for Windows and macOS
BitLocker Drive Encryption for Windows
BitLocker is an encryption technology built into Windows operating systems. Kaspersky Endpoint Security allows you to control and manage BitLocker using Kaspersky Next infrastructure. BitLocker encrypts logical volumes. BitLocker cannot be used for encryption of removable drives. For more details on BitLocker, refer to the Microsoft documentation.
When encrypting the disk, BitLocker puts the boot loader and other auxiliary files in the system partition. This partition is not encrypted. The operating system creates the system partition automatically during the installation of Windows. If the disk is fully partitioned before installing Windows, the operating system cannot create a system partition. In this case, when you start BitLocker disk encryption, the operating system prompts the user to repartition the disk and create a system partition. After creating a system partition, the operating system starts BitLocker encryption.
BitLocker provides secure storage of access keys using a trusted platform module. A Trusted Platform Module (TPM) is a microchip developed to provide basic functions related to security (for example, to store encryption keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other system components via the hardware bus. Using TPM is the safest way to store BitLocker access keys, since TPM provides pre-startup system integrity verification. You can still encrypt drives on a computer without a TPM. In this case, the access key will be encrypted with a password. BitLocker uses the following authentication methods:
After encrypting the system hard drive, the user needs to go through BitLocker authentication to boot the operating system. After the authentication procedure, BitLocker allows users to log in. BitLocker does not support single sign-on technology (SSO).
After encrypting a drive, BitLocker creates a master key. Kaspersky Endpoint Security sends the master key to Kaspersky Next infrastructure so that you can restore access to the disk, for example, if a user has forgotten the password.
If a user encrypts a disk using BitLocker locally, rather than through a policy, Kaspersky Endpoint Security will send information about disk encryption to Kaspersky Next console. However, Kaspersky Endpoint Security will not send the master key to Kaspersky Next infrastructure, so it will be impossible to restore access to the disk. For BitLocker to work correctly with Kaspersky Next infrastructure, decrypt the drive and re-encrypt it using a policy. You can decrypt a drive locally or using a policy.
If you are using Windows group policies, turn off BitLocker management in the policy settings. Windows policy settings may conflict with Kaspersky Endpoint Security policy settings. When encrypting a drive, errors may occur.
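The following PowerShell script is an added example, not part of this documentation or of Kaspersky Endpoint Security. Run on an endpoint in an elevated session, it reports which of the authentication methods described above (TPM, TPM with PIN, or password) is actually in place on each BitLocker volume, whether a recovery password protector exists, and whether Windows BitLocker group policy values are still present under the standard FVE policy key, which the paragraph above warns may conflict with the Kaspersky Endpoint Security policy. It assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules are available.

```powershell
# Added example (not from the Kaspersky documentation). Requires an elevated
# PowerShell session with the BitLocker and TrustedPlatformModule modules.

# Map the key protector types reported by Get-BitLockerVolume to the
# authentication methods named in the policy settings on this page.
function Get-AuthMethod {
    param([string[]]$ProtectorTypes)
    if ($ProtectorTypes | Where-Object { $_ -like 'TpmPin*' }) { return 'TPM + PIN' }
    if ($ProtectorTypes | Where-Object { $_ -like 'Tpm*' })    { return 'TPM' }
    if ($ProtectorTypes -contains 'Password')                  { return 'Password' }
    return 'None (no pre-boot authentication protector)'
}

# TPM state: the page notes TPM is the safest key store, with password
# encryption of the access key as the fallback when no TPM is available.
$tpm      = Get-Tpm
$tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

Get-BitLockerVolume | ForEach-Object {
    $types = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        Volume           = $_.MountPoint
        VolumeType       = $_.VolumeType
        ProtectionStatus = $_.ProtectionStatus
        EncryptionPct    = $_.EncryptionPercentage
        AuthMethod       = Get-AuthMethod -ProtectorTypes $types
        HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        TpmReady         = $tpmReady
    }
} | Format-Table -AutoSize

# Any values under the FVE policy key mean Windows group policy is still
# configuring BitLocker, which the documentation recommends turning off.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) {
    $values = @((Get-Item $fve).Property)
    if ($values.Count -gt 0) {
        Write-Warning "Windows BitLocker group policy values present under $fve`: $($values -join ', ')"
    } else {
        Write-Host "FVE policy key exists but holds no values."
    }
} else {
    Write-Host "No Windows BitLocker group policy values found under $fve."
}
```

A volume that reports 'None' with ProtectionStatus 'On' is typically protected by a recovery password or external key only, which does not give the pre-boot authentication the page describes.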
FileVault Disk Encryption for macOS
Kaspersky Endpoint Security allows FileVault encryption to be managed remotely. Encryption prevents unauthorized users from accessing sensitive data stored on the startup disk of the user's computer.
When an administrator starts FileVault encryption on a computer from Kaspersky Next console, Kaspersky Endpoint Security prompts a user of this computer to enter his or her credentials. Disk encryption starts only after the user provides the credentials, the computer is restarted, and 30 minutes have passed since the policy settings are received on the computer. The minimum interval between prompts for credentials is also 30 minutes.
To prevent the user from decrypting the startup disk of a computer when FileVault encryption is enabled, an administrator needs to use JAMF to deploy an MDM profile prohibiting disk decryption. To decrypt the startup disk of a computer with an MDM profile prohibiting disk decryption, the administrator first needs to remove the profile.
If FileVault encryption management isn't enabled in Kaspersky Next console, users with administrator rights can encrypt and decrypt the computer’s startup disks from System Settings. For more information on FileVault, refer to Apple documentation.
If the computer has multiple computer accounts, FileVault encryption makes the disk inaccessible to all users except for the user who entered his or her credentials.
Data encryption settings for Pro View
| Parameter | OS | Description |
|---|---|---|
| Action on devices | | Encrypt all hard drives. If this item is selected, the application encrypts all hard drives when the policy is applied.<br>Decrypt all hard drives. If this item is selected, the application decrypts all previously encrypted hard drives when the policy is applied. |
| Use hardware encryption | | If the check box is selected, the application applies hardware encryption. This increases the speed of encryption and consumes fewer computer resources. |
| Use of BitLocker authentication on Windows tablets | | Allows authentication that requires data input in a preboot environment, even if the platform does not have the capability for preboot input (for example, tablets with touchscreen keyboards). The touchscreen of tablet computers is not available in the preboot environment. To complete BitLocker authentication on tablet computers, the user must connect a USB keyboard, for example. If the check box is selected, use of authentication requiring preboot input is allowed. It is recommended to use this setting only for devices that have alternative data input tools in a preboot environment, such as a USB keyboard in addition to the touchscreen keyboard. If the check box is cleared, BitLocker Drive Encryption is not possible on tablets. |
| Authentication method | | Trusted Platform Module (TPM). If this option is selected, BitLocker uses a Trusted Platform Module (TPM). A Trusted Platform Module (TPM) is a microchip developed to provide basic functions related to security (for example, to store encryption keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other system components via the hardware bus. For computers running Windows 7 or Windows Server 2008 R2, only encryption using a TPM module is available. If a TPM module is not installed, BitLocker encryption is not possible. Use of a password on these computers is not supported. A device equipped with a Trusted Platform Module can create encryption keys that can be decrypted only with the device. A Trusted Platform Module encrypts encryption keys with its own root storage key. The root storage key is stored within the Trusted Platform Module. This provides an additional level of protection against attempts to hack encryption keys. This option is selected by default.<br>Password. If this option is selected, Kaspersky Endpoint Security prompts the user for a password when the user attempts to access an encrypted drive. This option can be selected when a Trusted Platform Module (TPM) is not being used.<br>Trusted Platform Module (TPM), or password if TPM is unavailable. If this option is selected, the user can use a password to obtain access to encryption keys when a Trusted Platform Module (TPM) is not available. If the check box is cleared and the TPM is not available, full disk encryption will not start.<br>Use PIN for TPM. If this check box is selected, a user can use a PIN code to obtain access to an encryption key that is stored in a Trusted Platform Module (TPM). If this check box is cleared, users are prohibited from using PIN codes. To access the encryption key, a user must enter the password. |