Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.1.b
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiEndpoint Administration Guide

    Disk Encryption

    Disk Encryption

    Use the Profiles > Disk Encryption page to configure disk encryption policies to enforce disk encryption on Windows 7 or later (using BitLocker, TPM required) and macOS (using FileVault) endpoints to ensure consistent security configurations and compliance with regulatory requirements. You can also configure disk decryption policies to allow users to decrypt an encrypted disk.

    To configure a disk encryption policy to enforce disk encryption on specific Collector groups:

    1. In the Profiles > Disk Encryption page, click the Add button at the top left corner.

    2. Specify a name for the policy.

    3. Enable the policy if you want to enforce the policy immediately after creation. You can also choose to enable it later.

    4. Select the OS and configure the relevant options:

      Windows

      macOS
      1. Under Action, select Encrypt all disks or Encrypt only used disk.
      2. Under Method, select an encryption method for Windows 10 or later.
      1. Under Action, select Encrypt.
      2. Under Method, select the number of allowed user logins with an unencrypted disk. For example, if 3 is selected, the user will not be able to log in on the third attempt without confirming the disk encryption.
      3. Upload the FileVaultMaster certificate.

    5. Click Save.

      The policy appears in the disk encryption policies table.

    6. Enable or disable the policy by toggling the button in the State column.

    7. Add or remove Collector groups for the policy in the Collector Group column.

    8. (macOS) To verify the disk encryption status, run sudo fdesetup status on the endpoint. You can run the command multiple times to see the progress. When the encryption is complete, the status will show that FileVault is on. Encryption speed depends on HD size and Mac model.

    To configure a disk decryption policy to allow users of specific Collector groups to decrypt an encrypted disk:

    1. In the Profiles > Disk Encryption page, click the Add button at the top left corner.

    2. Specify a name for the policy.

    3. Enable the policy if you want to enforce the policy immediately after creation. You can also choose to enable it later.

    4. Select the OS and select Decrypt under Action.

    5. Click Save.

      The policy appears in the disk encryption policies table.

    6. Enable or disable the policy by toggling the button in the State column.

    7. Add or remove Collector groups for the policy in the Collector Group column.

      (macOS) Users from those Collector groups can then manually disable FileVault (user credentials required) from Setting > FileVault > Disable FileVault. If the Collector is not assigned to the decrypt policy, the disk will be automatically encrypted again even after the user manually disables FileVault.

    8. (macOS) To verify the disk decryption status, run sudo fdesetup status on the endpoint. You can run the command multiple times to see the progress. When the decryption is complete, the status will show that FileVault is off. Decryption speed depends on HD size and Mac model.

    Previous
    Next

    Disk Encryption

    Disk Encryption

    Use the Profiles > Disk Encryption page to configure disk encryption policies to enforce disk encryption on Windows 7 or later (using BitLocker, TPM required) and macOS (using FileVault) endpoints to ensure consistent security configurations and compliance with regulatory requirements. You can also configure disk decryption policies to allow users to decrypt an encrypted disk.

    To configure a disk encryption policy to enforce disk encryption on specific Collector groups:

    1. In the Profiles > Disk Encryption page, click the Add button at the top left corner.

    2. Specify a name for the policy.

    3. Enable the policy if you want to enforce the policy immediately after creation. You can also choose to enable it later.

    4. Select the OS and configure the relevant options:

      Windows

      macOS
      1. Under Action, select Encrypt all disks or Encrypt only used disk.
      2. Under Method, select an encryption method for Windows 10 or later.
      1. Under Action, select Encrypt.
      2. Under Method, select the number of allowed user logins with an unencrypted disk. For example, if 3 is selected, the user will not be able to log in on the third attempt without confirming the disk encryption.
      3. Upload the FileVaultMaster certificate.

    5. Click Save.

      The policy appears in the disk encryption policies table.

    6. Enable or disable the policy by toggling the button in the State column.

    7. Add or remove Collector groups for the policy in the Collector Group column.

    8. (macOS) To verify the disk encryption status, run sudo fdesetup status on the endpoint. You can run the command multiple times to see the progress. When the encryption is complete, the status will show that FileVault is on. Encryption speed depends on HD size and Mac model.

    To configure a disk decryption policy to allow users of specific Collector groups to decrypt an encrypted disk:

    1. In the Profiles > Disk Encryption page, click the Add button at the top left corner.

    2. Specify a name for the policy.

    3. Enable the policy if you want to enforce the policy immediately after creation. You can also choose to enable it later.

    4. Select the OS and select Decrypt under Action.

    5. Click Save.

      The policy appears in the disk encryption policies table.

    6. Enable or disable the policy by toggling the button in the State column.

    7. Add or remove Collector groups for the policy in the Collector Group column.

      (macOS) Users from those Collector groups can then manually disable FileVault (user credentials required) from Setting > FileVault > Disable FileVault. If the Collector is not assigned to the decrypt policy, the disk will be automatically encrypted again even after the user manually disables FileVault.

    8. (macOS) To verify the disk decryption status, run sudo fdesetup status on the endpoint. You can run the command multiple times to see the progress. When the decryption is complete, the status will show that FileVault is off. Decryption speed depends on HD size and Mac model.

    Previous
    Next