Citrix Endpoint Management

FileVault device policy

The macOS FileVault full-disk encryption (FileVault 2) feature protects the system volume by encrypting its contents. A user logs in to a FileVault-enabled macOS device with their account password each time that the device starts. If the user loses their password, a recovery key enables them to unlock the disk and reset their password.

This device policy enables FileVault user setup screens and configures settings such as recovery keys. For more information about FileVault, see the Apple support site.

To add the FileVault policy, go to Configure > Device Policies.

macOS settings

Device policies configuration screen

  • Enable FileVault: If On, users are prompted to enable FileVault during the next N logouts, where N is the value of Maximum times to skip FileVault setup. If Off, users don’t receive a prompt to enable FileVault, but they can still enable FileVault on their own.
  • Prompt for FileVault setup during logout: If On, users see a prompt asking them to enable FileVault when they log out.
  • Maximum times to skip FileVault setup: The maximum number of times that the user can skip FileVault setup. When the user reaches the maximum, the user must set up FileVault to log in. If 0, the user must enable FileVault during the first login attempt. Default is 0.
  • Recovery key type: A user who forgets their password can type a recovery key to unlock the disk and reset their password. Recovery key options:

    • Personal recovery key: A personal recovery key is unique to a user. During FileVault setup, a user chooses whether to create a recovery key or to allow their iCloud account to unlock their disk. To show the recovery key to the user after FileVault setup completes, enable Show personal recovery key. Showing the key enables the user to record the key for future use. To allow users to look up their key if they lose it, enable Escrow personal recovery key.

      You can rotate personal recovery keys through security actions. For more information on rotating personal recovery keys, see Security actions.

      For information about recovery key management, see the Apple support site.

    • Institutional recovery key: You can create an institutional (or main) recovery key and FileVault certificate, which you then use to unlock user devices. For information, see the Apple support site. Use Citrix Endpoint Management to deploy the FileVault certificate to devices. For information, see Certificates and authentication.

    • Personal & institutional recovery key: If you enable both types of recovery keys, you need to unlock a user device only when the user loses their personal recovery key.

  • Institutional recovery key certificate: If you select Institutional recovery key or Personal & Institutional recovery key as the Recovery key type, select the recovery key certificate for that key.

  • Show personal recovery key: If On, the user device shows the personal recovery key to the user after setting up FileVault. Defaults to Off.

    FileVault user screen

  • Escrow personal recovery key: When enabled, users can store a copy of the personal recovery key for each device with Citrix Endpoint Management.

    FileVault prompt to store key

    To access the key from Citrix Endpoint Management, go to Manage > Devices, select the macOS device, and click Edit. Then, go to Device details > General and locate the Personal recovery key.

    To allow users to view their recovery key from the Self-Help Portal, enable Escrow personal recovery key and Display personal recovery key to user. The key appears in the Self-Help Portal on the Properties page under Security information. For more information about the Self-Help Portal, see Self-Help Portal.

    FileVault key displayed in the Self-Help Portal

    You can enable the Escrow personal recovery key setting even if you don’t enable the Enable FileVault setting. If you disable the Enable FileVault setting, users can still enable FileVault on their own. In this situation, enable Escrow personal recovery key to allow users to store a copy of their key with Citrix Endpoint Management.

    If a user enables FileVault before enrolling the device in Citrix Endpoint Management, Citrix Endpoint Management doesn’t store their recovery key. The device shows up as FileVault-enabled in the console.
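As an added illustration (not code from the Citrix documentation or product), the settings above correspond to Apple's FileVault and recovery-key-escrow configuration-profile payloads; the script below builds such a profile and audits it for the weak settings the list warns about (unlimited skips, no escrow). The payload key names are Apple's documented ones, while the identifiers, UUIDs and the assumption that Citrix Endpoint Management delivers these settings as such a profile are not from the page.

```python
import plistlib

FV_TYPE = "com.apple.MCX.FileVault2"
ESCROW_TYPE = "com.apple.security.FDERecoveryKeyEscrow"

def build_profile(enable, max_skips, show_key, escrow_cert_uuid=None):
    """Return a .mobileconfig (XML plist) with the FileVault payload and,
    optionally, the recovery-key escrow payload. Key names are Apple's
    documented payload keys; identifiers and UUIDs are placeholders."""
    filevault = {
        "PayloadType": FV_TYPE, "PayloadVersion": 1,
        "PayloadIdentifier": "example.filevault", "PayloadUUID": "FV-UUID-PLACEHOLDER",
        "Enable": "On" if enable else "Off",
        "Defer": True,  # prompt at logout/login instead of needing the password now
        # 0 = must enable at the next login; -1 = the user may skip indefinitely
        "DeferForceAtUserLoginMaxBypassAttempts": max_skips,
        "ShowRecoveryKey": show_key,
    }
    content = [filevault]
    if escrow_cert_uuid:
        content.append({
            "PayloadType": ESCROW_TYPE, "PayloadVersion": 1,
            "PayloadIdentifier": "example.escrow", "PayloadUUID": "ESCROW-UUID-PLACEHOLDER",
            "Location": "Citrix Endpoint Management",  # text shown in the escrow prompt
            "EncryptCertPayloadUUID": escrow_cert_uuid,  # certificate that wraps the key
        })
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "example.profile",
               "PayloadUUID": "PROFILE-UUID-PLACEHOLDER", "PayloadContent": content}
    return plistlib.dumps(profile)

def audit_profile(mobileconfig):
    """Return a list of findings for settings that weaken the FileVault policy."""
    content = plistlib.loads(mobileconfig).get("PayloadContent", [])
    by_type = {p.get("PayloadType"): p for p in content}
    findings = []
    fv = by_type.get(FV_TYPE)
    if fv is None:
        return ["no FileVault payload: disk encryption is not managed"]
    if fv.get("Enable") != "On":
        findings.append("Enable is Off: users are never prompted to turn on FileVault")
    elif fv.get("Defer") and fv.get("DeferForceAtUserLoginMaxBypassAttempts", -1) < 0:
        findings.append("unlimited skips: deferred setup never becomes mandatory")
    escrow = by_type.get(ESCROW_TYPE)
    if escrow is None:
        findings.append("no escrow payload: a lost personal recovery key cannot be recovered")
    elif not escrow.get("EncryptCertPayloadUUID"):
        findings.append("escrow payload has no certificate: the key cannot be wrapped")
    return findings
```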
