The payload for configuring FileVault recovery key escrow.
- macOS 10.13+
The string that's included in help text if the user appears to have forgotten the password. Site admins can use this key to look up the escrowed key for the particular computer.
This key replaces the
Record key used in the previous escrow mechanism. If the key is missing, the device serial number is used instead.
Cert Payload UUID
The UUID of a payload within the same profile that contains the certificate that will be used to encrypt the recovery key. The referenced payload must be of type
The description of the location where the recovery key will be escrowed. This text will be inserted into the message the user sees when enabling FileVault.
com as the payload type.
FileVault Full Disk Encryption (FDE) recovery keys are, by default, sent to Apple if the user requests them. Only one payload of this type is allowed per system.
If FileVault is enabled after this payload is installed on the system, the FileVault PRK is encrypted with the specified certificate, wrapped with a CMS envelope and stored at
/var/db/File. The encrypted data is made available to the MDM server as part of the
Alternatively, if a site uses its own administration software, it can extract the PRK from the foregoing location at any time. Because the PRK is encrypted using the certificate provided in the profile, only the author of the profile can extract the data.
Note these cautions:
The payload must exist in a system-scoped profile.
Installing more than one payload of this type per computer results in an error.
The previous payload (
com) is no longer supported. It can still be installed but it's ignored, so servers can send out the same profile to old and new clients.
.apple .security .FDERecovery Redirect
If only an old-style redirection payload is installed at the time FileVault is turned on through the Security Preferences pane, an error is displayed and FileVault isn't enabled.
No warning or error is provided if FileVault is already enabled and an old-style payload is installed. In this case, it's assumed that the recovery key has already been escrowed with the server.
Although the previous FDE Recovery payload is no longer supported in macOS 10.13 and later, it's still supported in macOS 10.9 through 10.12. Designate that payload by specifying
com as the payload type.
Allow Manual Install
Requires User Approved MDM
Allowed in User Enrollment
Allow Multiple Payloads