IT and safety groups have approached this downside from a number of angles up to now. On a per-computer foundation, a brand new key might be generated by disabling and re-enabling FileVault, however this leaves the pc in an unencrypted state briefly and requires a number of steps. The built-in fdesetup command line device can be used to generate a brand new key, however not all customers are snug coming into Terminal instructions. Plus, neither of those concepts scale to fulfill the wants of a fleet of Macs lots of or hundreds robust.
One other strategy has been to make use of a device able to displaying an onscreen textual content enter discipline to the consumer so as to show a password immediate, after which move the offered password as enter to the fdesetup device for producing a brand new key. Nonetheless, this requires IT and safety groups to speak prematurely of the remediation marketing campaign to affected customers, so as to give them the context they want to answer the extra password immediate. Much more regarding, this password immediate strategy has a detrimental impact on safety tradition as a result of it contributes to “consent fatigue.” Customers shall be extra prone to approve different varieties of password immediate, which can inadvertently prime them to be focused by malware or ransomware.
The best resolution could be one which might be automated throughout your whole fleet whereas not requiring any extra consumer interplay.
