{"id":75263,"date":"2023-05-17T11:46:27","date_gmt":"2023-05-17T15:46:27","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&#038;p=75263"},"modified":"2023-06-05T13:11:04","modified_gmt":"2023-06-05T17:11:04","slug":"create-a-mac-filevault-2-policy","status":"publish","type":"support","link":"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy","title":{"rendered":"Create a Mac FileVault 2 Policy"},"content":{"rendered":"\n<p>You can use this policy to remotely enforce FileVault on macOS devices and easily view Recovery Keys. FileVault full-disk encryption (FileVault 2)&nbsp;helps prevent unauthorized access to the information on your user&#8217;s startup disks. FileVault 2 uses XTS-AES-128 encryption with a 256-bit key.<\/p>\n\n\n\n<p>After you enforce a FileVault policy, your users need a secure token to enable it. The advent of Apple File Systems (APFS) in macOS 10.13 changed the way Apple manages FileVault encryption keys. To secure and provide access to encryption keys required for FileVault decryption, Apple introduced Secure Tokens. Ensure your users have Secure Tokens by following the instructions in&nbsp;<a href=\"https:\/\/jumpcloud.com\/support\/install-and-use-the-service-account-for-macos\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Use the Service Account for macOS<\/a>. You can also watch a video tutorial on&nbsp;<a href=\"https:\/\/youtu.be\/mzI32qs3snk\" target=\"_blank\" rel=\"noreferrer noopener\">FileVault Management<\/a>.<\/p>\n\n\n\n<p><strong>Prerequisites<\/strong><\/p>\n\n\n\n<ul>\n<li>This policy is supported on macOS 10.13 and later.<\/li>\n\n\n\n<li>Users need a valid Secure Token.<\/li>\n\n\n\n<li>Mobile Device Management (MDM) is configured for your organization and devices are enrolled in JumpCloud\u2019s MDM. See&nbsp;<a href=\"https:\/\/jumpcloud.com\/support\/set-up-apple-mdm\" target=\"_blank\" rel=\"noreferrer noopener\">Set up Apple MDM<\/a>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Considerations<\/strong><br>After an administrator creates and saves this policy, users must enable the use of FileVault on their macOS devices. Any user on a device with a valid Secure Token is added to FileVault.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Create a Mac FileVault 2 Policy&nbsp;<\/h2>\n\n\n\n<p>When you create a FileVault policy, you can enable and configure the following settings:<\/p>\n\n\n\n<ul>\n<li><strong>Show the FileVault Recovery Key to the user when enabled&nbsp;&#8211;&nbsp;<\/strong>When this option is selected, the user sees the Recovery Key and can store it in a safe&nbsp;place.<\/li>\n\n\n\n<li><strong>Do not prompt the user to enable FileVault at logout<\/strong>&nbsp;-There are two possible prompt locations for the user to enable FileVault, at login and at logout. With this option selected, the user is only prompted to enable FileVault&nbsp;when they log in.<\/li>\n\n\n\n<li><strong>Number of times the user can bypass enabling FileVault&nbsp;&#8211;&nbsp;<\/strong>You can let the user postpone enabling FileVault for the number of times you enter in this field. When the value you enter has been exceeded they are forced to enable FileVault before they can login to their device.\u200b\u200b<\/li>\n<\/ul>\n\n\n\n<p><strong>To create a FileVault 2 policy:<\/strong><\/p>\n\n\n\n<ol>\n<li>Log in to the JumpCloud AdminPortal:&nbsp;<a target=\"_blank\" href=\"https:\/\/console.jumpcloud.com\/login\" rel=\"noreferrer noopener\">https:\/\/console.jumpcloud.com\/login<\/a>.<\/li>\n\n\n\n<li>Go to&nbsp;<strong>DEVICE MANAGEMENT&nbsp;<\/strong>&gt;<strong>Policies<\/strong>.<\/li>\n\n\n\n<li>In the&nbsp;<strong>All<\/strong>&nbsp;tab, click (<strong>+<\/strong>).<\/li>\n\n\n\n<li>On the New Policy panel, select the&nbsp;<strong>Mac<\/strong>&nbsp;tab.<\/li>\n\n\n\n<li>Select the FileVault 2 policy from the list, then click&nbsp;<strong>configure<\/strong>.<\/li>\n\n\n\n<li>On the New Policy panel, optionally enter a new name for the policy, or keep the default.&nbsp;Policy names must be unique.<\/li>\n\n\n\n<li>Under&nbsp;<strong>Settings<\/strong>, select&nbsp;<strong>Show the FileVault Recovery Key to the user when enabled<\/strong>&nbsp;to display the Apple generated Personal Recovery Key (PRK) to the user. The PRK will also be escrowed by JumpCloud.<\/li>\n\n\n\n<li>Select&nbsp;<strong>Do not prompt the user to enable FileVault at logout<\/strong>&nbsp;to&nbsp;not&nbsp;prompt&nbsp;to enable FileVault at the next logout. Instead, users will be prompted at their next login.<\/li>\n\n\n\n<li>If you selected&nbsp;<strong>Do not prompt the user to enable FileVault at logout<\/strong>, enter a number greater than zero in&nbsp;<strong>Number Of Times The User Can Bypass Enabling FileVault<\/strong>.<br><img decoding=\"async\" width=\"2748\" height=\"1592\" class=\"wp-image-83384\" style=\"width: 1200px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2.png\" alt=\"\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2.png 2748w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2-300x174.png 300w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2-1024x593.png 1024w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2-768x445.png 768w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2-1536x890.png 1536w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2-2048x1186.png 2048w\" sizes=\"(max-width: 2748px) 100vw, 2748px\" \/><\/li>\n\n\n\n<li>(Optional) Select the&nbsp;<strong>Device Groups<\/strong>&nbsp;tab. Select one or more device groups where you&#8217;ll apply this policy.&nbsp;<\/li>\n\n\n\n<li>(Optional) Select the&nbsp;<strong>Devices<\/strong>&nbsp;tab. Select one or more devices where you&#8217;ll apply this policy.<\/li>\n\n\n\n<li>Log out and log back in for this policy to take effect.<\/li>\n\n\n\n<li>Click&nbsp;<strong>save policy<\/strong>.<\/li>\n<\/ol>\n\n\n\n<p>After you save the policy and the user logs out and back in, the policy takes effect on active devices in near real-time, but could take up to a few minutes. The policy is enforced on any inactive devices the next time they become active.<\/p>\n\n\n\n<p>In the Admin Portal, you can check the policy to see if it&#8217;s successfully applied.&nbsp;If FileVault is already enabled on the device when the policy is applied, the following behavior occurs:<\/p>\n\n\n\n<ul>\n<li>JumpCloud rotates the Recovery Key on the device.\u200b\u200b<\/li>\n\n\n\n<li>Key rotation may be immediate, but may also take up to one hour.<\/li>\n\n\n\n<li>\u200b\u200bIn order for JumpCloud to rotate the Recovery Key, the&nbsp;JumpCloud Service Account&nbsp;must be present on the device.&nbsp;<\/li>\n\n\n\n<li>Once the Recovery Key is successfully rotated, JumpCloud records the new Recovery Key in the Administrator Portal on the device&#8217;s details.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>At this point, FileVault is now completely enabled on the devices where you applied this policy. You can view the Recovery Key for the device, and users can&#8217;t disable FileVault.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Understand User Experience<\/h2>\n\n\n\n<p>After the policy is applied to the device, the user sees the following prompts when they log in or log out of their device:<\/p>\n\n\n\n<ul>\n<li><strong>Enable FileVault<\/strong>&nbsp;-If the administrator lets the user postpone enabling FileVault, they can click the&nbsp;<strong>Cancel<\/strong>&nbsp;button on this&nbsp;dialog and log in or log out of the device.&nbsp;When the user bypasses enabling FileVault more times than the administrator allows, the user is&nbsp;forced to enable FileVault before they can login to their device.\u200b\u200b<\/li>\n\n\n\n<li><strong>Confirmation of encryption<\/strong><\/li>\n\n\n\n<li><strong>Displays&nbsp;the Recovery Key&nbsp;<\/strong>&#8211; If the administrator enables this&nbsp;option.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">View Expected Behavior<\/h2>\n\n\n\n<ul>\n<li>The Recovery Key field doesn&#8217;t appear on a device&nbsp;until JumpCloud has&nbsp;a Recovery Key.<\/li>\n\n\n\n<li>JumpCloud displays&nbsp;the device&#8217;s status as&nbsp;<strong>Unencrypted<\/strong>&nbsp;until the FileVault encryption process is complete. After the process is complete, then within the next two hours, JumpCloud displays&nbsp;the device&#8217;s status as&nbsp;<strong>Encrypted<\/strong>.<\/li>\n\n\n\n<li>If the Admin lets the user postpone enabling FileVault, the number of times it is allowed depends on the value set by the administrator and the following conditions:\n<ul>\n<li>Logging in and out of a device&nbsp;doesn&#8217;t&nbsp;count against users that you add&nbsp;after the policy has been applied.&nbsp;<\/li>\n\n\n\n<li>Fast user switching doesn\u2019t count against the number of times allowed.<\/li>\n\n\n\n<li>Logging in and out of a device&nbsp;counts against any user that is logged in when you apply the policy.<\/li>\n\n\n\n<li>If all all users are logged in, then logging in and out of a device&nbsp;counts against all users.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If FileVault is already enabled on the device&nbsp;when the policy is applied, you see the following behavior:\n<ul>\n<li>The user can&#8217;t disable FileVault<\/li>\n\n\n\n<li>A new Recovery Key is generated<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If the user attempting to log in doesn&#8217;t have a Secure Token enabled, you see the following behavior:\n<ul>\n<li>The user can continue through the prompts and log in but&nbsp;FileVault won&#8217;t be&nbsp;enabled.<\/li>\n\n\n\n<li>The user sees the prompt and can click the&nbsp;<strong>Enable Now<\/strong>&nbsp;button.<\/li>\n\n\n\n<li>The user won&#8217;t&nbsp;see a Recovery Key and FileVault won&#8217;t be enabled.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>You can use this policy to remotely enforce FileVault on macOS devices and easily view Recovery Keys. FileVault full-disk encryption [&hellip;]<\/p>\n","protected":false},"author":202,"featured_media":0,"template":"","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"support_category":[2925,2852,2862,3082],"support_tag":[],"coauthors":[2836,3011],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.9 (Yoast SEO v22.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Create a Mac FileVault 2 Policy - JumpCloud<\/title>\n<meta name=\"description\" content=\"Learn how to remotely enforce FileVault on macOS devices and easily view Recovery Keys.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Create a Mac FileVault 2 Policy\" \/>\n<meta property=\"og:description\" content=\"Learn how to remotely enforce FileVault on macOS devices and easily view Recovery Keys.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:modified_time\" content=\"2023-06-05T17:11:04+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"6 minutes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data2\" content=\"denasteward, nickconrad\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy\",\"url\":\"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy\",\"name\":\"Create a Mac FileVault 2 Policy - JumpCloud\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2.png\",\"datePublished\":\"2023-05-17T15:46:27+00:00\",\"dateModified\":\"2023-06-05T17:11:04+00:00\",\"description\":\"Learn how to remotely enforce FileVault on macOS devices and easily view Recovery Keys.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy#primaryimage\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2.png\",\"width\":2748,\"height\":1592,\"caption\":\"FileVault 2 Policy configuration settings within the JumpCloud Admin Console.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Support\",\"item\":\"https:\/\/jumpcloud.com\/support\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Create a Mac FileVault 2 Policy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Create a Mac FileVault 2 Policy - JumpCloud","description":"Learn how to remotely enforce FileVault on macOS devices and easily view Recovery Keys.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy","og_locale":"en_US","og_type":"article","og_title":"Create a Mac FileVault 2 Policy","og_description":"Learn how to remotely enforce FileVault on macOS devices and easily view Recovery Keys.","og_url":"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy","og_site_name":"JumpCloud","article_modified_time":"2023-06-05T17:11:04+00:00","og_image":[{"url":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2.png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"6 minutes","Written by":"denasteward, nickconrad"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy","url":"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy","name":"Create a Mac FileVault 2 Policy - JumpCloud","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy#primaryimage"},"image":{"@id":"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2.png","datePublished":"2023-05-17T15:46:27+00:00","dateModified":"2023-06-05T17:11:04+00:00","description":"Learn how to remotely enforce FileVault on macOS devices and easily view Recovery Keys.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy#primaryimage","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/05\/console_mac_filevault_2.png","width":2748,"height":1592,"caption":"FileVault 2 Policy configuration settings within the JumpCloud Admin Console."},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/support\/create-a-mac-filevault-2-policy#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"Support","item":"https:\/\/jumpcloud.com\/support"},{"@type":"ListItem","position":3,"name":"Create a Mac FileVault 2 Policy"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/75263"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/support"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/202"}],"version-history":[{"count":3,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/75263\/revisions"}],"predecessor-version":[{"id":88525,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/75263\/revisions\/88525"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=75263"}],"wp:term":[{"taxonomy":"support_category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_category?post=75263"},{"taxonomy":"support_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_tag?post=75263"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=75263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}