Technical Interpretation of Encryption Requirement

  1. Penn-owned systems running macOS 10.9+ (including macOS Sierra or later) must be encrypted (e.g. using FileVault2), with key escrow managed by a Centralized Endpoint Management system (e.g. BigFix, Casper) or enterprise password vault.
    1. If the system needs to run Windows as well, the Windows partition must be encrypted:
      1. if Boot Camp: with (1) Symantec Whole Disk Encryption; or (2) BitLocker with a thumb drive to store the key (see How to Use BitLocker on Drives without TPM in References, below); or
      2. if using Parallels or VMWare Fusion, the separate encryption is not needed.
  2. Penn-owned systems running Windows 7 Enterprise or Ultimate and newer must be encrypted (e.g. using BitLocker), with key escrow managed by a Centralized Endpoint Management system (e.g. BigFix, BitLocker Administration and Monitoring (MBAM) or Windows AD with Group Policy - see Backing Up BitLocker and TPM Recovery Information to AD DS in References, below) or enterprise password vault.
  3. Regardless of the method chosen, there must be a way, in the event of loss or theft of the device, to verify that the system was encrypted. Some examples include:
    1. a logon script to check the BitLocker status and log the results to a file server or the Security Logging Service (see Security Logging Service in References, below);
    2. Microsoft BitLocker Administration and Monitoring (MBAM) report (see References, below);
    3. McAfee ePolicy Orchestrator (ePO);
    4. using an endpoint management system to do periodic polling and logging of endpoint encryption status; or
    5. periodically executing commands remotely via SSH to report encryption status of macOS endpoints (see How to Determine if a Mac Is Using FileVault from the Command Line in Resources, below).

References