Report user accounts with FileVault Recovery Keys escrowed to iCloud

By Declan Alleyne

Learn how to help an end user remove a FileVault Recovery Key from their iCloud account

About using iCloud to unlock FileVault

macOS allows users to store Recovery Keys with their iCloud account. This is not recommended for enterprise-owned Mac devices, because an unknown party could retrieve the key through the iCloud account. This parameter raises an alert when a Recovery Key is stored in iCloud; treat the alert as a reminder to work with the user and follow the steps below to remove the Recovery Key from their iCloud account.

Remove the FileVault library item

Remove the FileVault library item assignment from the Mac with the following steps:

  1. Use a rule in your Assignment Map to exclude the Mac from getting the FileVault Library Item installed. If you are using a Classic Blueprint, move the device to a Blueprint that doesn't have the FileVault Library Item assigned.
  2. Once the FileVault profile has been removed from the Mac, launch System Settings and turn off FileVault encryption.
  3. If present, remove the following file locally within the home directory of the associated iCloud user:
     ~/Library/Preferences/com.apple.preference.security.plist

Reassign the FileVault library item

Depending on your FileVault enforcement settings, reassigning the FileVault library item may trigger a forced restart of the Mac, or a reminder that the end user must restart to enforce FileVault encryption.

  1. Change the rule in your Assignment Map to include the Mac again, which will trigger a reinstall of the FileVault profile. If you are using a Classic Blueprint, move the device back to the Blueprint with the FileVault Library Item assigned.
  2. As enforced by your library item, FileVault should now be turned on, and the iCloud account can no longer be used to unlock the disk.
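The following audit script is an added example, not part of this article and not a Kandji tool. It helps an admin confirm the outcome of the steps above: it reports, for each local home directory, whether the preference file named in step 3 of "Remove the FileVault library item" is still present, and on macOS it prints the current FileVault status and whether a personal recovery key is set (via the real `fdesetup status` and `fdesetup haspersonalrecoverykey` subcommands). The function names, the default `/Users` parent directory and the report format are this example's own choices; presence of the file is only reported, never deleted, and it is not by itself proof that a key is escrowed in iCloud, which is what the Kandji parameter checks.

```shell
#!/bin/sh
# Added example (not from the Kandji article): audit helper for the FileVault
# iCloud-escrow cleanup. Function names and output format are assumptions of
# this example; the file path comes from step 3 of the article.

# Path of the preference file named in step 3, relative to a user's home directory.
PREF_REL_PATH="Library/Preferences/com.apple.preference.security.plist"

# Print "present" or "absent" depending on whether the preference file exists
# under the given home directory. Read-only: the file is never touched.
check_icloud_pref_file() {
    home_dir="$1"
    if [ -f "$home_dir/$PREF_REL_PATH" ]; then
        echo "present"
    else
        echo "absent"
    fi
}

# Walk every home directory under the given parent (default /Users) and
# report the preference file state for each, skipping the shared folder.
report_homes() {
    parent="${1:-/Users}"
    for home_dir in "$parent"/*; do
        [ -d "$home_dir" ] || continue
        case "$(basename "$home_dir")" in
            Shared) continue ;;
        esac
        printf '%s: preference file %s\n' "$home_dir" "$(check_icloud_pref_file "$home_dir")"
    done
}

# On macOS, show whether FileVault is on and whether a personal recovery key
# exists. fdesetup(8) is the built-in macOS tool; on other platforms the
# check is skipped so the file audit still runs.
report_filevault_status() {
    if command -v fdesetup >/dev/null 2>&1; then
        fdesetup status
        printf 'Personal recovery key set: %s\n' "$(fdesetup haspersonalrecoverykey)"
    else
        echo "fdesetup not available (not macOS); skipping FileVault status"
    fi
}

main() {
    report_filevault_status
    report_homes "${1:-/Users}"
}

main "$@"
```

Run it as `sh audit_filevault_icloud.sh` after step 3, and again after the library item has been reassigned: the expected end state is `FileVault is On.` plus `absent` for the affected user's home directory.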