Configuring FileVault

By Vicky Munsell

Learn how to deploy, monitor, and manage FileVault on macOS devices

About FileVault & Recovery Keys

FileVault is a built-in feature of macOS that encrypts the boot drive. During setup, FileVault generates a Recovery Key, allowing an additional method of access to the drive should all FileVault enabled users' passwords be forgotten.

  • Learn more about how FileVault secures your Mac devices and changes login behavior.
  • Learn how to leverage the FileVault Recovery Key to reset a user's password.
  • Learn about the User Experience with FileVault.

Library Item: FileVault

The FileVault 2 library item will enforce all enrolled macOS devices to enable FileVault disk encryption. Mac devices will be prompted to complete FileVault setup upon restart.

Library Item Options

  1. FileVault Enforcement: This drop-down offers the following two selections
    1. Enforce immediately upon next login (Recommended)
      Selecting this option will require FileVault to be enabled immediately at the next login. 
      1. When selecting this option, a second option will appear to Enforce during Setup Assistant for Automated Device Enrollment. When this option is selected, for macOS Sonoma and later, Kandji will attempt to enforce that FileVault is turned on during Setup Assistant for Automated Device Enrollment. If successful, no restart will be required by the user once they get to the Desktop.
    2. Allow user deferral before enforcing (Not Recommended)
      Selecting this option will hide the Prompt for restart if FileVault is not enabled option and instead show a User Deferral drop-down, allowing you to select how many login attempts can be made before FileVault is enabled.
  2. Enforce during Setup Assistant for Automated Device Enrollment (macOS 14+) (Recommended)
    Selecting this option will attempt to enforce FileVault during the Setup Assistant for devices running macOS 14+ that enroll using Automated Device Enrollment. This selection will ignore a FileVault skip screen setting in the Automated Device Enrollment Library item.

  3. Prompt for restart if FileVault is not enabled (Recommended)
    Selecting this option will allow you to force, or request a restart to enable FileVault. The following two options are available from the drop-down.
    1. Force a restart after (Recommended)
      Selecting this option will force the user to restart after the specified amount of time. Upon the next login, the user will be forced to enable FileVault. 
    2. Remind to restart every... (Not Recommended)
      Selecting this option will allow you to remind the end user every x minutes to restart the Mac. Upon the next login, the user will be forced to enable FileVault.
  4. Number of Minutes drop-down:
    This drop-down allows you to specify how many minutes should pass before forcing a restart, or how frequently a user should be reminded to restart to enable FileVault. 
  5. Show the user the FileVault Recovery Key when it is generated:
    Selecting this option will show the end user the FileVault recovery key when it is enabled via the MDM profile. Or any time the Kandji Agent is required to regenerate the recovery key (Such as when migrating a previously FileVault Enabled device from another MDM solution) If you are escrowing your recovery keys to Kandji, we recommend disabling this option for security reasons.
  6. Escrow Recovery Keys to Kandji:
    Selecting this option will automatically escrow the FileVault Recovery key. Note that if you enable this option, the Kandji Agent will automatically prompt the end user on any device that already has a Recovery Key generated to regenerate its Recovery Key.
  7. Automatically rotate keys:
    Selecting this option will allow you to specify how frequently Kandji should rotate assigned devices FileVault Recovery Keys, this is done via the RotateFileVaultKey MDM command. 

View FileVault Recovery Keys

The FileVault key can be found inside the Mac computer record in the Kandji Web App by clicking the more (...) button and clicking View FileVault Recovery Key.

You can force the Mac to generate a new FileVault recovery key by running the following command on any Mac via Terminal. Kandji will then capture the newly generated key if the escrow option is enabled.

sudo fdesetup changerecovery -personal

Parameter: Report user accounts with FileVault Recovery Keys escrowed to iCloud

macOS allows users to store Recovery Keys with their iCloud account. This is not recommended for enterprise-owned Mac devices, as it's possible that keys can be retrieved by an unknown party. Use this parameter to be alerted if a Recovery Key is stored in iCloud. This alert is a helpful reminder to pair with the user to remove the recovery key from their iCloud account.

Encryption Status

With APFS volumes, only the Data volumes will show as Encrypted: Yes in the Volumes section of the Device Details. This is expected behavior.

The startup disk is always encrypted on Mac computers with the Apple T2 Security Chip or Apple Silicon, so FileVault encryption is nearly immediate. On other Mac computers, FileVault encryption can take longer depending on the amount of data, but it continues in the background.

User Experience with FileVault

If you have enabled the Escrow recovery keys to Kandji setting in your FileVault library item, any Mac that enrolls into Kandji that previously had FileVault enabled will automatically prompt your end users to regenerate their FileVault Key so it can be escrowed.

Please visit the User Experience with FileVault article for more information.