Device Management Profile

FDEFileVault

The payload for configuring FileVault. 

Properties

Certificate
data

The DER-encoded certificate data for the institutional recovery key, used if UseRecoveryKey is enabled.

Defer
boolean

If true, defers enabling FileVault until the designated user logs out. For details, see fdesetup(8). The person enabling FileVault must be either a local user or a mobile account user.

DeferDontAskAtUserLogout
boolean

If true, prevents requests for enabling FileVault at user logout time. 

DeferForceAtUserLoginMaxBypassAttempts
integer

The maximum number of times users can bypass enabling FileVault before being required to enable it to log in. If the value is 0, users are always prompted to enable FileVault, although they're not required to do so. Setting this key to -1 disables the feature.

Enable
string
(Required)

Set to On to enable FileVault, or Off to disable it. This key is a string, not a boolean. Possible values: On, Off.

OutputPath
string

The path to the location where the recovery key and computer information property list are stored.

Password
string

The password of the Open Directory user to be added to FileVault. Because the profile is a property list, a password placed here is stored in the clear; use the UserEntersMissingInfo key if you want to prompt for this information instead.

PayloadCertificateUUID
string

The UUID of the payload within the same profile containing the asymmetric recovery key certificate payload.

ShowRecoveryKey
boolean

If false, prevents display of the personal recovery key to the user after FileVault is enabled.

UseKeychain
boolean

If true and no certificate information is provided in this payload, the keychain created at /Library/Keychains/FileVaultMaster.keychain is used when the institutional recovery key is added.

UseRecoveryKey
boolean

If true, creates a personal recovery key and displays it to the user.

UserEntersMissingInfo
boolean

If true, enables a prompt for missing user name or password fields.

Username
string

The user name of the Open Directory user to be added to FileVault.

Discussion

Specify com.apple.MCX.FileVault2 as the payload type.

FileVault 2 performs full XTS-AES-128 encryption on the contents of a volume. Removing the FileVault payload does not disable FileVault.

As of macOS 10.15 this payload requires User Approved MDM.

Profile Availability

Device Channel: macOS
User Channel: -
Allow Manual Install: macOS
Requires Supervision: -
Requires User Approved MDM: macOS
Allowed in User Enrollment: -
Allow Multiple Payloads: -

See Also

Full Disk Encryption

object FDERecoveryKeyEscrow

The payload for configuring FileVault recovery key escrow.