Apple’s FileVault 2 disk encryption helps protect data on your Macs by encrypting the startup disk so only authorized users can access it. With Addigy MDM, you can enforce FileVault at scale, escrow recovery keys, and standardize encryption settings across your devices.
- How to Create the FileVault Payload
- Completing FileVault Enablement (Deferred Enablement)
- FileVault End User Experience
- Accessing Personal Recovery Keys in Addigy
- Frequently Asked Questions
Overview
Using an MDM payload for FileVault lets you turn on disk encryption remotely, define the user experience, and securely store recovery keys in Addigy for future use. This approach is designed for organizations that need consistent, auditable encryption across many Macs, such as MSPs and security‑conscious IT teams.
- Enforce FileVault automatically based on the policies you assign to devices.
- Escrow personal recovery keys (PRKs) to Addigy so authorized admins can recover data if a password is lost.
- Monitor which devices are encrypted, pending encryption, or failing to encrypt, and take action as needed.
Prerequisites
Before you configure FileVault with Addigy MDM, make sure the following requirements are met.
- Addigy MDM is enabled for the policy/devices where you want to enforce FileVault.
- Devices meet Apple’s FileVault requirements (supported macOS version and appropriate disk configuration).
- At least one user on the device has a Secure Token so they can complete deferred enablement.
How to Create the FileVault Payload
Create a FileVault configuration profile to define your encryption settings and recovery key behavior, then deploy it via a policy.
- Navigate to Catalog in your Addigy environment.
- Click the Device Settings section.
- Click New to create a new profile.
- Select Security & Privacy as the profile type.
- Go to the FileVault tab.
- Enable Enable FileVault to turn on FileVault enforcement for targeted devices.
- (Recommended) Enable Escrow Personal Recovery Key so Addigy securely stores the PRK for each device.
- Configure any additional options, such as:
  - Force enable in Setup Assistant.
  - How many times the user can defer enabling FileVault.
- Click Create Profile to save the profile to your Catalog.
- Assign the profile to the policy or policies that include the devices you want to encrypt.
Note: Make sure the Device Setting is actively deployed to the correct policy; FileVault will not start if the profile is not present on the device.
Completing FileVault Enablement (Deferred Enablement)
After the FileVault Device Setting is installed, devices enter a state of deferred enablement, meaning FileVault will begin encrypting only after a Secure Token user logs out and back in.
- Once the profile is on the device, confirm its FileVault status by running fdesetup status from the device’s GoLive page (Scripts tab), or from the Devices page to run it across multiple devices at once.
- Identify the user listed for deferred enablement; this Secure Token user must complete the logout and login process to start encryption.
- Have that user log out of their macOS session. Logging out, not restarting, triggers the deferred enablement prompt.
- When prompted, the user enters their credentials to confirm FileVault enablement, then logs back in to begin encryption.
- After encryption begins, you can continue to monitor status using fdesetup status or the FileVault reporting in Addigy.
Please see FAQ: Troubleshooting FileVault for more information.
Note: Restarting the Mac does not start the deferred enablement process. Users must perform a full logout and login to trigger the FileVault prompt.
FileVault End User Experience
When a user in deferred enablement logs out, they will see the following prompt:
To add this user to FileVault, enter the password for "username."
At this screen, the user must enter their password to enable FileVault.
If the user selects Cancel, they will return to the native macOS login window and remain in deferred enablement; FileVault will not be enabled. It is important to inform your end users that they must enter their password at this screen to complete the FileVault enablement process.
After entering their password, FileVault enablement will begin.
If the Display personal recovery key to user setting has not been disabled in your FileVault Device Setting, the Recovery Key will then be displayed to the end user. If you have not configured your FileVault Device Setting to Escrow Personal Recovery Keys to Addigy, instruct your end users to save their Recovery Key in a safe place. If you do escrow the key to Addigy, consider disabling the display option so the PRK is not shown on screen and copied to unmanaged locations.
Finally, the end-user will arrive at the native macOS login window where they should enter their password once more to complete the process.
At this point, fdesetup status will return FileVault is On.
Note: See Addigy Identity End User Experience for expected behavior when FileVault and Addigy Identity are enabled on a device.
Accessing Personal Recovery Keys in Addigy
If Escrow Personal Recovery Key is enabled in your FileVault configuration, each device generates a PRK and securely sends it to Addigy. You can then retrieve the key in case a user forgets their password or a device needs recovery.
Individual Devices
- Open the device in GoLive.
- Navigate to the Security > FileVault Encryption tab within GoLive.
- Locate the Personal Recovery Key (PRK) for that device, if it has been reported.
- If the key does not appear immediately, allow some time for the device to report its encryption state and upload the PRK.
In Bulk
You can export a CSV of FileVault escrowed keys from the Devices page. See Device Codes in Addigy for more information.
Note: Treat PRKs as highly sensitive information and restrict access to authorized admins only, in line with your security and compliance requirements.
Frequently Asked Questions
Why is FileVault showing as “off” even though I deployed the Device Setting?
This usually means the FileVault encryption process has not started yet on the Mac. Confirm that the FileVault profile is assigned to the device’s policy and installed on the device, that the designated user actually holds a Secure Token, and that this user has logged out and back in to complete deferred enablement.
What does “Deferred enablement appears to be active for ‘user’” mean?
This message indicates that FileVault is waiting for the specified user to complete the log out and log in process before encryption begins. That user must sign out of macOS and sign back in when prompted so FileVault can be enabled for their account and the disk can start encrypting.
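The following script is an added example for the status check in the deferred-enablement procedure above and for the two FAQ entries on “off” and “deferred” states; it is not Addigy’s own tooling. It classifies the text printed by fdesetup status and maps each state to the next action (have the named user log out and in; check that the Device Setting is installed; nothing to do). The sample outputs embedded in it are constructed from the wording this article quotes, not captured from a real device, and the sysadminctl wording (“Secure token is ENABLED for user …”) is assumed from the tool’s usual output. On a Mac it runs the real commands; elsewhere it falls back to the constructed sample so the parsing logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not Addigy's code): classify a Mac's FileVault state from
# `fdesetup status` output and print the action a FileVault admin should take.

# classify_fv_status: reads `fdesetup status` text on stdin, prints one token:
#   on               FileVault is On (encryption complete or still in progress)
#   deferred:<user>  FileVault is Off and waiting on the named Secure Token user
#   off              FileVault is Off with no deferral pending (profile missing?)
#   unknown          output not recognised; inspect it by hand
classify_fv_status() {
    text=$(cat)
    case "$text" in
        *"FileVault is On"*) printf 'on\n' ;;
        # Must be tested before the plain "Off" case: the deferred message is
        # printed on the line after "FileVault is Off." (wording as quoted above).
        *"Deferred enablement appears to be active"*)
            user=$(printf '%s\n' "$text" \
                | sed -n "s/.*active for user '\([^']*\)'.*/\1/p")
            printf 'deferred:%s\n' "$user" ;;
        *"FileVault is Off"*) printf 'off\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# secure_token_enabled: reads `sysadminctl -secureTokenStatus <user>` text on
# stdin (assumed wording "Secure token is ENABLED/DISABLED for user ...");
# returns 0 when the user holds a Secure Token, 1 otherwise.
secure_token_enabled() {
    case "$(cat)" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# fv_advice: turns a classification token into the remediation step.
fv_advice() {
    case "$1" in
        on) printf 'FileVault is on; nothing to do.\n' ;;
        deferred:*)
            u=${1#deferred:}
            printf 'Waiting on %s: have this user log out and back in (a restart does not trigger the prompt).\n' "$u" ;;
        off) printf 'No deferral pending: verify the FileVault Device Setting is installed (profiles list -type configuration).\n' ;;
        *) printf 'Unrecognised fdesetup output; inspect it manually.\n' ;;
    esac
}

# Run against the real tool on macOS; otherwise use a constructed sample that
# mimics a Mac still waiting on its deferred-enablement user.
if command -v fdesetup >/dev/null 2>&1; then
    state=$(fdesetup status | classify_fv_status)
else
    state=$(printf "FileVault is Off.\nDeferred enablement appears to be active for user 'jdoe'.\n" \
        | classify_fv_status)
fi
fv_advice "$state"

# Optional follow-up on macOS: confirm the deferred user can actually complete
# enablement, since only a Secure Token holder is prompted at logout.
case "$state" in
    deferred:*)
        if command -v sysadminctl >/dev/null 2>&1; then
            if sysadminctl -secureTokenStatus "${state#deferred:}" 2>&1 | secure_token_enabled; then
                printf 'User holds a Secure Token.\n'
            else
                printf 'User has NO Secure Token; enablement cannot complete for this account.\n'
            fi
        fi ;;
esac
```

Deploy it from the Devices page to many Macs at once and read the advice line per device; the deferred case names the exact account that must log out, which is the detail the plain “FileVault is Off.” line hides.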
Can I configure FileVault without escrowing the Personal Recovery Key?
Yes, you can enable FileVault without escrowing PRKs, but this increases the risk of permanent data loss if both the password and local recovery key are lost. Escrowing PRKs to Addigy is strongly recommended so you can recover encrypted devices while still maintaining strong security controls.
How do I monitor FileVault status across my fleet?
- GoLive > Security > FileVault Encryption.
- Review FileVault-related Device Facts such as FileVault Enabled & FileVault Key Escrowed from GoLive or the Devices page.
You can use Addigy’s reporting and GoLive views to see which devices are encrypted, pending encryption, or have failed to encrypt. This helps you verify compliance and quickly remediate devices that have not yet completed FileVault enablement.
How do I escrow Recovery Keys for devices that already have FileVault enabled?
Please see FAQ: Escrowing a FileVault Recovery Key Not Currently in Addigy and Reissue FileVault Recovery Keys with Escrow Buddy for more information.