Administering FileVault on Computers

You can activate FileVault disk encryption using a profile.

Administering FileVault on computers involves the following steps:

  1. Creating a recovery key.

  2. (Optional) Export an institutional recovery key.

  3. Create and deploy a profile with the recovery key certificate and FileVault settings.

Creating a Recovery Key

You can create a personal or institutional recovery key to unlock encrypted volumes on computers. For more information about how to create recovery keys, see the Set a FileVault recovery key for computers in your institution article from Apple's support website.

Note: After you create an institutional recovery key, download the recovery key certificate file (.cer) to upload to Jamf School.

Administering FileVault on Computers


To administer FileVault on computers, you need:

  • Computers with macOS 10.7 or later

  • A device group of computers you want to administer FileVault on (For more information, see Device Groups.)


  1. In Jamf School, navigate to Profiles in the sidebar.

  2. Click +Create Profile.

  3. Select macOS for the Platform.

  4. Select the type of enrollment you want to make the profile for.

  5. Enter a name in the Profile name field and configure the additional settings as needed, including the removal policy and time filter.

  6. Click Finish.

  7. Use the Scope payload to configure the scope of the profile by clicking the + icon and adding the computer device group to the profile scope.

  8. (Institutional recovery key only) Using the Certificates payload, click Choose file and upload the institutional recovery key certificate file (.cer).

  9. Use the FileVault payload to configure the settings, including the following:

    1. Ensure the Enable FileVault checkbox is selected.

    2. Choose the recovery key type.

    3. (Institutional recovery key only) Choose the certificate to use from the Certificate pop-up menu.

    4. (Personal recovery key only) To ensure the personal recovery key is stored in Jamf School, select the Enable Personal Recovery Key Escrow checkbox. This allows you to view the personal recovery key in the device details.

      Important: Personal recovery key escrow should be used as a last resort. It is recommended that you always set an institutional recovery key along with enabling the personal recovery key to reduce the risk of losing all recovery keys.

  10. Configure the other payloads as needed.

  11. Click Save.

The new profile appears in the Profiles overview.

Unlocking a FileVault-Encrypted Volume

If you want to unlock the user's encrypted startup disk, you can use the recovery key. For more information, see the Set a FileVault recovery key for computers in your institution article from Apple's support website.

Related Information

For related information about FileVault, see the Use FileVault to encrypt the startup disk on your Mac article from Apple's support website.

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2021 Jamf. All rights reserved.