Why didn't Kandji capture a device's FileVault Recovery Key?

Learn how to ensure proper FileVault Recovery Key Capture.


Kandji can capture FileVault Recovery Keys to provide another method of authenticating to a device should the user's password be forgotten. If Kandji has not captured the key, review the possible causes below.

Likely Causes

FileVault was enabled before the device was enrolled in Kandji.
The Recovery Key can only be captured while FileVault is initially being set up. If FileVault was already fully enabled before the device was enrolled in Kandji, the key cannot be captured.

Fix: Manually disabling and re-enabling FileVault on the device will force a new key to be generated, which Kandji will capture. Alternatively, the following command can be run to generate a new key without disabling FileVault:

sudo fdesetup changerecovery -personal


The device hasn't completed enabling FileVault.
Enabling FileVault requires a restart, re-authentication, and user approval before the FileVault key is escrowed.

Fix: Ensure the device has completed all necessary steps to enable FileVault. Click the Kandji icon in the device's menu bar to verify whether a reboot is needed. Ensure the device is re-authenticated and the Enable FileVault prompt is accepted. Once complete, wait 15-30 minutes before checking the Kandji Web App for the Recovery Key.
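
To tell which of the two causes applies on a given device, the local FileVault state can be checked from Terminal. The script below is an added example, not part of Kandji's tooling: the function names and state labels are hypothetical, and the phrases it matches are assumptions about the wording of fdesetup status output, which can differ between macOS versions.

```shell
#!/bin/sh
# Added example (not Kandji's code): map local FileVault state to the fixes above.
# The matched phrases are assumed `fdesetup status` wording; verify on your macOS version.

# classify_fv STATUS -> prints one hypothetical state label
#   STATUS: the text printed by `fdesetup status`
classify_fv() {
    case $1 in
        # Checked first: a deferred enablement also prints "FileVault is Off."
        *"Deferred enablement"*) echo "pending-approval" ;;
        # Checked before "On": an in-progress volume can also print "FileVault is On."
        *"Encryption in progress"*) echo "encrypting" ;;
        *"FileVault is On"*) echo "on" ;;
        *"FileVault is Off"*) echo "off" ;;
        *) echo "unknown" ;;
    esac
}

# advise STATE -> prints the next step, using only the fixes in this article
advise() {
    case $1 in
        pending-approval) echo "Restart, re-authenticate, and accept the Enable FileVault prompt." ;;
        encrypting) echo "FileVault is still enabling; let it finish, then wait 15-30 minutes." ;;
        on) echo "If Kandji still shows no key, run: sudo fdesetup changerecovery -personal" ;;
        off) echo "FileVault is not enabled, so there is no key to escrow yet." ;;
        *) echo "Unrecognized status; review the fdesetup status output manually." ;;
    esac
}

if command -v fdesetup >/dev/null 2>&1; then
    # On a Mac: read the live state.
    status=$(fdesetup status 2>&1)
else
    # Constructed sample so the script also runs off-device.
    status="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."
fi

state=$(classify_fv "$status")
echo "$state: $(advise "$state")"
```

The script only reports state; it never rotates the key itself, so the changerecovery command remains a deliberate manual step.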