
Managing FileVault with Jamf School

Updated over 3 weeks ago

Description

FileVault encrypts the data on the startup disk so that anyone without valid credentials cannot read it. A profile from Jamf School can enable FileVault and escrow the personal recovery key in Jamf School, where it can be retrieved as a last resort to unlock the encrypted disk (for example, if the user forgets their password).

Please take the following into account:

  • Jamf School cannot escrow a recovery key unless the Jamf School recovery key escrow profile is installed on the computer at the time the recovery key is created. For a Mac that was already encrypted before the profile arrived, a new personal recovery key must be generated after the profile is installed (for example with `fdesetup changerecovery -personal`) so that it can be escrowed.

  • A device can only have one profile with the FileVault recovery key escrow associated with it.

  • The end user must hold a Secure Token (on APFS volumes, the token that lets an account unlock the disk) in order to enable FileVault.

Creating a FileVault Profile In Jamf School

  1. In Jamf School, go to Profiles > Overview.

  2. Click + Create Profile.

  3. Select macOS and Device Enrollment. Click Next.

  4. Give the profile a name and click Next.

  5. Click Finish.

  6. Select FileVault from the list of payloads and click Configure.

  7. Check the Enable FileVault box.

  8. Select Create a personal recovery key.

  9. (Optional) Select options in the Deferred enablement and Hibernation sections as desired.

  10. Check the box to Enable Personal Recovery Key Escrow.

  11. Compose the message that is displayed to the user when they are asked to enable FileVault.

  12. Click Save.

  13. Adjust the scope of the profile. We recommend starting with a group of test devices.


Encrypting Managed Computers and Escrowing the Personal Recovery Key

After the profile has installed, the end user is prompted to enable FileVault by entering their password (immediately, or at the point chosen under Deferred enablement).

  • The recovery key is returned to Jamf School as part of the device's security information. You may need to refresh device details before the personal recovery key can be retrieved; check the Activity Log for the 'Refresh security info' action.
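The following shell script is an added example, not part of this article or of Jamf's tooling. Run as root on the Mac, it checks the conditions described above before a device is relied on to escrow its key: that a profile carrying the FileVault payload (`com.apple.MCX.FileVault2`) and the recovery key escrow payload (`com.apple.security.FDERecoveryKeyEscrow`) is installed, that the user holds a Secure Token (`sysadminctl -secureTokenStatus`), and what `fdesetup status` reports, including the deferred-enablement case. The command outputs embedded in it are constructed samples, and the exact line layout of `profiles show` is an assumption; only the payload type strings are matched.

```shell
#!/bin/sh
# Added example (not Jamf's code): pre-flight check on a Mac before relying on
# it to enable FileVault and escrow the key. Run as root:
#   sh fv-preflight.sh [username]   (defaults to the console user)
# Assumptions: macOS with APFS; the `profiles show` line layout below is an
# assumption, only the payload type strings are matched.

FV_PAYLOAD="com.apple.MCX.FileVault2"                     # FileVault payload type
ESCROW_PAYLOAD="com.apple.security.FDERecoveryKeyEscrow"  # key escrow payload type

# Classify the text of `fdesetup status`: on | deferred | off | unknown.
# A deferred enablement still reports "FileVault is Off.", so test it first.
fv_state() {
  case "$1" in
    *"Deferred enablement appears to be active"*) echo deferred ;;
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Classify `sysadminctl -secureTokenStatus <user>` output (it is written to
# stderr, so capture it with 2>&1): enabled | disabled | unknown.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

# True when the `profiles show` text mentions the given payload type string.
has_payload() {
  printf '%s\n' "$1" | grep -q -F -- "$2"
}

# Live check: prints each failing condition; the return value is the count.
preflight() {
  user="$1"
  status_out="$(fdesetup status 2>&1)"
  token_out="$(sysadminctl -secureTokenStatus "$user" 2>&1)"
  profiles_out="$(profiles show -type configuration 2>&1)"
  fails=0
  if ! has_payload "$profiles_out" "$ESCROW_PAYLOAD"; then
    echo "MISSING: escrow payload $ESCROW_PAYLOAD is not installed; a key created now will not be escrowed"
    fails=$((fails + 1))
  fi
  if ! has_payload "$profiles_out" "$FV_PAYLOAD"; then
    echo "MISSING: FileVault payload $FV_PAYLOAD is not installed"
    fails=$((fails + 1))
  fi
  if [ "$(token_state "$token_out")" != enabled ]; then
    echo "BLOCKER: $user holds no Secure Token, so this user cannot enable FileVault"
    fails=$((fails + 1))
  fi
  echo "FileVault state: $(fv_state "$status_out")"
  return "$fails"
}

# Constructed sample outputs (not captured from a real Mac) so the parsers can
# be exercised off-box.
SAMPLE_STATUS_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'alice'."
SAMPLE_TOKEN="2024-01-01 10:00:00.000 sysadminctl[512:4096] Secure token is ENABLED for user alice"
SAMPLE_PROFILES="_computerlevel[1] attribute: name: FileVault
_computerlevel[1] payload[1] attribute: type: com.apple.MCX.FileVault2
_computerlevel[1] payload[2] attribute: type: com.apple.security.FDERecoveryKeyEscrow"

# Only run the live check on a Mac; elsewhere only the functions are defined.
if command -v fdesetup >/dev/null 2>&1; then
  preflight "${1:-$(stat -f %Su /dev/console)}"
fi
```

A non-zero exit status means the device is not ready: the most common cause on a pre-encrypted Mac is the escrow payload arriving after the key was created, which this check reports as the escrow payload being present while the FileVault state is already `on`; in that case generate a new personal recovery key after the profile is installed.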


Finding the Personal Recovery Key in Jamf School

When the recovery key is needed:

  1. Open the device record in Jamf School by going to Devices > Inventory and click on the device.

  2. Click Retrieve personal key under the FileVault heading to decrypt the personal recovery key and display it.
