Report user accounts with FileVault Recovery Keys escrowed to iCloud

By Declan Alleyne

Learn how to pair with an end user to remove the recovery key from their iCloud account

About using iCloud to unlock FileVault

macOS allows users to store FileVault Recovery Keys with their iCloud account. This is not recommended for enterprise-owned Mac devices, because a key escrowed to a personal iCloud account could be retrieved by a party the organization does not control. This parameter raises an alert when a Recovery Key is stored in iCloud; treat the alert as a prompt to pair with the user and follow the steps below to remove the recovery key from their iCloud account.
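To see what an iCloud-escrowed key looks like on the Mac itself, the following added example (not part of this article or of the Kandji product) parses the cryptographic-user list that `diskutil apfs listUsers /` prints for the boot volume. It assumes that diskutil prints one `Type:` line per cryptographic user and that the iCloud entry's type label contains the text "iCloud Recovery"; the sample output and UUIDs below are constructed so the script can run offline.

```shell
#!/bin/sh
# Added example, not Kandji's own code. Detects an iCloud Recovery
# cryptographic user on the boot volume, which is how a FileVault
# recovery key escrowed to iCloud shows up to diskutil.
# Assumption: the iCloud entry's "Type:" line contains "iCloud Recovery".

# Return 0 when the given listUsers output contains an iCloud Recovery user.
# The text is passed as $1 so the check can be exercised on sample data.
has_icloud_recovery_user() {
    printf '%s\n' "$1" | grep -q 'Type:.*iCloud Recovery'
}

# Count every recovery-type user (personal, institutional, iCloud) in the output.
count_recovery_users() {
    printf '%s\n' "$1" | grep -c 'Type:.*Recovery'
}

# Constructed sample modelled on the diskutil listUsers layout; UUIDs are made up.
SAMPLE_ESCROWED='Cryptographic users for disk1s1 (3 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|
+-- 66666666-7777-8888-9999-AAAAAAAAAAAA
|   Type: iCloud Recovery
|
+-- BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF
|   Type: Personal Recovery User'

# Constructed sample for a Mac with only a personal recovery key (the desired state).
SAMPLE_CLEAN='Cryptographic users for disk1s1 (2 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|
+-- BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF
|   Type: Personal Recovery User'

# Use live diskutil output when it is available (macOS); otherwise fall back
# to the constructed sample so the script still demonstrates the check.
if command -v diskutil >/dev/null 2>&1; then
    LIST="$(diskutil apfs listUsers / 2>/dev/null)"
else
    LIST="$SAMPLE_ESCROWED"
fi

if has_icloud_recovery_user "$LIST"; then
    echo "ALERT: a FileVault recovery key appears to be escrowed to iCloud"
else
    echo "OK: no iCloud Recovery user on the boot volume"
fi
echo "Recovery-type users present: $(count_recovery_users "$LIST")"
```

Run it with `sh` on the Mac in question. An "ALERT" result corresponds to the condition this parameter reports; after the remove-and-reassign procedure below, the iCloud Recovery entry should no longer appear and only the recovery key enforced by your library item should remain.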


Remove the FileVault library item

Remove the FileVault library item assignment from the Mac with the following steps:

  1. Duplicate the Blueprint assigned to the computer.
  2. Remove the FileVault library item assignment from the new Blueprint.
  3. Change the Blueprint assignment for the Mac to the new Blueprint, triggering the removal of the FileVault profile.
  4. Once the FileVault profile has been removed, in System Preferences on the Mac, turn off FileVault encryption.
  5. If present, remove the following file from the home directory of the user associated with the iCloud account:
     ~/Library/Preferences/com.apple.preference.security.plist

Reassign the FileVault library item

  1. Change the Blueprint assignment for the computer to the previous Blueprint, which triggers a reinstall of the FileVault profile.
  2. As enforced by your library item, FileVault should now be turned on, and the iCloud account can no longer be used to unlock the disk.

Note: Depending on your FileVault enforcement settings, reassigning the FileVault library item may trigger either a forced restart of the Mac or a reminder that the end user must restart to enforce FileVault encryption.