Enforcing FileVault with Kandji

Learn how Kandji is able to deploy, monitor, and manage FileVault on macOS devices.

About FileVault & Recovery Keys

FileVault is a built-in feature of macOS that encrypts the boot drive using the Administrator account passwords. During set up, FileVault generates a Recovery Key, allowing an additional method of access to the drive should the password be forgotten. Learn more about how FileVault secures your Mac devices and changes login behavior here.

Parameter: Enable FileVault 2

The Enable FileVault 2 Parameter will enforce all enrolled macOS devices to enable FileVault disk encryption. Mac devices will be prompted to restart to complete the FileVault setup.

Parameter option: Show Recovery Key to the user while enabling FileVault

Enable this option to display the recovery key to your users during FileVault setup for their records.

If FileVault has already been enabled before the device is enrolled into Kandji, the key will not be captured by enabling this parameter. You will need to also turn on the escrow FileVault recovery key Parameter.

Parameter: Escrow FileVault Recovery Keys to Kandji

By enabling this Parameter, newly created FileVault recovery keys will be captured by Kandji during FileVault setup. The FileVault key can be found inside the Mac computer record in the Kandji Web App by clicking the more  (...) button and clicking View FileVault Recovery Key

You can learn more in our guide to ensure proper FileVault Recovery Key Capture.


You can force the mac to generate a new FileVault recovery key by running the following command on any Mac via Terminal. Kandji will then capture the newly generated key if the escrow Parameter is enabled.

sudo fdesetup changerecovery -personal

Parameter: Report user accounts with FileVault Recovery Keys escrowed to iCloud

macOS allows users to store Recovery Keys with your iCloud account. This is not recommended for enterprise-owned Mac devices, as it's possible that keys can be retrieved by an unknown party. Use this parameter to be alerted if a Recovery Key is stored in iCloud. This alert is a helpful reminder to pair with the user to remove the recovery key from their iCloud account.

FileVault Key Regeneration

Once you have enabled the Escrow Recovery FileVault Keys to Kandji any Mac that enrolls into Kandji that previously had FileVault enabled the Kandji Agent will automatically prompt your end-users to regenerate their FileVault Key so it can be escrowed. Similar to the Enable FileVault 2 Parameter, you can choose to show or hide the Recovery Key during this process.



End-users will be prompted to authenticate with their FileVault Credentials as shown below. Authentication and end user interaction is required due to the nature of how FileVault works. 

The list of usernames is automatically populated with all FileVault Enabled users, if the currently logged in user is FileVault enabled that username is chosen by default, otherwise the next available FileVault user is selected.

If a none FileVault enabled username is entered, an error will be displayed. 




Key Regeneration: Once the end-user has successfully authenticated, the FileVault Key will be regenerated and shown/hidden based on your parameter configuration, as shown below. 




Accessibility View: If you have chosen to display the FileVault recovery key as part of the regeneration process, the end-user can click on the Recovery Key to have it shown in a large accessible format.