The GoLive page for a device gives you direct control over that single machine in real time. One of the many features available in a GoLive session is the ability to enable FileVault encryption.
Please note: FileVault now requires User Approved MDM (UAMDM).
Step 1: Navigate to the Devices page from the left column menu. In this example, we'll be using the device "Tingle".
Step 2: Click the GoLive link.
The GoLive session will then launch.
Step 3: Click Security.
Step 4: Click Enable.
This will bring up a modal window with a few options on how to enable FileVault.
Option 1: You don't know the password of the user on the device. This option performs a deferred enablement: the user is asked to enter their password the next time they log in to the device. You can also toggle the restart prompt if you would like to notify the end user to restart the machine after the deferred enablement command runs, which starts the encryption process sooner.
Option 2: You know the username and password of the user you want to add to FileVault. This is the least invasive method, as the user is added to FileVault instantly and encryption starts right away.
Note: Option 2 is not available for Catalina and above, and will not appear in the modal window. This is because it is not possible to bypass deferred enablement on these macOS versions.
After you press Enable, the device will attempt to enable FileVault on the machine and then escrow the recovery keys into Addigy. If any errors occur, they will appear on the screen.
Note: the end-user does not have the ability to stop the FileVault process. If you need to halt the process, you will need to run this command before the encryption begins.
For information on disabling FileVault after the encryption process has been completed, please reference our article Decrypting Devices with FileVault.
Note: For Catalina devices, you must log out in order to see the prompt to "Enable FileVault". Rebooting or shutting down the device will not trigger the prompt as it did in previous versions of macOS.
Only users with SecureToken enabled will be able to decrypt a device that has FileVault enabled. Users without SecureToken will not appear as options at the FileVault login window.
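To confirm the result on the device itself, the script below classifies the output of macOS's `fdesetup status` and `sysadminctl -secureTokenStatus`, so you can tell a pending deferred enablement from active encryption and see which users hold a SecureToken. This is an added example, not Addigy's code; the matched output strings and the user `jdoe` are assumptions and the wording may differ between macOS versions.

```shell
#!/bin/sh
# Added example (not Addigy's code). Pass usernames as arguments on a Mac.

# Map the text of `fdesetup status` to: deferred, encrypting, on, off, unknown.
# Deferred is tested first because that output also contains "FileVault is Off".
fv_state() {
    case "$1" in
        *"Deferred enablement appears to be active"*) echo deferred ;;
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*) echo on ;;
        *"FileVault is Off"*) echo off ;;
        *) echo unknown ;;
    esac
}

# Succeed when the text of `sysadminctl -secureTokenStatus <user>` says ENABLED.
has_secure_token() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample outputs (assumed wording, hypothetical user jdoe).
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."
SAMPLE_ENCRYPTING="FileVault is On.
Encryption in progress: Percent completed = 12"
SAMPLE_TOKEN_ON="sysadminctl[123:456] Secure token is ENABLED for user jdoe"
SAMPLE_TOKEN_OFF="sysadminctl[123:456] Secure token is DISABLED for user jdoe"

# Live check: runs only where fdesetup exists (macOS); skipped elsewhere.
if command -v fdesetup >/dev/null 2>&1; then
    echo "FileVault: $(fv_state "$(fdesetup status 2>&1)")"
    for u in "$@"; do
        # sysadminctl prints its result on stderr, hence 2>&1.
        if has_secure_token "$(sysadminctl -secureTokenStatus "$u" 2>&1)"; then
            echo "$u: SecureToken enabled"
        else
            echo "$u: no SecureToken, will not appear at the FileVault login window"
        fi
    done
fi
```

A state of `deferred` means the enable command has run but the user has not yet logged out and back in to approve it.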