Enabling or disabling encryption on a macOS device

You can encrypt macOS devices using FileVault 2. FileVault 2 can be used to perform full XTS-AES 128 encryption on the contents of a volume. Ivanti EPMM enables you to create FileVault 2 policies that you can use to control the encryption of managed macOS devices. You can apply a single FileVault 2 policy to a device.

The FileVault 2 policy also includes recovery keys. Users can employ a recovery key to unlock the disk if they forget their password.

There are two types of recovery keys:

  • Personal recovery key: FileVault 2 automatically generates a personal recovery key at the time of encryption. A personal key is unique to the machine being encrypted. If an encrypted macOS is decrypted and then re-encrypted, the existing personal recovery key is invalid. FileVault 2 would then generate a new personal recovery key during re-encryption.
  • Institutional recovery key: An institutional recovery key is used for the same purpose as a personal recovery key, but is the same for all macOS devices within an organization. You can use FileVault 2 to generate and install an institutional recovery key to your system before enabling encryption. This common key is used to unlock any managed, encrypted macOS device.

FileVault 2 policies are supported on devices running macOS 10.10 or supported newer versions.

Procedure

  1. Select Policies & Configs > Policies.
  2. Select Add New > iOS and macOS > macOS > FileVault 2.
  3. Use the guidelines in the table below to complete this form.
  4. Select Save.
  5. Apply the policy to a macOS label.

Table 1. FileVault 2 Guidelines

Item

Description

Name

Enter a name for the policy.

Status

Select the relevant radio button to indicate whether the policy is Active or Inactive.

Only one active policy can be applied to a device.

Priority

Specifies the priority of this policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is available.

Select Higher than or Lower than, then select an existing policy from the drop-down list.

For example, to give Policy A a higher priority than Policy B, you would select “Higher than” and “Policy B”.

Description

Enter an explanation of the purpose of this policy.

Enable FileVault 2

Select to enable encryption.

FileVault User Settings

The following settings control how enabling FileVault is deferred until the designated user logs out:

Enable FileVault at SetupAssist

Select to enable FileVault at SetupAssist, so that the device is encrypted before the user logs in.

Note: For FileVault to be enabled at SetupAssist, Await Device Configuration needs to be enabled in the automated Enrollment Profile.

For ADE-enrolled devices, when this option is selected the system ignores all other keys in this payload except Show Recovery Key.

Always prompt user to enable FileVault

Select to prompt the user to enable FileVault on the macOS device. The user sees the prompt when logging in to the macOS device. When selecting this option, users cannot bypass enabling the encryption option.

Maximum number of times a user can bypass enabling FileVault

Select to configure a limit to the number of times the user can ignore the prompt to enable FileVault.

Select up or down to select the maximum number of times.

The user sees the prompt when logging in to the macOS device. When selecting this option, users can choose to skip enabling the encryption option as many times as specified here.

Do not request enabling FileVault at user logout time

Select so that users are not prompted to enable FileVault when they are trying to log out of the device.

Output Path

Enter the path to which the recovery key .plist file will be stored.

For example:

/Library/Keychains/recovery.plist

Personal Recovery Key

Create a personal recovery key

Select to create a personal recovery key. A personal recovery key will be generated when encryption (FileVault) is enabled.

This personal recovery key can be used later to unlock the startup disk of the specific macOS device, in case the device user name and password are not available to unlock the device.

Institutional Recovery Key

Enable institutional recovery key

Select to enable an institutional recovery key.

The institutional recovery key can be used to unlock the startup disk of any macOS device that uses the same FileVault 2 master keychain.

The keychain should be available at the following location before enabling FileVault 2 on the macOS device:

/Library/Keychains/FileVaultMaster.keychain

Certificate

Enter your certificate information. If you selected Enable institutional recovery key without entering a certificate, then the master keychain (/Library/Keychains/FileVaultMaster.keychain) is used when the institutional recovery key is added.

Next Steps

You can verify that encryption is enabled on a given device by checking the device details for that device. Select Devices & Users > Devices, and select the caret (^) next to the relevant macOS device. In the Device Details tab, look for the following fields:

  • Full Disk Encryption Enabled
  • Full Disk Encryption Has Institutional Recovery Key
  • Full Disk Encryption Has Personal Recovery Key
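Besides the EPMM device details, an administrator can check the artifacts the policy leaves on the Mac itself: the recovery-key plist written at Output Path (which holds the key that unlocks the disk, so it must stay root-only) and the FileVaultMaster.keychain that must be staged before an institutional key can be added. This is an added example, not Ivanti EPMM or Apple code; it assumes the plist stores the personal recovery key under a `RecoveryKey` string, and the sample plist it writes is constructed test input.

```python
"""Check the FileVault 2 artifacts an EPMM policy leaves on a Mac (added example,
not Ivanti or Apple code). Assumption: the plist written at the policy's Output
Path stores the personal recovery key under the 'RecoveryKey' string."""
import os
import plistlib
import re
import stat
import tempfile

# Personal recovery keys are 24 characters in six hyphen-separated groups of four.
PRK_PATTERN = re.compile(r"^[A-Z0-9]{4}(?:-[A-Z0-9]{4}){5}$")


def check_recovery_plist(path, owner_uid=0):
    """Return findings for the recovery-key plist; an empty list means it exists,
    is readable only by its owner (root by default), and holds a well-formed key."""
    if not os.path.isfile(path):
        return ["recovery plist missing: " + path]
    findings = []
    st = os.stat(path)
    # The file holds the key that unlocks the startup disk: keep it owner-only.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("recovery plist is group/world accessible: %o" % (st.st_mode & 0o777))
    if owner_uid is not None and st.st_uid != owner_uid:
        findings.append("recovery plist owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    key = data.get("RecoveryKey")
    if not isinstance(key, str) or not PRK_PATTERN.match(key):
        findings.append("RecoveryKey absent or malformed")
    return findings


def check_institutional_keychain(path="/Library/Keychains/FileVaultMaster.keychain"):
    """An institutional key can only be added if the master keychain is staged first."""
    return [] if os.path.isfile(path) else ["master keychain missing: " + path]


def write_sample_plist(key, mode):
    """Write a constructed recovery plist to a temp file (test input, not real escrow data)."""
    path = os.path.join(tempfile.mkdtemp(), "recovery.plist")
    with open(path, "wb") as fh:
        plistlib.dump({"RecoveryKey": key}, fh)
    os.chmod(path, mode)
    return path


def owner_of(path):
    return os.stat(path).st_uid


if __name__ == "__main__":
    for f in check_recovery_plist("/Library/Keychains/recovery.plist") + check_institutional_keychain():
        print("FINDING:", f)
```

Run as root on the Mac after the policy has applied; no output means both artifacts are in place and the key file is not exposed to other local users.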