Create FileVault 2 profile for macOS
With this profile, you can encrypt the startup volume of your users’ macOS devices. FileVault 2 volume encryption uses XTS-AES-128 encryption with a 256-bit key to prevent unauthorised access to data on the drive. Additionally, find out how you can restore data encrypted by FileVault if your users are unable to log on to their Macs.
If a user forgets the login password for their encrypted macOS device, a recovery key will be required to decrypt it. This recovery key can be created separately by each user on their own device (a personal recovery key).
Alternatively, you can generate a single recovery key for all managed macOS devices (an institutional recovery key) and use the console to distribute it to the users’ devices. To do this, follow the procedure described here: https://support.apple.com/en-us/HT202385
Note! This option is not available for devices that have been enrolled via User Enrollment.
- In the Cortado management console, go to Control Panel → Profiles → macOS and select FileVault 2 as the profile you wish to add. The following dialogue will open:
Make the following settings:
- Profile name: Specify a name for the profile.
- Enable: If you want to disable FileVault for your users, set this option to Off.
- Defer: Select this option, to defer enabling FileVault until the designated user logs out.
- Force max bypass attempts: When using the Defer option, you can optionally set this key to the maximum number of times the user can bypass enabling FileVault before it must be enabled in order to log in. If set to 0, the user is always prompted to enable FileVault until it is enabled, but is still allowed to bypass enabling it. Setting this key to 1 will disable this feature.
- If you use personal recovery keys:
  - Use recovery key: Keep this setting to create a personal recovery key.
  - Show recovery key: Deactivate this checkbox if the personal recovery key should not be displayed to the user after FileVault is enabled. Leaving it active displays the key so that the user can save it for future use.
  - Output path: Path to the location where the recovery key and computer information plist will be stored.
- If you use an institutional recovery key:
  - Certificate: First, create a certificate profile (see the section Certificates). Upload the institutional recovery key (DER-encoded certificate) there under Use single certificate. Then select this certificate profile here.
  - Use keychain: If no certificate information is provided in this payload, the keychain already created at /Library/Keychains/FileVaultMaster.keychain will be used when the institutional recovery key is added.
- User enters missing info: If you enable this checkbox, then when the profile is being installed, missing fields for the user name or the password will be requested.
- Username: Enter the user’s user name here if you are assigning the profile to a single user.
- Password: Enter the user’s user password here if you are assigning the profile to a single user. Alternatively, enable the User enters missing info checkbox.
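As an added example (not Cortado's own code), the following Python maps the dialogue fields above onto Apple's com.apple.MDM.FileVault2 payload and rejects field combinations the settings list rules out before a profile is pushed. It assumes the console uses the Apple payload key names shown, that the selected certificate profile is referenced by its payload UUID, and uses constructed identifiers.

```python
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.MDM.FileVault2"  # Apple's FDEFileVault payload type

def build_filevault_payload(enable=True, defer=True, max_bypass_attempts=None,
                            use_recovery_key=True, show_recovery_key=True,
                            output_path=None, certificate_payload_uuid=None,
                            use_keychain=False, user_enters_missing_info=False,
                            username=None, password=None):
    """Map the dialogue fields to one FileVault 2 payload dict; ValueError on bad combinations."""
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": f"{PAYLOAD_TYPE}.{uuid.uuid4()}",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "Enable": "On" if enable else "Off",
    }
    if not enable:
        return payload  # Enable=Off only switches FileVault off; no other field applies
    if max_bypass_attempts is not None and not defer:
        raise ValueError("max bypass attempts only applies together with Defer")
    payload["Defer"] = defer
    if max_bypass_attempts is not None:
        payload["DeferForceAtUserLoginMaxBypassAttempts"] = int(max_bypass_attempts)
    payload["UseRecoveryKey"] = use_recovery_key  # personal recovery key
    if use_recovery_key:
        payload["ShowRecoveryKey"] = show_recovery_key
        if output_path:
            payload["OutputPath"] = output_path  # recovery key + computer info plist
    # Institutional recovery key: certificate payload (by UUID) or the pre-created keychain
    if certificate_payload_uuid:
        payload["PayloadCertificateUUID"] = certificate_payload_uuid
    elif use_keychain:
        payload["UseKeychain"] = True
    if not (use_recovery_key or certificate_payload_uuid or use_keychain):
        raise ValueError("no recovery key configured: personal or institutional key required")
    # Credentials of the account to enable, unless the user is asked during install
    if user_enters_missing_info:
        payload["UserEntersMissingInfo"] = True
    elif not (username and password):
        raise ValueError("Username and Password required unless the user enters missing info")
    payload.update({k: v for k, v in (("Username", username), ("Password", password)) if v})
    return payload

def build_profile(display_name, payload):
    """Wrap the payload in a top-level profile and return it as plist XML bytes."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadDisplayName": display_name, "PayloadContent": [payload],
                           "PayloadIdentifier": f"example.filevault.{uuid.uuid4()}",  # constructed
                           "PayloadUUID": str(uuid.uuid4()).upper()})
```

Because the Username and Password fields travel inside the payload in clear text, treat the generated profile as a secret and prefer User enters missing info where the assignment allows it.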
For how to distribute the new profile, see the section Assign profile.