Disk Encryption Payload
Payload that configures FileVault disk encryption on Macs. Can enforce encryption, configure recovery key escrow to MDM, and prevent user disablement.
What to Know
Full-disk encryption is essential for protecting organizational data on lost or stolen devices. The Disk Encryption payload ensures that all data on a Mac is encrypted at rest, making it unreadable without proper authentication. Escrowing recovery keys to MDM prevents data loss when users forget their passwords, while preserving IT’s ability to recover encrypted data when needed. Without enforced encryption, devices containing sensitive information create significant data breach risks and compliance violations.
FileVault encryption is required by many security frameworks and compliance standards including HIPAA, PCI-DSS, and SOC 2. Organizations that fail to encrypt devices risk severe regulatory penalties and reputational damage in the event of device theft or loss.
Common Scenarios
Enterprise IT: Enforcing FileVault on all corporate MacBooks to protect customer data, intellectual property, and confidential communications. IT teams escrow recovery keys to ensure data recovery when employees leave or forget credentials.
MSP: Implementing encryption policies across client fleets to meet industry-specific compliance requirements. MSPs use escrowed keys to assist clients with password recovery without requiring full device wipes, reducing downtime and data loss incidents.
Education: Encrypting faculty and administrative devices that store student records, financial data, and personnel information. Education institutions balance encryption enforcement with recovery key management to prevent data loss during staff transitions.
In Addigy
Addigy’s FileVault configuration options allow admins to enforce encryption, escrow recovery keys to Addigy’s secure vault, and generate compliance reports showing encryption status across the fleet. When FileVault is enabled through Addigy, recovery keys are automatically encrypted and stored, accessible only to authorized admins through the device details page.
Addigy provides detailed logging of FileVault enablement status, including failures and user deferrals. Admins can see which devices are encrypted, pending encryption, or failed to encrypt, enabling proactive remediation of compliance gaps.
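The encrypted / pending / failed buckets described above come down to interpreting what each Mac reports. The helper below is an added example, not Addigy’s reporting code: it classifies the text that the built-in fdesetup status command prints and flags a device as a compliance gap unless it is both fully encrypted and has an escrowed key. The function takes the command output as an argument so it can be exercised offline on the constructed samples at the end; on a real Mac it is called as fv_state "$(sudo fdesetup status)", and the "escrowed" flag is assumed to come from the MDM’s device record.

```shell
#!/bin/sh
# Classify a Mac's FileVault state from the output of `fdesetup status`.
# Order matters: the in-progress and deferred lines appear after the
# "FileVault is On/Off." line, so they are matched first.
fv_state() {
    case "$1" in
        *"Encryption in progress"*) echo "pending";;     # encrypting now
        *"Decryption in progress"*) echo "decrypting";;  # someone turned it off
        *"Deferred enablement"*)    echo "deferred";;    # waits for next login
        *"FileVault is On"*)        echo "encrypted";;
        *"FileVault is Off"*)       echo "off";;
        *)                          echo "unknown";;     # unexpected output
    esac
}

# A device is compliant only when fully encrypted AND the recovery key is
# held by the MDM. Argument 2 is "yes" when the MDM has a stored key.
fv_compliant() {
    state=$(fv_state "$1")
    if [ "$state" = "encrypted" ] && [ "$2" = "yes" ]; then
        echo "compliant"
    else
        echo "gap: state=$state escrowed=$2"
    fi
}

# Constructed samples of what fdesetup prints on three differently configured Macs.
for sample in "FileVault is On." \
              "$(printf 'FileVault is On.\nEncryption in progress: Percent completed = 36.')" \
              "$(printf 'FileVault is Off.\nDeferred enablement appears to be active for user jdoe.')"
do
    printf '%s -> %s\n' "$(printf '%s' "$sample" | head -n 1)" "$(fv_state "$sample")"
done
```

An "encrypted" device with no escrowed key is the case most often missed: the disk is protected, but a forgotten password becomes a data-loss event instead of a help-desk ticket, which is why the compliance check requires both conditions.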
Also Known As
- FileVault Payload
- Encryption Payload