Next, enable the “Enable FileVault 2” group policy to encrypt the disk. When you enable this group policy, you select whether to use one institutional key for multiple Mac computers, or computer-specific (“personal”) keys.
To enable the Enable FileVault 2 group policy
- On a Windows computer, open the Group Policy Management Editor.
- Select a Group Policy Object that applies to the Mac computer you are planning to encrypt, then right-click and select Edit.
- Open Computer Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy, then double-click Enable FileVault 2.
- Click Enable.
- Specify whether to use one institutional key for multiple Mac computers, or computer-specific (“personal”) keys:
To use one institutional key for multiple Mac computers, select Use Institutional Recovery Key. Then click Select to select the FileVault keychain certificate that you created earlier as described in Create FileVault master keychain. If you select this option, the FileVaultMaster certificate is distributed to all of the Mac computers to which the group policy applies. Go to Enable the Enable FileVault 2 group policy and continue from there.
To use computer-specific (“personal”) keys, leave Use Institutional Recovery Key unchecked. In this situation, a personal recovery key is created for the Mac computer and stored in the computer object in Active Directory. The key is created and sent to the computer object in Active Directory after the “Managed By” user reboots the Mac computer (or restarts the agent), logs in, logs out, and provides the user password as described in Set up and verify FileVault 2 protection and Set up and verify FileVault 2 protection. The personal recovery key is used to enable FileVault2 protection on the Mac computer. Go to Step 8 and continue from there.
In the Explorer dialogue, navigate to the folder in which you uploaded the certificate.
Select the certificate and click Open.
Click OK to enable the group policy.
This group policy will automatically take effect at the next group policy update interval. To have it take effect immediately, run the following command in the Terminal application on the Mac computer:
If you selected Use Institutional Recovery Key in Step 5, the FileVaultMaster certificate name, a thumbnail, and the expiration date are displayed in the Group Policy.
Note: The expiration date is not important because OS X does no revocation checking on this certificate.
The selected certificate should have the following usages: “Digital Signature”, “Key Encipherment”, “Data Encipherment” and “Key Certificate Sign”. If the certificate does not have these usages, an error message will appear: