FileVault Enablement with Jamf Connect

You can use Jamf Connect to enable FileVault on computers for administrator and standard local accounts. You can also store the user's personal recovery key at a specified file path.

Keep the following security and user experience considerations in mind when choosing to use Jamf Connect and FileVault on computers:

  • User Data Protections on macOS 10.15 or later—To ensure FileVault is enabled and users are not locked out of computers with Jamf Connect, a Privacy Preferences Policy Control (PPPC) configuration profile must be installed on computers with macOS 10.15 or later. You can download this configuration profile from Jamf's GitHub repository or configure and deploy it with Jamf Pro.

  • Unintentionally bypassing Jamf Connect—If Jamf Connect is installed on computers, the default macOS automatic login behavior with FileVault may prevent the Jamf Connect login window from loading.

  • Additional login prompts for users—When FileVault is enabled on a computer, a login screen is displayed before macOS launches via the extensible firmware interface (EFI). This login screen is built in at the EFI level, or provided by a special boot loader on computers with the T2 chip. The user must enter their FileVault password to unlock the boot drive and launch macOS. Once the drive is unlocked, FileVault passes the user's password to the macOS loginwindow application, which automatically logs in the user and loads the Finder.

Configuring a Privacy Preference Policy Control Payload on macOS 10.15 or Later

To enable FileVault settings on macOS 10.15 or later, you must install a configuration profile that configures the Privacy Preferences Policy Control (PPPC) payload on computers. You can upload the profile to an MDM solution manually or configure and deploy it in Jamf Pro:

Uploading Privacy Preference Policy Control Settings Manually

You can upload a .mobileconfig file directly to your MDM solution or install it locally.

To obtain this configuration profile for upload, see the following from Jamf's GitHub repository:

Configuring and Deploying Privacy Preference Policy Control Settings with Jamf Pro

To configure and deploy PPPC payload settings with Jamf Pro, complete the following steps:

  1. In Jamf Pro, click Settings in the top-right corner.

  2. In the Computer Management section, click Security.

  3. Click Edit.

  4. Select the Jamf Connect checkbox from the Automatically install Privacy Preferences Policy Control profile settings section.

  5. Click Save.

Disabling Automatic FileVault Login

To prevent the macOS login process from skipping Jamf Connect Login when FileVault is enabled, you can disable automatic login on computers.

The following diagram shows how this setting ensures Jamf Connect is not bypassed during login:


To disable automatic login on computers, you can upload the following PLIST file using the Custom Settings payload in your MDM solution. Make sure you specify the following preference domain:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

User Experience and Security

Although security measures, such as FileVault and multi-factor authentication (MFA), significantly improve the security of a Mac, administrators should only implement necessary security features in their environment to ensure a positive end user experience. Excessive security combined with Jamf Connect may result in multiple computer login prompts for users to access a Mac and continuous authentication with Jamf Connect Sync or Verify.

The following diagram shows an example of how too many security measures at the login window can create a negative user experience.


Enabling FileVault for Standard Local Accounts

If you want to use Jamf Connect to create a standard local account that is FileVault enabled, you must use the Local Administrator Password Solution (LAPSUser) setting. This setting randomizes an already existing local administrator account password, uses the password to enable FileVault and create a personal recovery key, and then cycles the personal recovery key to become the local administrator password. This results in the configured LAPS user account and standard user account being FileVault enabled.


  • The first FileVault enabled user account on a computer cannot be a standard user account. An existing local administrator account must already be on the computer to use this method.

  • Only the first created standard account will receive a SecureToken.

FileVault Settings

Domain: com.jamf.connect.login

Description: Used to configure how FileVault is enabled with Jamf Connect.

Enable FileVault

If set to true, FileVault will be enabled for the first user that logs in to a computer.

Save FileVault Recovery Key

If set to true, Jamf Connect will store the personal recovery key (PRK) in /var/db/NoMADFDE unless otherwise specified.

Set Recovery Key Filepath

Specifies a custom file path for the PRK rather than using /var/db/NoMADFDE by default.

Local Administrator Password Solution (LAPSUser)

An existing local administrator account whose password Jamf Connect can change to the personal recovery key. This setting is only used by Jamf Connect to help enable FileVault on standard accounts on macOS 10.15 or later.
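The Custom Settings upload described under "Disabling Automatic FileVault Login" and the FileVault Settings reference above both come down to the same artifact: a managed-preferences configuration profile that forces keys in a preference domain. The following added example (not Jamf's own tooling, and not code from this page) builds such a profile for the com.jamf.connect.login domain with Python's plistlib, reads it back the way an administrator would when reviewing a profile before deployment, and resolves where the personal recovery key will land (the page's default /var/db/NoMADFDE unless a custom path is set). The payload identifier com.example.jamfconnect.filevault and the account name localadmin are constructed placeholders; the preference key names EnableFDE, EnableFDERecoveryKey, EnableFDERecoveryKeyPath and LAPSUser are assumptions, since this page lists the settings only by display name, and should be confirmed against current Jamf Connect documentation.

```python
"""Build and inspect a Custom Settings (managed preferences) profile for the
com.jamf.connect.login FileVault keys. Added example; not Jamf's tooling."""
import plistlib
import uuid

# Preference domain and default PRK location as given on the page.
JAMF_CONNECT_LOGIN_DOMAIN = "com.jamf.connect.login"
DEFAULT_PRK_PATH = "/var/db/NoMADFDE"

# ASSUMPTION: key names. The page shows only the display names of these
# settings; confirm the exact keys against current Jamf Connect documentation.
KEY_ENABLE_FDE = "EnableFDE"                 # "Enable FileVault"
KEY_SAVE_PRK = "EnableFDERecoveryKey"        # "Save FileVault Recovery Key"
KEY_PRK_PATH = "EnableFDERecoveryKeyPath"    # "Set Recovery Key Filepath"
KEY_LAPS_USER = "LAPSUser"                   # "Local Administrator Password Solution"

MCX_PAYLOAD_TYPE = "com.apple.ManagedClient.preferences"


def build_filevault_settings(enable_fde=True, save_prk=True, prk_path=None, laps_user=None):
    """Return the key/value dict for the domain. prk_path=None means "use the
    default location", so the path key is omitted rather than written empty."""
    settings = {KEY_ENABLE_FDE: bool(enable_fde), KEY_SAVE_PRK: bool(save_prk)}
    if prk_path is not None:
        if not prk_path.startswith("/"):
            raise ValueError("recovery key path must be absolute")
        settings[KEY_PRK_PATH] = prk_path
    if laps_user:
        settings[KEY_LAPS_USER] = laps_user
    return settings


def build_custom_settings_profile(domain, settings, identifier, display_name):
    """Wrap settings in a Custom Settings profile. The managed-preferences payload
    nests the keys as PayloadContent -> <domain> -> Forced -> [mcx_preference_settings]."""
    payload = {
        "PayloadType": MCX_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.custom-settings",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Custom Settings: {domain}",
        "PayloadContent": {domain: {"Forced": [{"mcx_preference_settings": settings}]}},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }


def profile_to_mobileconfig(profile):
    """Serialize the profile dict to XML plist bytes (the .mobileconfig content)."""
    return plistlib.dumps(profile)


def forced_settings(mobileconfig_bytes, domain):
    """Read back every Forced key for `domain` from a .mobileconfig, merged into
    one dict. Returns None if the profile does not manage that domain at all."""
    profile = plistlib.loads(mobileconfig_bytes)
    merged = None
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != MCX_PAYLOAD_TYPE:
            continue
        entry = payload.get("PayloadContent", {}).get(domain)
        if not entry:
            continue
        merged = {} if merged is None else merged
        for forced in entry.get("Forced", []):
            merged.update(forced.get("mcx_preference_settings", {}))
    return merged


def effective_prk_path(settings):
    """Where the PRK will be stored under these settings: the custom path if one
    is set, otherwise the page's default. None when no PRK is saved at all."""
    if not settings.get(KEY_SAVE_PRK):
        return None
    return settings.get(KEY_PRK_PATH, DEFAULT_PRK_PATH)


if __name__ == "__main__":
    # Constructed sample: LAPS account "localadmin", PRK kept at a custom path.
    settings = build_filevault_settings(laps_user="localadmin", prk_path="/var/db/prk")
    profile = build_custom_settings_profile(
        JAMF_CONNECT_LOGIN_DOMAIN, settings, "com.example.jamfconnect.filevault",
        "Jamf Connect FileVault Settings")
    data = profile_to_mobileconfig(profile)
    print(data.decode())
    print("PRK path:", effective_prk_path(forced_settings(data, JAMF_CONNECT_LOGIN_DOMAIN)))
```

Reading the profile back with forced_settings() before upload is the useful part for review: it confirms the keys actually sit under the intended domain and, because the recovery key path is what decides where a PRK ends up on disk, effective_prk_path() makes the consequence of leaving the path key unset explicit rather than implied.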



Related Information

For related information about macOS Security, see the following documentation from Apple:

For related information about User Data Protections and FileVault, see the following Knowledge Base articles:

For related information about administering FileVault with Jamf Pro, see the Administering FileVault on macOS 10.14 or Later with Jamf Pro technical paper.

© copyright 2002-2020 Jamf. All rights reserved.