FileVault device policy

The macOS FileVault Disk Encryption feature protects the system volume by encrypting its contents. With FileVault enabled on a macOS device, a user logs in with their account password each time that the device starts. If the user loses their password, a recovery key enables them to unlock the disk and reset their password.

The Endpoint Management device policy, FileVault, enables FileVault user setup screens and configures settings such as recovery keys. For more information about FileVault, see the Apple support article, https://support.apple.com/en-us/HT204837.

To add the FileVault policy, go to Configure > Device Policies.

macOS settings

Image of Device Policies configuration screen

  • Prompt for FileVault setup during logout: If ON, prompts the user to enable FileVault at logout, repeating at each of the next N logouts, where N is the value of the Maximum times to skip FileVault setup option. If OFF, the FileVault password prompt doesn’t appear at logout.

After you deploy the FileVault policy with this setting on, the following screen appears when a user signs off the device. The screen gives the user the option to enable FileVault before signing off.

Image of FileVault user screen

If the Maximum times to skip FileVault setup value isn’t 0, and you deploy the FileVault policy with this setting off, the following screen appears when the user next signs on.

Image of FileVault user screen

If the Maximum times to skip FileVault setup value is 0 or the user has skipped setup the maximum number of times, the following screen appears.

Image of FileVault user screen

  • Maximum times to skip FileVault setup: The maximum number of times that the user can skip FileVault setup. When the user reaches the maximum, the user must set up FileVault to log in. If 0, the user must enable FileVault during the first login attempt. Default is 0.
  • Recovery key type: A user who forgets their password can type a recovery key to unlock the disk and reset their password. Recovery key options:

    • Personal recovery key: A personal recovery key is unique to a user. During FileVault setup, a user chooses whether to create a recovery key or to allow their iCloud account to unlock their disk. To show the recovery key to the user after FileVault setup completes, enable Show personal recovery key. Showing the key enables the user to record the key for future use. For information about recovery key management, see the Apple support article, https://support.apple.com/en-us/HT204837.

    • Institutional recovery key: You can create an institutional (or master) recovery key and FileVault certificate, which you then use to unlock devices. For information, see the Apple support article, https://support.apple.com/en-us/HT202385. Use Endpoint Management to deploy the FileVault certificate to devices. For information, see Certificates and authentication.

    • Personal & institutional recovery key: If you enable both types of recovery keys, you need to unlock a user’s device yourself only when the user loses their personal recovery key.

  • Show personal recovery key: If ON, shows the personal recovery key to the user after enabling FileVault on the device. Defaults to ON.

Image of FileVault user screen
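The settings above correspond to keys in Apple’s com.apple.MCX.FileVault2 configuration profile payload. The example below, added here and not Endpoint Management’s own code, builds that payload from the four policy options; the mapping of each option to a payload key is my assumption, as are the placeholder identifier and certificate UUID. It also refuses an institutional key without the FileVault certificate payload the policy depends on.

```python
import plistlib
import uuid


def build_filevault_payload(prompt_at_logout, max_skips, key_type,
                            show_personal_key=True, cert_payload_uuid=None):
    """Return a com.apple.MCX.FileVault2 payload dict for the given options.

    key_type is "personal", "institutional" or "both" (the three
    Recovery key type choices). cert_payload_uuid is the UUID of the
    certificate payload carrying the institutional FileVault certificate.
    """
    if max_skips < 0:
        raise ValueError("max_skips must be 0 or greater")
    if key_type not in ("personal", "institutional", "both"):
        raise ValueError(f"unknown recovery key type: {key_type!r}")
    if key_type in ("institutional", "both") and not cert_payload_uuid:
        # An institutional key cannot unlock anything unless the matching
        # FileVault certificate is deployed with the policy.
        raise ValueError("institutional key needs a certificate payload UUID")

    payload = {
        "PayloadType": "com.apple.MCX.FileVault2",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.filevault",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "Enable": "On",
        # Deferred enablement: the user is prompted in their own session.
        "Defer": True,
        # "Prompt at logout" is the inverse of "don't ask at user logout".
        "DeferDontAskAtUserLogout": not prompt_at_logout,
        # 0 means FileVault must be enabled at the very first login.
        "DeferForceAtUserLoginMaxBypassAttempts": max_skips,
        # A personal recovery key exists only for "personal" and "both".
        "UseRecoveryKey": key_type in ("personal", "both"),
        # There is no personal key to show when only an institutional key is set.
        "ShowRecoveryKey": bool(show_personal_key) and key_type != "institutional",
    }
    if cert_payload_uuid:
        payload["PayloadCertificateUUID"] = cert_payload_uuid
    return payload


def to_plist(payload):
    """Serialize the payload as XML property-list text for inspection."""
    return plistlib.dumps(payload).decode("utf-8")
```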
