FileVault is a built in feature of macOS that encrypts the boot drive using the Administrator account passwords. When being setup, FileVault generates a Recovery Key, allowing another method of access the drive should the password be lost or forgotten.
Learn more about how FileVault secures your Macs and changes login behavior here.
This parameter will force all enrolled macOS devices to enable FileVault disk encryption. Macs will be prompted to restart to complete the FileVault setup.
Enable this option to display the recovery key to your users during FileVault setup for their records.
By enabling this parameter, FileVault recovery keys will be captured by Kandji during FileVault setup. The FileVault key can be found inside the Mac's records Kandji Dashboard by clicking the ellipsis (...) button and clicking "View FileVault Recovery Key" button
Note: If FileVault has already been enabled before the device is enrolled into Kandji, the key will not be captured by enabling this parameter.
You can force FileVault to generate a new recovery key by running the following command on any Mac via Terminal. Kandji will then capture the newly generated key if the escrow parameter is enabled.
sudo fdesetup changerecovery -personal
macOS allows users to store Recovery Keys with your iCloud account. This is not recommended for business owned Macs, as it's possible that keys can be retrieved by an unknown party. Use this parameter to be alerted if a Recovery Key is stored in iCloud.