Detect unencrypted APFS volumes on macOS endpoints and enforce FileVault encryption
This Automox Worklet™ scans macOS endpoints for user-created APFS storage volumes and evaluates whether FileVault encryption is enabled on each volume. The Worklet uses the diskutil command to enumerate all volumes marked with "No specific role" (indicating user-created containers) and checks the FileVault status for each one.
The Worklet flags any volumes where FileVault is not enabled, allowing you to identify endpoints that do not meet your data protection requirements. By running this Worklet regularly, you maintain visibility into encryption compliance across your macOS fleet.
Unencrypted volumes expose sensitive data to physical theft, unauthorized access, and compliance violations. When employees create custom storage partitions outside the system volume, those partitions may not inherit the protection of the primary system encryption.
Organizations subject to regulatory frameworks like HIPAA, PCI-DSS, SOC 2, and CIS Benchmarks require encryption on all data storage media. The Worklet ensures you meet these standards without manual auditing. You reduce your security risk by closing gaps where unencrypted user volumes could become attack vectors.
This Worklet supports your broader zero-trust and endpoint hardening strategy by enforcing consistent encryption policies across heterogeneous storage configurations.
Evaluation phase: The Worklet lists all APFS containers using diskutil, filters for volumes with no specific role (user-created storage), and queries the FileVault encryption status of each volume using diskutil info.
Remediation phase: If any volume returns a FileVault status other than "Yes", the Worklet reports the unencrypted volume and exits with a non-compliance status, triggering your incident response or remediation workflow.
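The evaluation flow described above can be sketched as follows. This is an added example, not the Worklet's own script; the function names (`user_volumes`, `filevault_status`, `evaluate`, `sample_diskutil`) are hypothetical, and the sample diskutil output is constructed on the assumption that diskutil prints the role and FileVault fields in this layout.

```shell
#!/bin/bash
# Added example: evaluation logic for user-created APFS volumes.
# Assumption: diskutil output follows the layout of the constructed sample below.

# Read `diskutil apfs list` text on stdin; print device IDs with no specific role.
user_volumes() {
  awk '/APFS Volume Disk \(Role\):/ && /\(No specific role\)/ {
         for (i = 1; i <= NF; i++) if ($i ~ /^disk[0-9]+s[0-9]+$/) print $i
       }'
}

# Read `diskutil info` text on stdin; print the first word of the FileVault field.
# A missing field yields "Unknown", which evaluate() treats as non-compliant.
filevault_status() {
  awk -F': *' '/^ *FileVault:/ { split($2, w, " "); print w[1]; found = 1; exit }
               END { if (!found) print "Unknown" }'
}

# $1 = command to run as diskutil (defaults to the real binary).
# Returns 0 only if every user volume reports FileVault "Yes".
evaluate() {
  local du="${1:-diskutil}" vol status rc=0
  for vol in $("$du" apfs list | user_volumes); do
    status=$("$du" info "$vol" | filevault_status)
    if [ "$status" != "Yes" ]; then
      echo "NON-COMPLIANT: $vol FileVault=$status"
      rc=1
    fi
  done
  return $rc
}

# Constructed stand-in for diskutil so the logic can be exercised off-device.
sample_diskutil() {
  case "$1 $2" in
    "apfs list") cat <<'EOF'
+-- Container disk1 (constructed sample)
    |   APFS Volume Disk (Role):   disk1s1 (Data)
    |   FileVault:                 Yes (Unlocked)
    |   APFS Volume Disk (Role):   disk1s7 (No specific role)
    |   FileVault:                 No
        APFS Volume Disk (Role):   disk1s8 (No specific role)
        FileVault:                 Yes (Unlocked)
EOF
      ;;
    "info disk1s7") echo "   FileVault:                 No" ;;
    "info disk1s8") echo "   FileVault:                 Yes" ;;
  esac
}
```

Run `evaluate sample_diskutil` to exercise the logic against the constructed data, or `evaluate` with no argument on a macOS endpoint; the return code is non-zero when any user volume is not reported as encrypted.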
macOS endpoints with APFS storage (10.13 High Sierra or later)
User-created volumes or custom APFS containers present on the endpoint
Local administrator or root privileges for diskutil access
FileVault encryption capability available on the endpoint
After remediation, all user-created APFS volumes on compliant endpoints show FileVault encryption status as "Yes" when queried with diskutil info. Endpoints with unencrypted volumes appear in your compliance dashboard with actionable remediation steps, allowing you to enable FileVault encryption on non-compliant volumes or retire the volumes if not needed.
You can verify compliance by running the Worklet in FixNow mode to get immediate results, or schedule it as a recurring policy to maintain continuous monitoring of your APFS encryption posture.
Run this Worklet on a pilot macOS endpoint and review the evaluation output to verify that all user storage APFS volumes are encrypted.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to the evaluation script logic, such as its exit and else statements.
Validate the remediation effects of script operations such as else and exit, then rerun the evaluation to confirm compliance.
For technical validation, compare endpoint state to the Worklet's evaluation logic and remediation flow to verify that all user storage APFS volumes are encrypted. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.
Useful script references for this Worklet include evaluation operations such as exit and else, and remediation operations such as else and exit. Use these indicators to verify that endpoint changes match intended policy outcomes.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
