Storing and retrieving FileVault personal recovery keys in Ivanti EPMM (macOS)

The FileVault 2 Retrieve Personal Recovery Key setting allows you to store and retrieve personal recovery keys used to encrypt disk volumes with FileVault 2. Ivanti EPMM stores the personal recovery keys for each device in an encrypted form in its database.

When necessary, you can decrypt and display the key on your screen, allowing you to decrypt the associated macOS device.

This feature is supported on macOS 10.12 or supported newer versions.

When upgrading a macOS device from 10.12 to 10.13, you need to apply this setting to devices again. Do this by creating two policies with two different labels, one for devices running macOS 10.12, and another for devices running macOS 10.13.


  1. Select Policies & Configs > Policies.
  2. Select Add New > iOS and macOS > macOS Only > FileVault 2 Retrieve Personal Recovery Key.
  3. In the New FileVault 2 Retrieve Personal Recovery Key dialog box, use the guidelines to complete this form.
  4. Select Save.
  5. Apply the policy to a macOS label.





Enter a name for the policy.


Select the relevant radio button to indicate whether the policy is Active or Inactive.

Only one active policy can be applied to a device.


Specifies the priority of this policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is available.

Select Higher than or Lower than, then select an existing policy from the drop-down list.

For example, to give Policy A higher priority than Policy B, you would select “Higher than” and “Policy B”.


Enter an explanation of the purpose of this policy.

Store Recovery Key to Ivanti EPMM

Enables the storage of the recovery key to Ivanti EPMM. This option is enabled by default when you create a FileVault 2 policy, and cannot be disabled.