Citrix Endpoint Management

FileVault device policy

The macOS FileVault full-disk encryption (FileVault 2) feature protects the system volume by encrypting its contents. With FileVault enabled on a macOS device, a user logs in with their account password each time that the device starts. If the user loses their password, a recovery key enables them to unlock the disk and reset their password.

This device policy enables FileVault user setup screens and configures settings such as recovery keys. For more information about FileVault, see the Apple support site.

To add the FileVault policy, go to Configure > Device Policies.

macOS settings

[Image: Device policies configuration screen]

  • Enable FileVault: If On, prompts the user to enable FileVault during the next N logouts, as specified by the option Maximum times to skip FileVault setup. If Off, the FileVault password prompt doesn’t appear.
  • Prompt for FileVault setup during logout: If On, users see a prompt asking them to enable FileVault when they log out.
  • Maximum times to skip FileVault setup: The maximum number of times that the user can skip FileVault setup. When the user reaches the maximum, the user must set up FileVault to log in. If 0, the user must enable FileVault during the first login attempt. Default is 0.
  • Recovery key type: A user who forgets their password can type a recovery key to unlock the disk and reset their password. Recovery key options:

    • Personal recovery key: A personal recovery key is unique to a user. During FileVault setup, a user chooses whether to create a recovery key or to allow their iCloud account to unlock their disk. To show the recovery key to the user after FileVault setup completes, enable Show personal recovery key. Showing the key enables the user to record the key for future use. For information about recovery key management, see the Apple support site. You can also rotate personal recovery keys through security actions. For more information on rotating personal recovery keys, see Security actions.

    • Institutional recovery key: You can create an institutional (or master) recovery key and FileVault certificate, which you then use to unlock user devices. For information, see the Apple support site. Use Endpoint Management to deploy the FileVault certificate to devices. For information, see Certificates and authentication.

    • Personal & institutional recovery key: If you enable both types of recovery keys, you need to unlock a user device with the institutional key only if the user loses their personal recovery key.

  • Institutional recovery key certificate: If you select Institutional recovery key or Personal & Institutional recovery key as the Recovery key type, select the recovery key certificate for that key.

  • Show personal recovery key: If On, the user device shows the personal recovery key to the user after setting up FileVault. Defaults to Off.

[Image: FileVault user screen]

  • Escrow personal recovery key: Store the personal recovery key for each device. You can access the key from the device details page. Users can view their recovery key from the Self-Help Portal if you enable this setting and the Display personal recovery key to user setting. For more information about the Self-Help Portal, see To enable an enrollment mode on the Self-Help Portal. You can enable the Escrow personal recovery key setting even if you don’t enable the FileVault setting.
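The settings above combine in ways that are easy to get wrong: a personal recovery key that is neither escrowed nor shown to the user leaves nobody holding the key, and an institutional key type without a certificate cannot be applied. The following is an added example, not Citrix code, that models the policy rows as a dataclass, reports configuration errors and recovery gaps, and renders the equivalent Apple configuration profile. The payload types and keys (com.apple.MCX.FileVault2, com.apple.security.FDERecoveryKeyEscrow, Enable, Defer, DeferDontAskAtUserLogout, DeferForceAtUserLoginMaxBypassAttempts, UseRecoveryKey, ShowRecoveryKey, PayloadCertificateUUID, Location) are Apple's; this page does not show how Endpoint Management itself renders the policy, so that mapping, the `org` identifier prefix and the escrow `Location` text are this example's assumptions.

```python
"""Model of the FileVault device policy settings (added example, not Citrix code).

Maps the policy options to Apple's FileVault and key-escrow payloads and flags
combinations that leave an admin unable to recover a disk. The payload keys are
Apple's; the mapping from Citrix settings to them is this example's assumption.
"""
import plistlib
import uuid
from dataclasses import dataclass
from typing import List, Optional

KEY_TYPES = ("personal", "institutional", "both")


@dataclass
class FileVaultPolicy:
    """The policy rows from the UI, with the page's defaults."""
    enable: bool = True                 # Enable FileVault
    prompt_at_logout: bool = True       # Prompt for FileVault setup during logout
    max_skips: int = 0                  # Maximum times to skip FileVault setup
    key_type: str = "personal"          # Recovery key type
    institutional_cert_uuid: Optional[str] = None  # Institutional recovery key certificate
    show_personal_key: bool = False     # Show personal recovery key
    escrow_personal_key: bool = False   # Escrow personal recovery key


def validate(policy: FileVaultPolicy) -> List[str]:
    """Return configuration errors that would make the policy unusable."""
    errors = []
    if policy.key_type not in KEY_TYPES:
        errors.append(f"Unknown recovery key type {policy.key_type!r}")
    if policy.key_type in ("institutional", "both") and not policy.institutional_cert_uuid:
        errors.append("Institutional recovery key selected but no certificate chosen")
    if policy.max_skips < 0:
        errors.append("Maximum times to skip FileVault setup must be 0 or more")
    return errors


def risk_findings(policy: FileVaultPolicy) -> List[str]:
    """Return combinations that are valid but leave a coverage or recovery gap."""
    findings = []
    if not policy.enable:
        findings.append("FileVault is not enforced; the system volume may stay unencrypted")
    elif policy.max_skips > 0:
        findings.append(f"Users may defer setup {policy.max_skips} time(s); the disk is unencrypted until then")
    if policy.key_type == "personal" and not policy.escrow_personal_key:
        findings.append("Personal key is not escrowed and no institutional key exists; "
                        "an admin cannot unlock a disk whose user loses the key")
        if not policy.show_personal_key:
            findings.append("Personal key is neither shown to the user nor escrowed; nobody holds it")
    return findings


def to_profile(policy: FileVaultPolicy, org: str = "example.com") -> dict:
    """Render the policy as an Apple configuration-profile dictionary (assumed mapping)."""
    errors = validate(policy)
    if errors:
        raise ValueError("; ".join(errors))
    filevault = {
        "PayloadType": "com.apple.MCX.FileVault2",
        "PayloadIdentifier": f"{org}.filevault",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Enable": "On" if policy.enable else "Off",
        "Defer": policy.enable,                          # deferred enablement: ask at logout/login
        "DeferDontAskAtUserLogout": not policy.prompt_at_logout,
        "DeferForceAtUserLoginMaxBypassAttempts": policy.max_skips,  # 0 = required at first login
        "UseRecoveryKey": policy.key_type in ("personal", "both"),
        "ShowRecoveryKey": policy.show_personal_key,
    }
    if policy.key_type in ("institutional", "both"):
        # UUID of the separately deployed FileVault certificate payload
        filevault["PayloadCertificateUUID"] = policy.institutional_cert_uuid
    payloads = [filevault]
    if policy.escrow_personal_key:
        payloads.append({
            "PayloadType": "com.apple.security.FDERecoveryKeyEscrow",
            "PayloadIdentifier": f"{org}.filevault.escrow",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadVersion": 1,
            "Location": "Endpoint Management",  # assumed text shown to the user about where the key is kept
        })
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org}.filevault.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "FileVault device policy",
        "PayloadContent": payloads,
    }


def to_mobileconfig(policy: FileVaultPolicy) -> bytes:
    """Serialize the profile as an XML .mobileconfig plist."""
    return plistlib.dumps(to_profile(policy))


if __name__ == "__main__":
    for finding in risk_findings(FileVaultPolicy()) or ["no findings"]:
        print("default policy:", finding)
    strict = FileVaultPolicy(key_type="both", escrow_personal_key=True, show_personal_key=True,
                             institutional_cert_uuid=str(uuid.uuid4()).upper())
    print(to_mobileconfig(strict).decode())
```

Running the module reports that the page's defaults (personal key, not shown, not escrowed) give the admin no recovery path, whereas enabling escrow or selecting an institutional key clears the findings; the rendered plist is what a profile-inspection tool on the Mac would show for the corresponding settings.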

[Image: FileVault key displayed in the Self-Help Portal]
