Enforcing FileVault with Kandji

Learn how Kandji is able to deploy, monitor, and manage FileVault on macOS devices.

About FileVault & Recovery Keys

FileVault is a built-in feature of macOS that encrypts the boot drive using the Administrator account passwords. During set up, FileVault generates a Recovery Key, allowing an additional method of access to the drive should the password be forgotten. Learn more about how FileVault secures your Mac devices and changes login behavior here.

Parameter: Enable FileVault 2

This Parameter will enforce all enrolled macOS devices to enable FileVault disk encryption. Mac devices will be prompted to restart to complete the FileVault setup. 

Parameter: Show Recovery Key to the user while enabling FileVault

Enable this option to display the recovery key to your users during FileVault setup for their records.

Parameter: Escrow FileVault Recovery Keys to Kandji

By enabling this Parameter, newly created FileVault recovery keys will be captured by Kandji during FileVault setup. The FileVault key can be found inside the Mac's computer record in the Kandji Web App by clicking the more  (...) button and clicking View FileVault Recovery Key.


If FileVault has already been enabled before the device is enrolled into Kandji, the key will not be captured by enabling this parameter. 

You can force the mac to generate a new FileVault recovery key by running the following command on any Mac via Terminal. Kandji will then capture the newly generated key if the escrow Parameter is enabled.

sudo fdesetup changerecovery -personal

Parameter: Report user accounts with FileVault Recovery Keys escrowed to iCloud

MacOS allows users to store Recovery Keys with your iCloud account. This is not recommended for business owned Mac devices, as it's possible that keys can be retrieved by an unknown party. Use this parameter to be alerted if a Recovery Key is stored in iCloud. This alert is a helpful reminder to pair with the user to remove the recovery key from their iCloud account.