By Zach DeMeyer Posted January 20, 2020
By implementing Policies, JumpCloud® admins automate much of their system security management across their Windows®, Mac®, and Linux® fleets. Two specific Policies, BitLocker and FileVault 2, are key for enforcing full disk encryption (FDE) at scale across an organization’s Windows and Mac systems.
What are the BitLocker and FileVault 2 Policies?
The BitLocker (Windows) and FileVault 2 (Mac) Policies enable full disk encryption for their respective operating systems. More on full disk encryption in just a bit.
Both policies leverage native settings accessed via the JumpCloud system agent to enable FDE on a system. Once enabled, the BitLocker and FileVault 2 Policies also collect the associated recovery key (a necessary backup for FDE) and store it in escrow for safe keeping.
Why Use These Policies?
FDE is a practice that encrypts a system’s hard drive while at rest. That way, in the unfortunate event that a system is stolen or otherwise physically compromised, the data stored on its hard drive is rendered inaccessible to anyone who doesn’t have the unique recovery key or the user’s password. In this manner, FDE is one of the most powerful ways to defend a system’s data if the hard drive is compromised.
Unfortunately, there are many examples of physical theft of a laptop or other workstation that have led to a data breach, especially among healthcare organizations. As such, many compliance regulations require some sort of disk encryption for certification.
Many IT organizations, however, have found it difficult to enforce FDE across both Windows and Mac system fleets automatically at scale without leveraging several solutions to do so. Beyond that, very few FDE solutions on the market feature recovery key escrow, which is crucial to retrieving data on an encrypted drive should the end user forget their password or get locked out.
By leveraging the BitLocker and FileVault 2 Policies from JumpCloud, organizations can apply FDE en masse with just a couple clicks. JumpCloud also stores individual recovery keys so IT organizations can still unlock encrypted drives if a hard (Read more…)