Client