Description
FileVault is the native encryption capability built into Mac computers. Enabling it with Jamf Pro makes computers require a user's credentials to complete the boot process, ensuring that data in your environment is secure. Additionally, after a computer activates FileVault and escrows its recovery key with Jamf Pro, you can use that key to reset user passwords and access macOS recovery if needed.
This article will provide steps for enabling FileVault using a Jamf Pro configuration profile. If FileVault is already enabled on the computer, but the Personal Recovery Key is not showing in Jamf after two inventory submissions, see FileVault Personal Recovery Key is Not Showing in Jamf Pro.
Enabling FileVault With Your Configuration Profile
Check to see if the end user has a secure token using one of the methods below. If they do not, follow the steps in Grant Secure Token to Enable FileVault before completing the rest of this article.
Check the FileVault 2 Enabled users field in the device record under Inventory > Disk Encryption
Run the following command in Terminal on the device:
sudo fdesetup list -extended
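A readiness check in the style of a Jamf extension-attribute script, added here as an example (not from the Jamf article or Jamf's own code). It covers the prerequisite above: whether FileVault is already on, whether the console user holds a secure token, and whether that user is a FileVault-enabled user. The command output formats it parses are assumptions noted in the comments, and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not part of the Jamf article. Parsers take command output as text
# so they can be checked against constructed samples; assumed formats are noted.
# Assumed: `fdesetup status` prints "FileVault is On." or "FileVault is Off.".
parse_fv_state() {
    case "$1" in
        *"FileVault is On"*)  echo "on" ;;
        *"FileVault is Off"*) echo "off" ;;
        *)                    echo "unknown" ;;
    esac
}
# Assumed: `sysadminctl -secureTokenStatus <user>` logs
# "Secure token is ENABLED for user <user>" (or DISABLED) to stderr.
parse_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "enabled" ;;
        *"Secure token is DISABLED"*) echo "disabled" ;;
        *)                            echo "unknown" ;;
    esac
}
# Assumed: `fdesetup list` prints one "username,UUID" line per FileVault-enabled
# user. Exits 0 when $2 is listed in $1.
user_is_fv_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { f = 1 } END { exit f ? 0 : 1 }'
}
# One-line verdict. Usage: readiness <status-text> <token-text> <list-text> <user>
readiness() {
    fv=$(parse_fv_state "$1"); tok=$(parse_token_state "$2")
    if [ "$fv" = "on" ] && user_is_fv_enabled "$3" "$4"; then
        echo "encrypted: $4 is a FileVault-enabled user"
    elif [ "$fv" = "on" ]; then
        echo "encrypted: $4 is NOT a FileVault-enabled user"
    elif [ "$tok" = "enabled" ]; then
        echo "ready: FileVault off, $4 has a secure token; profile can proceed"
    else
        echo "blocked: FileVault off and $4 has no secure token; grant one first"
    fi
}

# Constructed sample output (not captured from a real Mac).
SAMPLE_STATUS="FileVault is Off."
SAMPLE_TOKEN="2024-01-01 10:00:00.000 sysadminctl[512:9001] Secure token is DISABLED for user jdoe"
SAMPLE_LIST="admin,11111111-2222-3333-4444-555555555555"

if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then   # real check, run as root
    user=$(stat -f%Su /dev/console)
    readiness "$(fdesetup status)" "$(sysadminctl -secureTokenStatus "$user" 2>&1)" "$(fdesetup list)" "$user"
else
    readiness "$SAMPLE_STATUS" "$SAMPLE_TOKEN" "$SAMPLE_LIST" jdoe
fi
```

On a Mac it runs the real commands against the current console user; elsewhere it evaluates the constructed samples, which describe a user who still needs a secure token granted.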
Create the configuration profile in Jamf Pro following the steps below:
Go to Computers > Configuration Profiles > New and give the configuration profile a name.
Click on the Security & Privacy payload and select Configure.
Click the FileVault tab and move the toggle to Include for "Enable FileVault".
Adjust the 'Event to prompt FileVault enablement' as needed.
"Personal Recovery Key" will be the default option. Apple no longer recommends institutional recovery keys; more information can be found here.
Click to Include "Escrow Personal Recovery Key" which will store the Recovery Key in Jamf in the computer's inventory record.
Enable other settings in the payload as desired.
Add a test computer to the Scope of the configuration profile and click Save.
The encryption process will start when the FileVault profile is installed on the computer and the event selected for "Event to prompt FileVault enablement" occurs.
After the computer is encrypted and has submitted an updated inventory, the Recovery Key will be escrowed in Jamf under the computer's inventory record in Inventory > Disk Encryption.