Device Management Profile

FDERecoveryKeyEscrow

The payload for configuring FileVault recovery key escrow.

Properties

DeviceKey
string

The string that's included in help text if the user appears to have forgotten the password. Site admins can use this key to look up the escrowed key for the particular computer.

This key replaces the RecordNumber key used in the previous escrow mechanism. If the key is missing, the device serial number is used instead.

EncryptCertPayloadUUID
string
(Required)

The UUID of a payload within the same profile that contains the certificate that will be used to encrypt the recovery key. The referenced payload must be of type com.apple.security.pkcs1.

Location
string
(Required)

The description of the location where the recovery key will be escrowed. This text will be inserted into the message the user sees when enabling FileVault.

Discussion

Specify com.apple.security.FDERecoveryKeyEscrow as the payload type.

FileVault Full Disk Encryption (FDE) recovery keys are, by default, sent to Apple if the user requests them. Only one payload of this type is allowed per system.

If FileVault is enabled after this payload is installed on the system, the FileVault personal recovery key (PRK) is encrypted with the specified certificate, wrapped in a CMS envelope, and stored at /var/db/FileVaultPRK.dat. The encrypted data is made available to the MDM server as part of the SecurityInfo command.

Alternatively, if a site uses its own administration software, it can extract the PRK from the foregoing location at any time. Because the PRK is encrypted using the certificate provided in the profile, only the author of the profile can extract the data.

Note these cautions:

  • The payload must exist in a system-scoped profile.

  • Installing more than one payload of this type per computer results in an error.

  • The previous payload (com.apple.security.FDERecoveryRedirect) is no longer supported. It can still be installed but it's ignored, so servers can send out the same profile to old and new clients.

  • If only an old-style redirection payload is installed at the time FileVault is turned on through the Security Preferences pane, an error is displayed and FileVault isn't enabled.

  • No warning or error is provided if FileVault is already enabled and an old-style payload is installed. In this case, it's assumed that the recovery key has already been escrowed with the server.

Although the previous FDE Recovery payload is no longer supported in macOS 10.13 and later, it's still supported in macOS 10.9 through 10.12. Designate that payload by specifying com.apple.security.FDERecoveryRedirect as the payload type.
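As an added example (not part of Apple's documentation), the Python below builds a system-scoped profile that pairs a com.apple.security.pkcs1 certificate payload with the FDERecoveryKeyEscrow payload described above, and checks the constraints this page states before the profile is pushed: system scope, exactly one escrow payload, the two required keys, and an EncryptCertPayloadUUID that resolves to a pkcs1 payload in the same profile. The com.example identifiers and the certificate bytes are constructed placeholders; the use of PayloadContent to carry the DER certificate in the pkcs1 payload is an assumption drawn from that payload's own reference, not from this page.

```python
import uuid
PKCS1_TYPE = "com.apple.security.pkcs1"
ESCROW_TYPE = "com.apple.security.FDERecoveryKeyEscrow"

def build_escrow_profile(cert_der: bytes, location: str, device_key: str = "") -> dict:
    """System-scoped profile with a pkcs1 certificate payload and an escrow payload referencing it."""
    cert_uuid = str(uuid.uuid4()).upper()
    cert_payload = {
        "PayloadType": PKCS1_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.fde.escrow-cert",  # constructed identifier
        "PayloadUUID": cert_uuid,
        "PayloadContent": cert_der,  # DER certificate, serialized as plist <data> (assumption)
    }
    escrow = {
        "PayloadType": ESCROW_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.fde.escrow",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "EncryptCertPayloadUUID": cert_uuid,  # must resolve to the pkcs1 payload above
        "Location": location,  # inserted into the message shown when FileVault is enabled
        **({"DeviceKey": device_key} if device_key else {}),  # optional; serial number used if absent
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # the escrow payload must live in a system-scoped profile
        "PayloadIdentifier": "com.example.fde",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": [cert_payload, escrow],
    }

def validate_escrow_profile(profile: dict) -> list:
    """Return the documented constraints this profile violates (empty list if it is well formed)."""
    problems = []
    if profile.get("PayloadScope") != "System":
        problems.append("profile must be system-scoped")
    payloads = profile.get("PayloadContent", [])
    escrows = [p for p in payloads if p.get("PayloadType") == ESCROW_TYPE]
    if len(escrows) != 1:  # installing more than one per computer is an error
        problems.append(f"expected one {ESCROW_TYPE} payload, found {len(escrows)}")
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    for e in escrows:
        problems += [f"missing required key {k}" for k in ("EncryptCertPayloadUUID", "Location") if not e.get(k)]
        target = by_uuid.get(e.get("EncryptCertPayloadUUID"))
        if target is None:
            problems.append("EncryptCertPayloadUUID does not match a payload in this profile")
        elif target.get("PayloadType") != PKCS1_TYPE:
            problems.append(f"referenced payload is {target.get('PayloadType')}, not {PKCS1_TYPE}")
    return problems
```

The returned dictionary serializes to a .mobileconfig with plistlib.dumps(); run the validator on any profile before signing and distributing it so a dangling or mistyped EncryptCertPayloadUUID is caught server-side rather than on the client.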

Profile Availability

Device Channel: macOS

User Channel: -

Allow Manual Install: macOS

Requires Supervision: -

Requires User Approved MDM: -

Allowed in User Enrollment: -

Allow Multiple Payloads: -

See Also

Full Disk Encryption

object FDEFileVault

The payload for configuring FileVault.