Configuring FileVault

By Vicky Munsell

Learn how to deploy, monitor, and manage FileVault on macOS devices

About FileVault & Recovery Keys

FileVault is a built-in feature of macOS that encrypts the boot drive. During setup, FileVault generates a Recovery Key, which provides an additional way to unlock the drive if the passwords of all FileVault-enabled users are forgotten.

Learn more about how FileVault secures your Mac devices and changes login behavior.
Learn how to leverage the FileVault Recovery Key to reset a user's password.

Library Item: FileVault

The FileVault 2 library item requires all enrolled macOS devices to enable FileVault disk encryption. Users of Mac devices will be prompted to complete FileVault setup upon restart.

Library Item Options

  1. FileVault Enforcement: This drop-down offers the following two selections:
    1. Enforce immediately upon next login (Recommended)
      Selecting this option will require FileVault to be enabled immediately at the next login. 
    2. Allow user deferral before enforcing (Not Recommended)
      Selecting this option will hide the Prompt for restart if FileVault is not enabled option and instead show a User Deferral drop-down, allowing you to select how many login attempts can be made before FileVault is enabled.
  2. Prompt for restart if FileVault is not enabled (Recommended)
    Selecting this option will allow you to force or request a restart to enable FileVault. The following two options are available from the drop-down:
    1. Force a restart after (Recommended)
      Selecting this option will force the user to restart after the specified amount of time. Upon the next login, the user will be forced to enable FileVault. 
    2. Remind to restart every... (Not Recommended)
      Selecting this option will allow you to remind the end user every x minutes to restart the Mac. Upon the next login, the user will be forced to enable FileVault.
  3. Number of Minutes drop-down:
    This drop-down allows you to specify how many minutes should pass before forcing a restart, or how frequently a user should be reminded to restart to enable FileVault. 
  4. Show the user the FileVault Recovery Key when it is generated:
    Selecting this option will show the end user the FileVault recovery key when FileVault is enabled via the MDM profile, or any time the Kandji Agent is required to regenerate the recovery key (such as when migrating a previously FileVault-enabled device from another MDM solution).

    If you are escrowing your recovery keys to Kandji, we recommend disabling this option for security reasons.
  5. Escrow Recovery Keys to Kandji:
    Selecting this option will automatically escrow the FileVault Recovery key. Note that if you enable this option, the Kandji Agent will automatically prompt the end user on any device that already has a Recovery Key generated to regenerate its Recovery Key.
  6. Automatically rotate keys:
    Selecting this option will allow you to specify how frequently Kandji should rotate the FileVault Recovery Keys of assigned devices. Rotation is performed via the RotateFileVaultKey MDM command.

View FileVault Recovery Keys

The FileVault key can be found inside the Mac computer record in the Kandji Web App by clicking the more (...) button and clicking View FileVault Recovery Key.

You can force the Mac to generate a new FileVault recovery key by running the following command on any Mac via Terminal. Kandji will then capture the newly generated key if the escrow option is enabled.

sudo fdesetup changerecovery -personal
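
Before forcing a new key, it helps to confirm what state the Mac is actually in. The script below is an added example, not part of the original article or of Kandji's tooling: it classifies the output of fdesetup status and fdesetup haspersonalrecoverykey and names the next step. The state labels and both function names are made up for this sketch, and the sample strings used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: classify FileVault state from fdesetup output.
# State labels (COMPLIANT, NEEDS_KEY, ...) are hypothetical names for this sketch.

# classify_filevault STATUS_TEXT HAS_PRK
#   STATUS_TEXT: text printed by `fdesetup status`
#   HAS_PRK:     text printed by `fdesetup haspersonalrecoverykey` (true/false)
classify_filevault() {
    status_text=$1
    has_prk=$2
    case $status_text in
        *"FileVault is On."*)
            # Encrypted, but escrow only works if a personal recovery key exists.
            if [ "$has_prk" = "true" ]; then
                echo "COMPLIANT"
            else
                echo "NEEDS_KEY"
            fi ;;
        *"Deferred enablement appears to be active"*)
            # Checked before "Off": deferred devices also report "FileVault is Off."
            echo "PENDING_LOGIN" ;;
        *"FileVault is Off."*)
            echo "NOT_ENABLED" ;;
        *)
            echo "UNKNOWN" ;;
    esac
}

# next_action STATE: the follow-up step for each state.
next_action() {
    case $1 in
        COMPLIANT)     echo "none" ;;
        NEEDS_KEY)     echo "sudo fdesetup changerecovery -personal" ;;
        PENDING_LOGIN) echo "restart, then log in to finish enabling FileVault" ;;
        NOT_ENABLED)   echo "assign the FileVault library item to this device" ;;
        *)             echo "inspect fdesetup status manually" ;;
    esac
}

# Live check: runs only where fdesetup exists (macOS); run the script with sudo.
if command -v fdesetup >/dev/null 2>&1; then
    state=$(classify_filevault "$(fdesetup status)" "$(fdesetup haspersonalrecoverykey)")
    echo "FileVault state: $state"
    echo "Next action: $(next_action "$state")"
fi
```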

Parameter: Report user accounts with FileVault Recovery Keys escrowed to iCloud

macOS allows users to store Recovery Keys with their iCloud account. This is not recommended for enterprise-owned Mac devices, as it's possible that keys can be retrieved by an unknown party. Use this parameter to be alerted if a Recovery Key is stored in iCloud. This alert is a helpful reminder to pair with the user to remove the recovery key from their iCloud account.

FileVault Key Regeneration

If you have enabled the Escrow recovery keys to Kandji setting in your FileVault library item, any Mac that enrolls into Kandji that previously had FileVault enabled will automatically prompt your end users to regenerate their FileVault Key so it can be escrowed.


End users will be prompted to authenticate with their FileVault Credentials, as shown below. Authentication and end user interaction are required due to the nature of how FileVault works.

The list of usernames is automatically populated with all FileVault Enabled users. If the currently logged-in user is FileVault enabled, that username is chosen by default. Otherwise, the next available FileVault user is selected.

If no FileVault-enabled username is entered, an error will be displayed.

Key Regeneration: Once the end user has successfully authenticated, the FileVault Key will be regenerated and shown/hidden based on your parameter configuration, as shown below.

Accessibility View: If you have chosen to display the FileVault recovery key as part of the regeneration process, the end user can click on the Recovery Key to have it shown in a large accessible format.