Using FileVault with Kandji

Learn how Kandji is able to deploy, monitor, and manage FileVault on macOS devices.

About FileVault & Recovery Keys

FileVault is a built-in feature of macOS that encrypts the boot drive using the Administrator account passwords. During setup, FileVault generates a Recovery Key, which provides another way to access the drive should the password be lost or forgotten.

Learn more about how FileVault secures your Macs and changes login behavior here.

Enable FileVault 2

This parameter will force all enrolled macOS devices to enable FileVault disk encryption. Macs will be prompted to restart to complete the FileVault setup. 

Show Recovery Key to user while enabling FileVault

Enable this option to display the recovery key to your users during FileVault setup for their records.

Escrow FileVault Recovery Keys to Kandji

By enabling this parameter, FileVault recovery keys will be captured by Kandji during FileVault setup. The FileVault key can be found in the Mac's record in the Kandji Dashboard by clicking the ellipsis (...) button and then clicking the "View FileVault Recovery Key" button.

Note: If FileVault has already been enabled before the device is enrolled into Kandji, the key will not be captured by enabling this parameter. 

You can force FileVault to generate a new recovery key by running the following command on any Mac via Terminal. Kandji will then capture the newly generated key if the escrow parameter is enabled.  

sudo fdesetup changerecovery -personal
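
A pre-flight check for the rotation command above, as an added example (not Kandji's own tooling). The function name and action labels are hypothetical, and it assumes the usual `fdesetup status` wording ("FileVault is On.") and the true/false output of `fdesetup haspersonalrecoverykey`.

```shell
#!/bin/sh
# Added example: decide whether a Mac is in a state where
# `sudo fdesetup changerecovery -personal` is the right next step.

# rotation_action STATUS_TEXT HAS_PRK   (hypothetical helper)
#   STATUS_TEXT: output of `fdesetup status`
#   HAS_PRK:     output of `fdesetup haspersonalrecoverykey` (true/false)
# Prints one of: rotate | wait | enable-first | no-personal-key
rotation_action() {
    status_text=$1
    has_prk=$2

    # FileVault must already be on; otherwise there is no key to regenerate.
    case $status_text in
        *"FileVault is On."*) ;;
        *) echo "enable-first"; return 0 ;;
    esac

    # Encryption still running: let it finish before touching the key.
    case $status_text in
        *"in progress"*) echo "wait"; return 0 ;;
    esac

    # No personal recovery key present: flag for review instead of rotating.
    if [ "$has_prk" = "true" ]; then
        echo "rotate"
    else
        echo "no-personal-key"
    fi
}

# Live check: only runs as root on a Mac that has fdesetup.
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    action=$(rotation_action "$(fdesetup status)" "$(fdesetup haspersonalrecoverykey)")
    echo "FileVault pre-check: $action"
    if [ "$action" = "rotate" ]; then
        echo "Next step: sudo fdesetup changerecovery -personal"
    fi
fi
```
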

Report user accounts with FileVault Recovery Keys escrowed to iCloud

macOS allows users to store Recovery Keys with their iCloud account. This is not recommended for business-owned Macs, as it's possible that keys can be retrieved by an unknown party. Use this parameter to be alerted if a Recovery Key is stored in iCloud.