Understand Supported FileVault Recovery and User Scenarios

To decrypt a FileVault encrypted device, either enter a password for a FileVault encrypted user or, if all passwords have been forgotten, a recovery method can be used to access macOS Recovery Mode. 

Available recovery methods for FileVault include:

• AppleID
• Personal Recovery Keys
• Institutional Recovery Keys

A device can also be encrypted with a combination of these recovery methods. When the JumpCloud FileVault policy is applied, a Personal Recovery Key is escrowed to the JumpCloud console and can be used to decrypt the disk if passwords are lost or forgotten. AppleID and Institutional Recovery Keys can be used as FileVault recovery methods, but you must boot to recovery to use those methods.

If a Personal Recovery Key is set as the only FileVault recovery method, that key can be used to decrypt the disk at the FileVault decryption screen. Should a user forget their password, a prompt will appear after three failed attempts, if the personal recovery key for that system is entered, the system will boot to the login screen. 

If an AppleID or Institutional Recovery Key is set as a FileVault recovery method, the system will require booting into macOS Recovery Mode to make use of those recovery methods. The AppleID specifically requires an internet connection in recovery to login to a user's AppleID account. 

There are several scenarios where it would be inadvisable to use AppleID or Institutional Recovery Keys as FileVault Recovery Methods.

Inadvisable FileVault Recovery Methods / JumpCloud User Scenarios

Apple ID Recovery with a Single User

FileVault Recovery Method: AppleID

System Configuration: One JumpCloud User Bound to system

If a single JumpCloud user is bound to a FileVault encrypted system with an AppleID recovery method, that user could get locked out of their system indefinitely if they were to forget their password. At this time, JumpCloud accounts can not have their passwords reset in recovery mode to prevent unauthorized access. 

Institutional Recovery Key + Personal Recovery Key with a Single User

FileVault Recovery Method: Institutional Recovery Key + Personal Recovery Key

System Configuration: One JumpCloud User Bound to system

If the Institutional Recovery Key + Personal Recovery Key combination is used when encrypting a Mac system with a T2 chip, and if the password for the single user is forgotten, the system must boot to recovery to make use of the Institutional Recovery Method. 

If a single JumpCloud user is bound to a FileVault encrypted system with the Institutional Recovery Key + Personal Recovery Key recovery method, that user could get locked out of their system indefinitely if they were to forget their password. At this time, JumpCloud accounts can not have their passwords reset in Recovery Mode to prevent unauthorized access.

Supported FileVault Recovery Method / Single JumpCloud User Scenarios

Personal Recovery Key with Single User

FileVault Recovery Method: Personal Recovery Key

System Configuration: One JumpCloud User Bound to system

A single JumpCloud user is bound to a FileVault encrypted system with a Personal Recovery Key recovery method. If that user is locked out of their system by forgetting their password, they could bypass the FileVault screen with the Personal Recovery Key. Once at the login screen and when connected to a network (either a known wifi network or with an ethernet connection) the JumpCloud agent can change the user’s password.

Supported FileVault Recovery Methods / Multiple User Scenarios 

Institutional Recovery Key + Personal Recovery Key with Multiple User

FileVault Recovery Method: Institutional Recovery Key + Personal Recovery Key

System Configuration: One JumpCloud user, one local administrator.

A system is FileFault encrypted with an Institutional and Personal Recovery Key. If that user is locked out of their system by forgetting their password, they could either be provided the local administrator account password to bypass FileVault or enter Recovery Mode using the Personal Recovery Key. In Recovery Mode, the FileVault enabled local administrator account’s password can be reset to enter the login screen. Once at the login screen and when connected to a network (either a known wifi network or with an ethernet connection) the JumpCloud Agent can change the JumpCloud user’s password.

AppleID + Personal Recovery Key with Multiple User

FileVault Recovery Method: Institutional Recovery Key + Personal Recovery Key

System Configuration: One JumpCloud user, one local administrator.

A system is FileFault encrypted with an AppleID and Personal Recovery Key recovery method. If that user is locked out of their system by forgetting their password, they could either be provided the local administrator account’s password to bypass FileVault or enter Recovery Mode with the AppleID credentials and then reset the password of the local administrator account to get to the login screen. Once at the login screen and when connected to a network (either a known wifi network or with an ethernet connection) the JumpCloud Agent can change the JumpCloud user’s password.

Personal Recovery Key with Multiple Users

FileVault Recovery Method: Personal Recovery Key

System Configuration: One JumpCloud User bound to system

A set of JumpCloud users are bound to a FileVault encrypted system with a Personal Recovery Key. If any user is locked out of their system by forgetting their password, they can bypass the FileVault screen using the Personal Recovery Key. Alternatively, a different user’s password can be used to bypass the FileVault screen. Once at the login screen and when connected to a network (either a known wifi network or with an ethernet connection) the JumpCloud agent can change a user’s password.

If a non-JumpCloud user account was provisioned on this system, that account’s password could be reset in Recovery Mode. That user’s password could be used to bypass FileVault and gain access to the login screen. Once at the login screen and when connected to a network (either a known wifi network or with an ethernet connection) the JumpCloud Agent can change the user’s password. Alternatively, if no known network is available at the login screen, that newly reset user account can be used to access the OS and connect to a network.