
Fleet documentation

Welcome to the documentation for Fleet, the lightweight management platform for laptops and servers.


Disk encryption


Available in Fleet Premium

In Fleet, you can enforce disk encryption for your macOS and Windows hosts.


Apple calls this FileVault and Microsoft calls this BitLocker.

When disk encryption is enforced, hosts’ disk encryption keys will be stored in Fleet.

For Windows hosts, disk encryption is enforced on the C: volume (default system/OS drive).

Enforce disk encryption

You can enforce disk encryption using the Fleet UI, Fleet API, or Fleet's GitOps workflow.

Fleet UI:

  1. In Fleet, head to the Controls > OS settings > Disk encryption page.

  2. Choose which team you want to enforce disk encryption on by selecting the desired team in the teams dropdown in the upper left corner.

  3. Check the box next to Turn on and select Save.

Fleet API: API documentation is here.

Disk encryption status

In the Fleet UI, head to the Controls > OS settings > Disk encryption tab. You will see a table that shows the status of disk encryption on your hosts.

  • Verified: the host turned disk encryption on and sent its key to Fleet. Fleet verified this with osquery. See instructions for viewing the disk encryption key here.

  • Verifying: the host acknowledged the MDM command to install the disk encryption profile. Fleet is verifying with osquery and retrieving the disk encryption key.


It may take up to one hour for Fleet to collect and store the disk encryption keys from all hosts.

  • Action required (pending): the end user must take action to turn disk encryption on or reset their disk encryption key.

  • Enforcing (pending): the host will receive the MDM command to install the configuration profile when the host comes online.

  • Removing enforcement (pending): the host will receive the MDM command to remove the disk encryption profile when the host comes online.

  • Failed: the host failed to enforce disk encryption.

You can click each status to view the list of hosts for that status.
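
To spot-check a host's reported status against its actual on-disk state, the following osquery SQL can be run as a live query. This is an added example, not Fleet's own verification query; it assumes osquery's `bitlocker_info` (Windows) and `disk_encryption` (macOS) tables, and the verdict labels are illustrative.

```sql
-- Windows: one row for the C: volume (the volume Fleet enforces) with a verdict.
-- Assumption: status codes follow Win32_EncryptableVolume as surfaced by osquery:
--   protection_status 1 = protection on, 0 = off/suspended
--   conversion_status 1 = fully encrypted, 2 = encryption in progress
SELECT
  drive_letter,
  encryption_method,
  percentage_encrypted,
  CASE
    WHEN conversion_status = 1 AND protection_status = 1
      THEN 'encrypted and protected'
    -- Encrypted volume whose protectors are suspended: the data is encrypted,
    -- but the volume key is not protected until protection is resumed.
    WHEN conversion_status = 1 AND protection_status = 0
      THEN 'encrypted, protection suspended'
    WHEN conversion_status = 2
      THEN 'encryption in progress'
    ELSE 'not fully encrypted'
  END AS verdict
FROM bitlocker_info
WHERE drive_letter = 'C:';

-- macOS: run separately against macOS hosts.
-- Returns a row per volume that is encrypted with FileVault on;
-- an empty result means the host is not encrypted.
SELECT
  name,
  uuid,
  type,
  filevault_status
FROM disk_encryption
WHERE encrypted = 1
  AND filevault_status = 'on';
```

A host shown as Verified whose Windows query returns anything other than 'encrypted and protected', or whose macOS query returns no rows, is worth investigating.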

View disk encryption key

How to view the disk encryption key:

  1. Select a host on the Hosts page.

  2. On the Host details page, select Actions > Show disk encryption key.

Migrate macOS hosts

When migrating macOS hosts from another MDM solution, your end users must take action to complete the process of encrypting the hard drive and escrowing the key in Fleet.

If the host already had disk encryption turned on, the user will need to input their password.

If the host did not already have disk encryption turned on, the user will need to log out or restart their computer.

Share these guided instructions with your end users.
