Technical Interpretation of Encryption Requirement
- Penn-owned systems running macOS 10.9+ (including macOS Sierra or later) must be encrypted (e.g. using FileVault2), with key escrow managed by a Centralized Endpoint Management system (e.g. BigFix, Casper) or enterprise password vault.
- If the system needs to run Windows as well, the Windows partition must be encrypted:
  - if Boot Camp: with (1) Symantec Whole Disk Encryption; or (2) BitLocker with a thumb drive to store the key (see How to Use BitLocker on Drives without TPM in References, below); or
  - if using Parallels or VMware Fusion, separate encryption of the Windows partition is not needed.
- Penn-owned systems running Windows 7 Enterprise or Ultimate and newer must be encrypted (e.g. using BitLocker), with key escrow managed by a Centralized Endpoint Management system (e.g. BigFix, BitLocker Administration and Monitoring (MBAM) or Windows AD with Group Policy - see Backing Up BitLocker and TPM Recovery Information to AD DS in References, below) or enterprise password vault.
- Regardless of the method chosen, there must be a way, in the event of loss or theft of the device, to verify that the system was encrypted. Some examples include:
  - a logon script to check the BitLocker status and log the results to a file server or the Security Logging Service (see Security Logging Service in References, below);
  - a Microsoft BitLocker Administration and Monitoring (MBAM) report (see References, below);
  - McAfee ePolicy Orchestrator (ePO);
  - using an endpoint management system to do periodic polling and logging of endpoint encryption status; or
  - periodically executing commands remotely via SSH to report the encryption status of macOS endpoints (see How to Determine if a Mac Is Using FileVault from the Command Line in Resources, below).
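The following is an added example of the first option above, a logon or startup script that records BitLocker status to a central share so it can be produced after a device is lost; it is not part of this page or of any Penn-provided tooling. It assumes the BitLocker PowerShell module is present (Windows 8 / Server 2012 and later), the script runs with rights to query BitLocker (for example as SYSTEM from a GPO startup script), and that `\\fileserver\encryption-logs$` is a placeholder share writable by computer accounts.

```powershell
# Added example (not the page's own code): log BitLocker status for every volume
# on this machine to a central share, falling back to a local file if the share
# is unreachable. Share path and local path are placeholders / assumptions.
$LogShare  = '\\fileserver\encryption-logs$'                 # placeholder: site-specific share
$LogFile   = Join-Path $LogShare  ("{0}.csv" -f $env:COMPUTERNAME)
$LocalLog  = Join-Path $env:ProgramData 'bitlocker-status.csv'   # assumption: local fallback
$Now       = (Get-Date).ToString('s')

Import-Module BitLocker -ErrorAction Stop

$Records = foreach ($vol in Get-BitLockerVolume) {
    # A volume only satisfies the requirement when it is fully encrypted AND
    # protection is on; "FullyEncrypted" with ProtectionStatus Off means the
    # volume master key is stored in the clear (e.g. BitLocker suspended).
    $Compliant  = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                  ($vol.ProtectionStatus -eq 'On')
    # Record which protector types are in use (Tpm, RecoveryPassword, ExternalKey
    # for a USB key on non-TPM machines, ...) so escrow coverage can be reviewed.
    $Protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'

    [pscustomobject]@{
        Timestamp        = $Now
        Computer         = $env:COMPUTERNAME
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        PercentEncrypted = $vol.EncryptionPercentage
        KeyProtectors    = $Protectors
        Compliant        = $Compliant
    }
}

# Append (never overwrite) so the history survives and the last entry before a
# loss shows whether the device was encrypted at the time.
try {
    $Records | Export-Csv -Path $LogFile -NoTypeInformation -Append -ErrorAction Stop
} catch {
    # Share unavailable (off-network logon): keep the record locally so an
    # endpoint management agent can collect it later.
    $Records | Export-Csv -Path $LocalLog -NoTypeInformation -Append
}
```

Reviewing the log for any row with Compliant = False (or a machine with no rows at all) is the check that answers the "was it encrypted?" question the requirement is about.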