Overview
The Apple External APFS Drive Encryption Policy lets you automatically encrypt external APFS drives on managed macOS devices.
Policy name: Apple External APFS Drive Encryption Policy
What it does: Enforces encryption for external APFS volumes connected to managed Macs
Minimum OS version: macOS 12.0 or later
Supported platform: macOS
Ownership types:
Company-owned devices
BYOD (personally owned) devices
Use this policy when you want to ensure that data stored on external drives (for example, USB-C SSDs, external hard drives, and other removable APFS volumes) is protected if the drive is lost or stolen.
Note: This policy applies only to external drives formatted as APFS. Other file systems (e.g., ExFAT, HFS+) are not affected.
How it works (conceptual)
When this policy is enabled on a compatible, managed Mac:
The device looks for external drives formatted as APFS.
If an APFS external drive is detected and is not already encrypted, the system:
Encrypts the drive using a device‑specific encryption password that is defined and managed by MDM.
The encryption password is securely transmitted to your management backend (e.g., ST‑API) so that admins can retrieve it if the user needs to unlock the drive in the future.
Admins can notify the device owner when the encryption key is needed (for example, via an email action from the device detail view in your admin console).
Once an external APFS drive has been encrypted, there is no automated way to revert it to an unencrypted state through this policy; the drive would need to be erased and reformatted manually to remove encryption.
This approach ensures:
External storage stays protected even if physically removed from the Mac.
IT retains access to the encryption password for recovery and support.
End users can unlock their drives when needed, without IT having to share long-term secrets upfront.
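An audit check an admin could run on a managed Mac to confirm the policy is taking effect (it reports external APFS volumes that are still unencrypted). This is an added example, not part of the policy or the MDM product; the plist key names it reads from diskutil are assumptions listed in the header comment, and off a Mac it falls back to constructed sample data.

```python
# Added audit example (not part of the policy or its MDM agent): list external
# APFS volumes that are still unencrypted. The plist keys used here are
# assumptions about `diskutil apfs list -plist` (Containers, PhysicalStores,
# Volumes, DeviceIdentifier, Name, Encryption, FileVault) and `diskutil info -plist` (Internal).
import plistlib
import subprocess

def run_plist(args):  # run a diskutil command and parse its -plist XML output
    return plistlib.loads(subprocess.run(["diskutil", *args], check=True,
                                         capture_output=True).stdout)

def is_internal(disk):  # True when diskutil reports the disk as internal
    return bool(run_plist(["info", "-plist", disk]).get("Internal", True))

def unencrypted_external_volumes(listing, internal):
    """External APFS volumes with neither FileVault nor APFS encryption set.
    `internal` is injected so the check can run offline on constructed data."""
    findings = []
    for container in listing.get("Containers", []):
        stores = [s["DeviceIdentifier"] for s in container.get("PhysicalStores", [])]
        # Skip containers with no physical store or backed by any internal disk.
        if not stores or any(internal(s) for s in stores):
            continue
        for vol in container.get("Volumes", []):
            if not (vol.get("Encryption") or vol.get("FileVault")):
                findings.append({"device": vol["DeviceIdentifier"],
                                 "name": vol.get("Name", "?"), "store": stores[0]})
    return findings

# Constructed sample: an encrypted internal container plus an external container
# holding one unencrypted and one encrypted volume.
SAMPLE_LISTING = {"Containers": [
    {"PhysicalStores": [{"DeviceIdentifier": "disk0s2"}],
     "Volumes": [{"DeviceIdentifier": "disk3s1", "Name": "Macintosh HD",
                  "Encryption": True, "FileVault": True}]},
    {"PhysicalStores": [{"DeviceIdentifier": "disk4s2"}],
     "Volumes": [{"DeviceIdentifier": "disk5s1", "Name": "Backup SSD",
                  "Encryption": False, "FileVault": False},
                 {"DeviceIdentifier": "disk5s2", "Name": "Vault",
                  "Encryption": True, "FileVault": False}]}]}
SAMPLE_INTERNAL = {"disk0s2": True, "disk4s2": False}

if __name__ == "__main__":
    try:  # live query on a Mac; fall back to the constructed sample elsewhere
        listing, internal = run_plist(["apfs", "list", "-plist"]), is_internal
    except (FileNotFoundError, subprocess.CalledProcessError):
        listing, internal = SAMPLE_LISTING, lambda d: SAMPLE_INTERNAL.get(d, True)
    for f in unencrypted_external_volumes(listing, internal):
        print(f"UNENCRYPTED external APFS volume {f['device']} ({f['name']}) on {f['store']}")
```

With the policy enabled and working, a live run on a Mac with only APFS external drives attached should print nothing.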
Policy Fields
1. Enable External APFS Drive Encryption
Field name (internal):
enableExternalEncryption
Display name (UI): Enable External APFS Drive Encryption
Type: Boolean (true / false)
Default value: false (disabled)
Minimum OS version: macOS 12.0+
Description:
If set to true, the policy enables encryption of external APFS drives connected to the device. If set to false, the policy does not manage or enforce encryption on external APFS drives.
Behavior when true
When Enable External APFS Drive Encryption is set to true:
The device will:
Detect attached external APFS volumes.
Automatically encrypt any newly detected, unencrypted external APFS drives using a device‑specific password.
Encryption keys are:
Generated and/or assigned by the MDM system.
Sent securely to your backend service (for example, via Kafka to ST‑API) at regular intervals or on specific events.
Admin workflow (typical):
Admin can open Device Details → Security → External APFS drives encryption key.
From there, the admin can:
View that an external drive encryption key exists for the device.
Use an email action (for example, “Send to device owner”) to securely share the password with the user when they need to unlock the drive.
User workflow (typical):
The device user connects an external APFS drive.
The drive becomes encrypted automatically (if not already encrypted).
If the user later connects this drive to the same or another Mac and is prompted for a password:
The admin can retrieve the encryption key via the admin console and send it to the user.
The user enters the password to unlock the drive.
Behavior when false (default)
When Enable External APFS Drive Encryption is false:
The policy does not enforce any change on external APFS drives.
External drives will:
Continue to behave according to user actions and other system or app configurations.
Not be auto‑encrypted by this policy.
No new external APFS encryption keys are generated or reported as part of this policy.
Requirements & Compatibility
Operating system:
macOS 12.0 or later
Platform:
macOS only
Drive type:
External drives (USB, Thunderbolt, etc.)
APFS file system only (non‑APFS volumes are not affected)
Ownership models:
Company‑owned devices
BYOD devices (if enrolled and managed by MDM)
Notes and Limitations
APFS only:
This policy affects only external drives formatted as APFS. This policy will not encrypt drives using ExFAT, HFS+, NTFS, or other file systems.
No “unencrypt” option via policy:
Once an external APFS drive is encrypted under this policy, there is no supported way in the policy to decrypt it back to plain APFS. To remove encryption, the drive would typically need to be erased and reformatted manually (which destroys existing data).
User communication recommended:
Because this policy can cause previously unencrypted drives to become encrypted:
Inform users before enabling it, especially in mixed personal/work environments.
Provide clear instructions on how users can request or receive the encryption password when they need it.
Key management:
The policy assumes that your MDM and backend (e.g., ST‑API) securely handle and store encryption keys.
Admins should have defined processes for:
Who can access keys
When and how keys are shared with end users
How to audit access to drive encryption keys
Example Use Cases
Strict security for external storage
Your organization disallows unencrypted external drives for any corporate data. You enable this policy across all company‑owned Macs so any APFS external storage is encrypted automatically.
BYOD with sensitive workloads
Consultants or contractors use their own Macs, but work on sensitive customer data. You enable this policy for BYOD devices so that any APFS external drives they use for work data are encrypted and recoverable if needed.
