Audit macOS endpoints for unencrypted Core Storage and APFS volumes outside FileVault coverage
This Automox Worklet™ audits mounted volumes on macOS endpoints to find drives that carry neither Core Storage nor APFS metadata, the two formats under which macOS offers native volume encryption (FileVault on the boot volume, per-volume encryption elsewhere). The Worklet walks every entry under /Volumes/, calls diskutil info on each mount, and inspects the output for a Core Storage Information block or an APFS Information section. Volumes that show neither block (plain HFS+, exFAT, FAT32, or NTFS media) are flagged as unencrypted and the drive name is written to the Automox Activity Log. Note the limit of this heuristic: the presence of an APFS or Core Storage block proves only the volume format, not that encryption is turned on, so an APFS volume that was never encrypted passes this check. diskutil info prints the actual state in the FileVault: and Encrypted: fields of those blocks; read those fields if you need a definitive answer.
The Worklet excludes mounts whose Protocol field reports Disk Image, so .dmg files mounted for installers or temporary use do not trigger false positives. The check focuses on physical disks, attached USB media, external Thunderbolt enclosures, and secondary internal partitions that hold persistent user data. Entries under /Volumes/ for which diskutil returns no Protocol value (for example an empty directory left behind by a stale mount point) are skipped as well.
Evaluation always exits non-compliant so the audit runs on every policy execution. The remediation script does the inspection and reporting; it never writes to the disk, never enables FileVault on its own, and never modifies a partition. Treat this Worklet as a fleet-wide read-only audit, then pair it with a follow-up policy that enables FileVault or moves the endpoint out of your compliant group.
Unencrypted storage is one of the cheapest ways to lose regulated data. A misplaced laptop, an external drive left in a hotel room, or a backup disk pulled from a desk drawer becomes a breach the moment the attacker plugs it in. The CIS Benchmark for macOS requires FileVault on the boot volume (the control number differs between benchmark versions, so cite the one you assess against), but FileVault covers only the startup volume: secondary partitions, attached USB drives, and external Thunderbolt enclosures must be encrypted separately, and nothing forces that. That gap is exactly what this audit surfaces, so encryption-at-rest evidence for your compliance program reflects every mounted volume rather than only the boot disk.
Unencrypted external drives on macOS show up in unexpected places: a designer's portable SSD, a finance workstation that picked up a thumb drive months ago, or a developer's external RAID. Schedule this read-only Worklet on the macOS compliance policy so the flagged drive names land in the Activity Log on every pass. The next encryption review starts from per-endpoint evidence instead of a one-time spreadsheet. The audit maps directly to NIST SP 800-53 SC-28 (Protection of Information at Rest) and supports PCI DSS requirement 3.5 (PAN secured wherever it is stored, v4.0 numbering) on Mac endpoints.
Evaluation phase: The evaluation script exits 1 unconditionally so the remediation phase runs on every execution. This pattern is intentional for a read-only audit: the Worklet inspects live disk state on each run instead of trusting a cached result.
Remediation phase: The remediation script loops through /Volumes/* and runs diskutil info on each mount name. It captures the Protocol field with grep -m 1 "Protocol:" and skips any volume whose protocol is empty or Disk Image. For each surviving volume, it checks the diskutil output for the literal strings Core Storage Information and APFS Information:. When both are absent, the script increments a counter and writes Drive "<name>" is not encrypted. to stdout. If the final count is zero, it logs No unencrypted Core Storage volumes found. and exits cleanly. Because the test is for the presence of the block rather than for the FileVault: or Encrypted: value inside it, the script flags non-APFS, non-Core-Storage volumes only; an unencrypted APFS volume is not reported.
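The check described above, as an added example that is not the Worklet's own script: a POSIX sh classifier that applies the same Protocol and block-presence rules to one diskutil info output read on stdin, and additionally reads the FileVault: and Encrypted: fields so that an unencrypted APFS or Core Storage volume is reported instead of passing. The function names, the result labels, and the abridged sample outputs at the bottom are assumptions made for this example; the field names are the ones diskutil prints on current macOS.

```shell
#!/bin/sh
# Added example, not code from the Automox Worklet. Classifies a volume from
# the text of `diskutil info <mount>` supplied on stdin.

# classify_volume: prints exactly one of
#   skip | encrypted | unencrypted-apfs | unencrypted-corestorage | unencrypted
classify_volume() {
    info=$(cat)

    # Same skip rule as the Worklet: no Protocol line at all, or a mounted .dmg.
    proto=$(printf '%s\n' "$info" | grep -m 1 'Protocol:' | sed 's/^.*Protocol:[[:space:]]*//')
    case "$proto" in
        ''|'Disk Image') echo skip; return 0 ;;
    esac

    # diskutil states the encryption status explicitly inside the APFS and
    # Core Storage blocks. A "Yes" on either field is the only real evidence;
    # "No (Encrypted at rest)" on Apple Silicon boot volumes does not count.
    if printf '%s\n' "$info" | grep -Eq '^[[:space:]]*(FileVault|Encrypted):[[:space:]]*Yes'; then
        echo encrypted; return 0
    fi
    if printf '%s\n' "$info" | grep -q 'APFS Information:'; then
        echo unencrypted-apfs; return 0          # block present, encryption off: the Worklet passes this
    fi
    if printf '%s\n' "$info" | grep -q 'Core Storage Information'; then
        echo unencrypted-corestorage; return 0   # same gap for a plain Core Storage LV
    fi
    echo unencrypted                             # HFS+, exFAT, FAT32, NTFS: the Worklet flags these
}

# audit_volumes: run the classifier over every mount under a root (default
# /Volumes) and print findings in the Worklet's own message format. Always
# returns 0 because this is a read-only audit. Only meaningful on macOS.
audit_volumes() {
    root=${1:-/Volumes}
    count=0
    for mount in "$root"/*; do
        [ -e "$mount" ] || continue
        state=$(diskutil info "$mount" 2>/dev/null | classify_volume)
        case "$state" in
            unencrypted*)
                count=$((count + 1))
                echo "Drive \"${mount##*/}\" is not encrypted ($state)." ;;
        esac
    done
    [ "$count" -eq 0 ] && echo "No unencrypted volumes found."
    return 0
}

# Constructed, abridged diskutil info outputs for offline testing (assumed shapes).
SAMPLE_APFS_PLAIN='   Volume Name:               Projects
   Protocol:                  USB
   This disk is an APFS Volume.  APFS Information:
   APFS Container:            disk4
   Encrypted:                 No
   FileVault:                 No'

SAMPLE_APFS_FV='   Volume Name:               Backups
   Protocol:                  USB
   This disk is an APFS Volume.  APFS Information:
   APFS Container:            disk5
   FileVault:                 Yes (Unlocked)'

SAMPLE_HFS='   Volume Name:               OLDBACKUP
   File System Personality:   Journaled HFS+
   Protocol:                  USB'

SAMPLE_DMG='   Volume Name:               Installer
   Protocol:                  Disk Image'

SAMPLE_CS='   Volume Name:               Legacy
   Protocol:                  SATA
   Core Storage Information:
   LV Name:                   Legacy
   Encrypted:                 Yes'

# Run the real audit when invoked directly on a Mac; harmless elsewhere.
[ "$(uname)" = "Darwin" ] && audit_volumes
```

Run it as root or as the Automox agent on a Mac to see the same drive names the Worklet would print, plus the unencrypted-apfs and unencrypted-corestorage findings that the block-presence test alone cannot produce.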
macOS endpoint with the Automox agent installed; the Worklet supports both Intel and Apple Silicon hardware on macOS 11 Big Sur through macOS 15 Sequoia
diskutil command available at /usr/sbin/diskutil (ships with every macOS release; no additional install required)
Root context is not needed for diskutil info itself, which reads disk metadata as an ordinary user; the Automox agent runs as root by default, so no extra privilege configuration is required either way
Target volumes mounted under /Volumes/ at the time the policy fires; unmounted disks and ejected media are not evaluated
Read access to FileVault status; the Worklet does not require a Secure Token or a recovery key because it only reads disk metadata
Optional pairing with the Enable FileVault Worklet or an MDM-delivered FileVault configuration profile to act on the audit findings
On a fully encrypted endpoint, the Activity Log shows a single line: No unencrypted Core Storage volumes found. The Worklet still reports as remediated because the evaluation script intentionally exits 1; this is the correct steady state for a read-only audit. Treat that message as a pass for the policy run and capture it in your compliance evidence.
On a non-compliant endpoint, the Activity Log lists each unencrypted drive by its mount name. Common findings include external USB backups on HFS+ or exFAT, Time Machine drives formatted as HFS+ without encryption, USB-C SSDs used for project data, and secondary internal partitions on Mac Pro and Mac Studio workstations. Cross-reference each drive name with the endpoint inventory to decide whether to encrypt the volume in place (Finder's Encrypt option or diskutil apfs encryptVolume for APFS volumes), replace the drive with an encrypted one, or remove the unencrypted media from the endpoint.
Validate a remediation by re-running the Worklet after encrypting the flagged volume. You can also run diskutil apfs list (for APFS containers) and diskutil cs list (for legacy Core Storage volumes) locally: each APFS volume should report FileVault: Yes or Encrypted: Yes, and each Core Storage logical volume should report an AES-XTS Encryption Type. For audit evidence, export the Worklet run history from Automox, filter by this policy, and store the per-endpoint stdout alongside your control documentation. Schedule the Worklet weekly on a recurring policy so new drives plugged in between audits surface on the next run.