Deploying FileVault with a Configuration Profile

This article will discuss deploying FileVault 2 via a Configuration Profile to managed Macs with Jamf Pro using either an Individual Recovery Key, an Institutional Recovery Key, or both together.

Creating an Institutional Recovery Key

Skip this section if you do not plan to deploy an Institutional Recovery Key.

Jamf has excellent documentation on how the Institutional Recovery Key is created. In order to wind up with a key we can upload to Jamf Pro, use the directions in the section titled “Creating and Exporting an Institutional Recovery Key without the Private Key” to wind up with a .cer file.

Creating the Configuration Profile

Begin by creating a new Configuration Profile, name it whatever you’d like, and we can leave this as a Computer-Level profile.

If Using an Institutional Recovery Key:

  1. Configure the Certificates payload
  2. Name this certificate “Institutional Recovery Key” or something else that makes sense
  3. Change “Select Certificate Option” to Upload
  4. Choose the .cer file created in the previous section
  5. The Certificates payload should now look like the screenshot to the right
  6. Save the entire Configuration Profile before moving on – Edit it again to proceed

Configuring FileVault Settings

The FileVault settings are inside of the Security & Privacy payload. With this payload, however, comes General (including Gatekeeper), Firewall, and Privacy. Make sure there’s not already an existing Security & Privacy payload scoped to the same machines that is managing those settings as we don’t want duplicate payloads.

  1. Check the box to “Require FileVault 2”
    • If using an Institutional Recovery Key, check the box to “Use institutional recovery key
      • Change the “Certificate” dropdown menu to reflect the Certificate Name we configured previously
    • If using an Individual Recovery Key, check the box to “Create individual recovery key
  2. Optionally check the box to “Require user to unlock FileVault 2 after hibernation

Enabling Escrow of the Personal Recovery Key

If this Profile will be used to encrypt machines running macOS 10.13 or later, and we want to store the Individual Recovery Key (referred to in this setting as a “Personal Recovery Key”) in Jamf Pro, then we need to check the box to “Enable Escrow Personal Recovery Key

  1. The Escrow Location Description message must be configured, and it can be as simple as something like “Your Recovery Key Will be Sent to IT for Safe-Keeping.”
  2. “Record Number” Message is optional, but something like “Please Give IT This Number” would make sense here.
  3. Leave Personal Recovery Key Encryption Method as “Automatically encrypt and decrypt recovery key

The FileVault tab should now look like this if we’re deploying both an Institutional and Individual Recovery Key:


Redirecting Individual Recovery Keys to macOS 10.12 and Earlier

The setting to Enable Escrow Personal Recovery Key is only applicable for macOS 10.13 and later. In order to redirect the Individual Recovery Key to Jamf Pro for macOS 10.12 or earlier, we need to use a completely separate payload. It is absolutely acceptable to put both payloads in the same profile – the operating system will just ignore the profile that it doesn’t need.

  1. Configure the FileVault Recovery Key Redirection payload
  2. Change the Recovery Key Redirection dropdown to “Automatically redirect recovery keys to the Jamf Pro server

A Final Note on the Certificates Payload

Depending on which settings we enabled for escrowing or redirecting the Individual Recovery Key, we may see additional entries in the Certificates payload. This is normal, and required.

  • If we enabled escrow in the Security & Privacy payload, there should be a certificate titled “JSS FileVault Recovery Key Escrow Certificate.”
  • If we enabled redirection with the FileVault Recovery Key Redirection payload, there should be a certificate titled “JSS FileVault Recovery Key Redirection Certificate

That’s it! We’re ready to scope the Configuration Profile out to our managed Macs and kick off the encryption process! Once the Individual Recovery Key is sent back to Jamf Pro (if configured) we can see it in an individual Computer Inventory Record under the Management tab, and then under the FileVault 2subheading.