ds-6 | Critical priority | Device Security

Full-disk encryption is enforced on all endpoints and portable storage

Laptops and portable drives are lost and stolen constantly. Without disk encryption, anyone who obtains a device has immediate access to all files, credentials cached in browsers, email archives, and any sensitive documents stored locally. Full-disk encryption makes a stolen device essentially worthless to an attacker without the decryption key. This is one of the cheapest controls available relative to its impact: modern operating systems include encryption natively and it can be enforced and verified centrally through an MDM.

Complete first: ds-1, ds-2

Implementation steps

  1. Enable and enforce FileVault on macOS devices via MDM

     Configure your MDM to require FileVault on all macOS endpoints. Escrow recovery keys to the MDM so that IT can recover access if a user forgets their password. Verify that FileVault is enabled and the key is escrowed before marking a device compliant. New devices should not pass compliance checks until encryption is active.

     Tools: jamf, kandji, microsoft-intune

  2. Enable and enforce BitLocker on Windows devices via MDM

     Configure your MDM or Group Policy to enforce BitLocker on all Windows endpoints. Store recovery keys in Azure AD or your MDM. Require TPM-based encryption so that keys are bound to the hardware. Run regular compliance reports to identify devices where BitLocker is disabled or not reporting.

     Tools: microsoft-intune, azure-ad, group-policy, microsoft-endpoint-manager

  3. Address portable storage and external media

     Use Group Policy or MDM to require that USB drives connected to company devices are encrypted before data can be written to them. For macOS, Jamf can enforce similar restrictions. Consider blocking unapproved USB storage devices entirely if the operational need is low. Provide employees with company-approved encrypted USB drives for legitimate use cases.

     Tools: microsoft-intune, jamf, symantec-endpoint, sophos
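The BitLocker conditions in step 2 (protection on, volume fully encrypted, key bound to the TPM, recovery key available for escrow to Azure AD) can be checked directly on an endpoint and the result collected alongside the MDM report to catch devices that are disabled or not reporting. The script below is an added example, not part of this control or of any MDM vendor's tooling; it assumes an elevated PowerShell session on Windows 10/11 Pro or Enterprise with the built-in BitLocker and TrustedPlatformModule modules, and the `-EscrowToAzureAD` switch is only meaningful on an Azure AD joined device.

```powershell
# Added example: local BitLocker compliance check for the OS volume, mirroring
# the conditions an MDM compliance policy evaluates. Run elevated.
function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,   # usually C:
        [switch]$EscrowToAzureAD                  # also back up the recovery key to Azure AD
    )
    $reasons = @()

    # Keys must be bound to hardware: a present, initialised TPM is required.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $reasons += 'TPM not present or not ready'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') { $reasons += 'Protection is off' }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $reasons += "Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
    }

    # Protector types beginning with "Tpm" (Tpm, TpmPin, TpmPinStartupKey, ...) bind the key to the TPM.
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if (-not ($types -match '^Tpm')) { $reasons += 'No TPM-bound key protector' }

    # A recovery password protector is what gets escrowed to Azure AD / the MDM.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        $reasons += 'No recovery password protector to escrow'
    } elseif ($EscrowToAzureAD) {
        foreach ($rp in $recovery) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
    }

    # One record per device; collect these centrally and compare with the Intune report.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MountPoint   = $MountPoint
        Compliant    = ($reasons.Count -eq 0)
        Reasons      = ($reasons -join '; ')
        CheckedAt    = (Get-Date).ToString('o')
    }
}

Test-BitLockerCompliance
```

A device is reported non-compliant with the specific reasons, so the same output doubles as the evidence trail for the compliance report required below.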

Evidence required

MDM encryption compliance report

Evidence that disk encryption is enforced and actively monitored across all endpoints.

  - Intune device compliance report showing BitLocker status across all Windows devices
  - Jamf Pro report showing FileVault status and key escrow for macOS devices
  - MDM compliance policy configuration requiring encryption as a condition

Related controls