FileVault
Full-disk encryption for macOS. MDM can enforce FileVault, escrow recovery keys, and require encryption before allowing access to the device.
What to Know
FileVault is the primary defense against data breaches caused by lost, stolen, or improperly decommissioned Macs. Without full-disk encryption, anyone with physical access to a Mac can boot from external media and read every file, bypassing user passwords entirely. FileVault encrypts the entire startup disk using XTS-AES-128 encryption, so the data remains unreadable without the correct credentials, even if the drive is removed and connected to another system. On Macs with a T2 chip or Apple silicon the internal volume is always hardware-encrypted, but until FileVault is enabled the volume key is protected only by the hardware key and not by a user password, so enabling FileVault is still what ties access to the user's credentials.
MDM’s ability to enforce FileVault and escrow recovery keys is critical for enterprise security and compliance (HIPAA, SOC 2, GDPR). Without key escrow, a forgotten password results in permanent data loss. With proper MDM enforcement, IT can recover encrypted drives while maintaining the security benefits of encryption, balancing user convenience with organizational data protection requirements.
Common Scenarios
Enterprise IT: Corporate security policies typically mandate FileVault on all company-owned Macs. IT deploys FileVault profiles via MDM, automatically enabling encryption and escrowing recovery keys. If an employee forgets their password or leaves the company without sharing credentials, IT can use the escrowed key to unlock the drive and recover data.
MSP: MSPs enable FileVault as a baseline security control for all managed clients, particularly those in regulated industries. They use MDM to enforce encryption and centrally store recovery keys, allowing rapid response to lost-device incidents without client involvement. This also simplifies decommissioning workflows: because the data on an encrypted drive is unrecoverable once the encryption key is destroyed, the drive can be securely wiped with a cryptographic erase instead of multi-pass overwriting.
Education: Schools enable FileVault on staff devices that access student data or administrative systems. While student-facing devices may skip encryption to simplify device rotation and imaging, any Mac handling sensitive data (grades, attendance, IEPs) should be encrypted with MDM-escrowed recovery keys.
In Addigy
Addigy can enforce FileVault through configuration profiles, automatically enabling encryption on Macs and escrowing recovery keys to the Addigy console. Admins can view FileVault status for all devices, retrieve recovery keys for locked Macs, and set policies to defer enablement until convenient for users. Addigy also supports institutional recovery keys for organizations that prefer centralized key management over per-device escrow.
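Enforcement only helps if you can verify it, so here is an added example of the kind of compliance check an admin might run on a Mac to confirm that FileVault is on and a recovery key exists. This is illustrative code, not Addigy's own script or an Apple-provided tool. It classifies the text printed by macOS's `fdesetup status` (on, encrypting, deferred, off) and combines it with the true/false result of `fdesetup haspersonalrecoverykey` (which requires root). The sample strings below are constructed approximations of that command's output and are used only when `fdesetup` is not present on the host.

```shell
#!/bin/sh
# Classify the FileVault state from the text that `fdesetup status` prints.
# Output is one word: on | encrypting | deferred | off | unknown.
# The patterns are checked in order so that a status of "On" that is still
# encrypting, or "Off" with deferred enablement pending, gets the more specific label.
fv_state() {
  out="$1"
  case "$out" in
    *"Encryption in progress"*) echo encrypting ;;
    *"Deferred enablement"*)    echo deferred ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# Policy check: succeed (exit 0) only when FileVault is on or actively encrypting
# AND a recovery key is present; any other combination is non-compliant (exit 1).
# $1 = output of `fdesetup status`, $2 = "true"/"false" from `fdesetup haspersonalrecoverykey`.
fv_compliant() {
  state=$(fv_state "$1")
  has_key="$2"
  case "$state" in
    on|encrypting) [ "$has_key" = "true" ] ;;
    *)             return 1 ;;
  esac
}

if command -v fdesetup >/dev/null 2>&1; then
  # Live path (macOS): haspersonalrecoverykey needs root, so fall back to "false" if it fails.
  status_out=$(fdesetup status)
  key_out=$(fdesetup haspersonalrecoverykey 2>/dev/null || echo false)
else
  # Constructed sample: a Mac where enablement was deferred and no key has been escrowed yet.
  status_out='FileVault is Off.
Deferred enablement appears to be active for user "jdoe".'
  key_out=false
fi

printf 'state=%s recovery_key=%s\n' "$(fv_state "$status_out")" "$key_out"
if fv_compliant "$status_out" "$key_out"; then
  echo "COMPLIANT"
else
  echo "NONCOMPLIANT: FileVault not fully enabled or no recovery key present"
fi
```

A "deferred" result is worth surfacing separately rather than treating it as plain "off": it means the MDM profile landed but the user has not yet completed enablement at login, which is the window the deferral policy in Addigy is meant to bound.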
Also Known As
- FileVault 2
- Full Disk Encryption
- FDE