The GoLive page for a device gives you direct control over that single machine in real time. One of the many features available in a GoLive session is the ability to enable FileVault encryption.
Note: FileVault requires User-Approved MDM (UAMDM).
Enabling FileVault via GoLive
- Navigate to the Devices page.
- Click the GoLive link or device name to access the GoLive page for that device.
- Click the Security tab.
- In the FileVault Encryption section, click Enable.
- A modal window will appear confirming how to enable FileVault.
Note: For Mojave and older OS versions, there are two options to enable FileVault, depending on whether the username and password of a user with a Secure Token are known.
- Option 1: You don't know the password of the user on the device. This performs a deferred enablement: the user is asked to enter their password the next time they log in to the device. You can also toggle the restart prompt to notify the end user to restart the machine after the deferred enablement command runs, which starts the encryption process sooner.
- Option 2: You know the username and password of the user you want to add to FileVault. This is the least invasive method, as the user is added to FileVault immediately and encryption starts right away. Option 2 is not available for Catalina and newer OS versions and will not appear in the modal window, because it is not possible to bypass deferred enablement on these macOS versions.
- Select Enable. The device will attempt to enable FileVault on the machine and then escrow the recovery keys into Addigy. If any errors occur, they will appear on the screen.
Note: The end user does not have the ability to stop the FileVault process. If you need to halt the process, you will need to run this command before the encryption begins.
- For information on disabling FileVault after the encryption process has been completed, please reference our article Decrypting Devices with FileVault.
- Note: For Catalina devices, you must log out in order to see the "Enable FileVault" prompt. Rebooting or shutting down the device will not trigger the prompt as it did in previous versions of macOS.
- Only users with SecureToken enabled will be able to decrypt a device that has FileVault enabled. Users without SecureToken will not appear as options at the FileVault login window.
- For information on how to troubleshoot FileVault, please see the following Knowledge Base article: Troubleshooting FileVault Enablement
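To confirm on the device which of the states described above it is in (deferred enablement pending, encrypting, or on) and whether a given user holds a SecureToken, the following added example (not Addigy's own code) classifies the text printed by the macOS tools `fdesetup status` and `sysadminctl -secureTokenStatus`. The function names and verdict wording are hypothetical, and the matched strings are assumed to be representative of what those tools print.

```bash
#!/bin/sh
# Added example: classify FileVault and SecureToken state from tool output.

# fv_state TEXT -> on | encrypting | deferred | off | unknown
# Deferred/encrypting are tested first: their output also has an On/Off line.
fv_state() {
  case "$1" in
    *"Deferred enablement appears to be active"*) echo deferred ;;
    *"Encryption in progress"*)                   echo encrypting ;;
    *"FileVault is On"*)                          echo on ;;
    *"FileVault is Off"*)                         echo off ;;
    *)                                            echo unknown ;;
  esac
}

# token_state TEXT -> enabled | disabled | unknown
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

# verdict FV TOKEN -> one-line assessment for the technician
verdict() {
  case "$1:$2" in
    unknown:*|*:unknown)             echo "UNKNOWN: could not read state" ;;
    on:enabled|encrypting:enabled)   echo "OK: encrypted or encrypting, user can unlock" ;;
    on:disabled|encrypting:disabled) echo "WARN: user will not appear at the FileVault login window" ;;
    deferred:enabled)                echo "PENDING: user must log out and back in to be prompted" ;;
    deferred:disabled)               echo "REVIEW: enablement pending for a user without SecureToken" ;;
    off:*)                           echo "OFF: FileVault is not enabled" ;;
  esac
}

if command -v fdesetup >/dev/null 2>&1; then
  # On a Mac: query the real tools (sysadminctl reports on stderr).
  user="${1:-$(id -un)}"
  fv=$(fv_state "$(fdesetup status 2>&1)")
  tok=$(token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
else
  # Elsewhere: constructed sample output, so the logic can be read off any host.
  user="alice"
  fv=$(fv_state "FileVault is Off.
Deferred enablement appears to be active for user 'alice'.")
  tok=$(token_state "sysadminctl[123:456] Secure token is ENABLED for user Alice")
fi
echo "$user: FileVault=$fv SecureToken=$tok -> $(verdict "$fv" "$tok")"
```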