There are times when you may need to disable FileVault on a managed device — for example, when re-enabling it through Addigy to ensure the recovery key is escrowed in the Addigy platform. The steps below cover both unmanaged and MDM-managed FileVault configurations.
Method 1: Disable FileVault via LiveTerminal
Use this method if FileVault was not enabled via an MDM configuration (Device Setting). You will need an active LiveTerminal session on the device and credentials for a user who is authorized to lock and unlock the disk.
- Open a LiveTerminal session to the target device.
- Run the following command:
  sudo fdesetup disable
- When prompted, enter the username of an authorized user.
- When prompted, enter that user's password.
- Once the credentials are accepted, decryption will begin. You will see a "FileVault has been disabled." confirmation in the terminal output.
Note: Decryption runs in the background after the command completes and may take some time to finish depending on the size of the disk.
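Because decryption continues in the background, it helps to confirm it has finished before re-enabling FileVault through Addigy. The script below is an added example, not part of the original article or an Addigy tool: it classifies the text printed by `fdesetup status` and can poll until decryption completes. The function names are hypothetical, the sample output is constructed, and the matched phrases are assumed from typical `fdesetup status` output.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; matched phrases are assumed
# from typical `fdesetup status` output and may vary between macOS versions.

# Constructed sample of status output captured partway through decryption.
SAMPLE_MID='FileVault is Off.
Decryption in progress: Percent completed = 42'

# Map status text to one of: decrypting, encrypting, off, on, unknown.
# In-progress phrases are tested first because they can appear alongside
# a "FileVault is Off." line while the disk is still being decrypted.
classify_fv_status() {
    case $1 in
        *"Decryption in progress"*) echo decrypting ;;
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is Off"*)       echo off ;;
        *"FileVault is On"*)        echo on ;;
        *)                          echo unknown ;;
    esac
}

# Print the reported percentage, or nothing if the text carries none.
fv_percent() {
    printf '%s\n' "$1" |
        sed -n 's/.*Percent completed = \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeeds only when the disk is fully decrypted, i.e. when it is safe to
# re-enable FileVault so the new recovery key can be escrowed.
ready_to_reenable() {
    [ "$(classify_fv_status "$1")" = "off" ]
}

# For use in a LiveTerminal session on the Mac: poll until decryption ends.
# $1 is the polling interval in seconds (default 60).
wait_for_decryption() {
    while :; do
        out=$(sudo fdesetup status 2>&1)
        case $(classify_fv_status "$out") in
            off)        echo "Decryption complete."; return 0 ;;
            decrypting) echo "Decrypting: $(fv_percent "$out")%"
                        sleep "${1:-60}" ;;
            *)          echo "Unexpected state: $out" >&2; return 1 ;;
        esac
    done
}
```

Source the script in the LiveTerminal session and run `wait_for_decryption 120` to poll every two minutes; a non-zero return means FileVault is still on or the status text was not recognized.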
Method 2: Disable FileVault Managed via MDM
If FileVault is enforced by an MDM configuration (Device Setting), the profile must be removed from the device before decryption can occur. Refer to the appropriate article below based on how the profile was deployed:
- Deployed via GoLive: Removing a Device Setting That Was Deployed via GoLive
- Deployed via Policy: Adding and Removing Items from a Policy
Once the profile has been removed, follow the LiveTerminal steps above to complete decryption.