How to Manage FileVault Recovery Keys

Addigy | 08/18/2022

When managing the devices on your network, protecting organizational data is one of the most important steps to mitigate cyber risks. Fortunately, macOS devices have built-in features to make this process easier.

As admins, it’s important to know which security tools are available so you can manage devices more confidently. With FileVault, businesses that use Apple devices are highly equipped to protect sensitive corporate data.

In this post, we’ll provide general instructions on how to deploy and monitor FileVault, along with options for using FileVault recovery keys.

What is FileVault?

FileVault is a disk encryption feature that’s unique to Apple devices that run macOS. FileVault is built into the latest Mac operating systems and automatically encrypts the data on the Mac’s startup disk. FileVault also ensures that the encrypted data can only be unlocked by an authorized user’s login credentials or by a recovery key.

Apple’s FileVault 2 is the most recent version of the FileVault disk encryption feature, which has been in place since 2005. FileVault protects Mac machines from being compromised and prevents unauthorized users from copying data from those devices.

How to Deploy & Monitor FileVault on All Apple Devices from Your MDM

By using mobile device management (MDM) through Addigy, IT administrators can quickly and seamlessly enforce FileVault disk encryption across all managed devices. Addigy’s comprehensive Help Center provides a visual walk-through of the steps required to deploy FileVault across all devices from your MDM.

For users familiar with an existing MDM configuration, the basic steps are as follows:

Creating the FileVault Management MDM Configuration

  1. On the Policies page, navigate to the Catalog at the top right of the page, and then from the MDM Configuration tab, click Add Configuration +.
  2. From here, select the Security and Privacy payload.
  3. From the Security and Privacy window, select Enable FileVault, make sure Escrow Personal Recovery Key is enabled, and select your preferred user deferral option. We usually recommend “on log out” so the user is not disrupted. Finally, click Create Configuration.

After the MDM Configuration is Created, Add It to the Policy

Once the Configuration is on the device, it will be in a state of Deferred Enablement. This means that the user who was logged in when the payload was applied, and who holds a Secure Token, must log out, enter their credentials, and sign back in before the FileVault encryption process begins. Until that happens, the disk remains unencrypted even though the configuration reports as installed, so it is worth monitoring devices for this intermediate state.
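As an added example (not Addigy’s own tooling), the following shell script classifies a Mac’s FileVault state from the text printed by Apple’s `fdesetup status` command, so a fleet check can flag devices that are still waiting in Deferred Enablement. The message strings it matches are assumed to follow fdesetup’s output format, and the sample outputs below are constructed for offline testing; on a real Mac you would pipe `sudo fdesetup status` into the function instead.

```shell
#!/bin/sh
# Added example, not part of the original post or of Addigy's product.
# Classifies FileVault state from `fdesetup status` text read on stdin.
# Assumption: fdesetup prints "FileVault is On." / "FileVault is Off." and,
# while a deferred enablement is pending, a line of the form
# "Deferred enablement appears to be active for user 'NAME'."

filevault_state() {
    # Prints one of: on, deferred, off, unknown.
    # The deferred case must be tested first because fdesetup also prints
    # "FileVault is Off." while the enablement is still deferred.
    text=$(cat)
    case "$text" in
        *"Deferred enablement appears to be active"*) echo deferred ;;
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *) echo unknown ;;
    esac
}

deferred_user() {
    # Extracts the account name that still has to log out and back in.
    sed -n "s/.*active for user '\([^']*\)'.*/\1/p"
}

report() {
    # Turns the classification into an admin-facing action line.
    state=$(printf '%s\n' "$1" | filevault_state)
    case "$state" in
        deferred) echo "ACTION: user '$(printf '%s\n' "$1" | deferred_user)' must log out and sign back in to start encryption" ;;
        off)      echo "ACTION: FileVault is off; verify the MDM configuration reached this device" ;;
        on)       echo "OK: disk is encrypted; confirm the Personal Recovery Key is escrowed in GoLive" ;;
        *)        echo "UNKNOWN: unexpected fdesetup output" ;;
    esac
}

# Constructed sample outputs (what fdesetup status would print in each state).
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

report "$SAMPLE_ON"
report "$SAMPLE_OFF"
report "$SAMPLE_DEFERRED"
```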

What is a FileVault Recovery Key?

FileVault recovery keys are required to restore access to data when a user forgets a password or no longer remembers their user credentials. An Apple recovery key is generally set up when the initial FileVault configuration is triggered.

Within the Addigy platform for mobile device management (MDM), complete sets of recovery keys can be set up in escrow. Recovery keys that have been placed securely in escrow can be viewed in GoLive or downloaded for easier access.

Steps for Managing FileVault Recovery Keys

Once you have enabled FileVault on your managed devices, you can then follow the steps to enable and manage corresponding recovery keys. With Addigy, you can do so using the Recovery Key steps below:

  • If Escrow Personal Recovery Key was selected, a Personal Recovery Key (PRK) will be generated and uploaded to your Addigy account.
  • The key will be escrowed to the Addigy platform within 30 minutes.
  • You can then find the PRK for each device by viewing the Security tab within GoLive.

Should You Use a FileVault Recovery Key?

Even if you generally manage FileVault processes with your mobile device management platform, recovery keys aren’t a required step. Even for personal uses and Apple device management, users will never be forced into setting up a recovery key.

With that in mind, many users choose to do so for an extra layer of protection and convenience. In a device management context, recovery keys are useful in the following scenarios:

  • Individuals forget one or multiple aspects of their login credentials (username or password), and need to trigger the recovery process.
  • Users and admins want to ensure unauthorized users are unable to gain access to the device under any circumstances.
  • When you have a Recovery Key escrowed to Addigy, you can also rotate the key remotely so that it is changed on a regular basis.

Since FileVault is the source of data encryption for Apple devices and users, it’s important to be as proactive as possible in maximizing its features and taking advantage of every security benefit.

Take Control of Your Apple Device Management

Automated monitoring is one way to ensure your data stays safe and secure around the clock. Addigy is committed to monitoring and rapid response, while leveraging the internal benefits of macOS, such as FileVault management.

Take control of your Apple MDM processes with an easy-to-use, user-friendly solution that helps you operate with greater efficiency and security.
