Device Encryption step by step (Mac)

Follow these steps to encrypt Macs.

Before users can start:

  • You must install the Sophos Central agent software on the endpoints.
  • You must configure and turn on a Device Encryption policy in .
  • Users must log on to their endpoints. They must be connected to and synchronized with . Note that remote logon is not supported.

These instructions tell you what the users see and what they need to do.

  1. Users enter their login password after starting their Mac.

    This turns on Sophos Device Encryption.

  2. Click either Encrypt to start the encryption of their system disk or Postpone to start the process later.

    When users enter their login password and click Encrypt, the recovery key is stored locally in the keychain and .

    All existing users of an endpoint are added to FileVault automatically.

    On endpoints running macOS 10.12 or earlier, each user needs to log in separately to be added to FileVault.

When the system disk is encrypted, the internal data volumes are automatically encrypted. Encrypted disks are automatically unlocked when the computer starts.

Notifications tell users about the encryption status of the individual disks.
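
To confirm the result from the command line, in particular on macOS 10.12 or earlier where each user has to log in separately to be added to FileVault, an administrator can compare the FileVault user list against the local accounts. The script below is an added example, not Sophos code. It uses the macOS tools `fdesetup` and `dscl`, assumes that regular local accounts have a UID of 501 or higher, and falls back to constructed sample data when `fdesetup` is not present.

```shell
#!/bin/sh
# Added example (not Sophos code): check FileVault state and user enrolment.

# Classify the text printed by `fdesetup status`.
filevault_state() {
    case $1 in
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# $1: output of `fdesetup list` (username,UUID per line)
# $2: output of `dscl . -list /Users UniqueID` (username, then UID)
# Prints accounts with UID >= 501 (assumed to be regular local users)
# that are not yet FileVault-enabled.
missing_filevault_users() {
    enabled=$(printf '%s\n' "$1" | cut -d, -f1)
    printf '%s\n' "$2" | while read -r name uid; do
        [ -n "$name" ] || continue
        [ "$uid" -ge 501 ] 2>/dev/null || continue
        printf '%s\n' "$enabled" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample data, used when fdesetup is not available.
SAMPLE_STATUS='FileVault is On.'
SAMPLE_FV_LIST='alice,11111111-2222-3333-4444-555555555555
bob,66666666-7777-8888-9999-000000000000'
SAMPLE_USERS='_www             70
root             0
alice            501
bob              502
carol            503'

if command -v fdesetup >/dev/null 2>&1; then
    fv_status=$(fdesetup status); fv=$(fdesetup list); users=$(dscl . -list /Users UniqueID)
else
    fv_status=$SAMPLE_STATUS; fv=$SAMPLE_FV_LIST; users=$SAMPLE_USERS
fi

echo "FileVault state: $(filevault_state "$fv_status")"
missing=$(missing_filevault_users "$fv" "$users")
[ -z "$missing" ] || printf 'Not yet added to FileVault: %s\n' $missing
```

Run it as root on the Mac, because `fdesetup list` needs root privileges; without them the list comes back empty and every account is reported as missing.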