Deploying FileVault with a Configuration Profile

This article has been updated for the Security & Privacy payload changes that came with Jamf Pro 10.30. If you are using an older version of Jamf Pro, download the PDF of the previous version of this workflow. Additionally, if you haven’t upgraded to 10.30, take a look at my Jamf Nation User Conference presentation from 2019 about how you can create a FileVault profile that only configures FileVault.

This article will discuss deploying FileVault 2 via a Configuration Profile to managed Macs with Jamf Pro using either a Personal Recovery Key, an Institutional Recovery Key, or both together.

Creating an Institutional Recovery Key

Skip this section if you do not plan to deploy an Institutional Recovery Key.

Jamf has excellent documentation on how the Institutional Recovery Key is created. In order to wind up with a key we can upload to Jamf Pro, use the directions in the section titled “Creating and Exporting an Institutional Recovery Key without the Private Key” to wind up with a .cer file.

Note: My opinion on Institutional Recovery Keys is that they are inherently insecure. Regarding pros and cons, a pro is that every single computer in your fleet can be unlocked with one master key. A con… is that every single computer in your fleet can be unlocked with one master key. If that master key is compromised, so is your fleet’s encryption. So if you do want to go down the Institutional Recovery Key route, make sure to keep that private key safe!

Creating the Configuration Profile

Begin by creating a new Configuration Profile, name it whatever you’d like, and we can leave this as a Computer-Level profile.

If Using an Institutional Recovery Key:

(Screenshot: Cert.png, the completed Certificates payload)
  1. Configure the Certificates payload

  2. Name this certificate “Institutional Recovery Key” or something else that makes sense

  3. Change “Select Certificate Option” to Upload

  4. Choose the .cer file created in the previous section

  5. The Certificates payload should now look like the screenshot to the right

  6. Save the entire Configuration Profile before moving on - Edit it again to proceed

Configuring FileVault Settings

The FileVault settings are inside of the Security & Privacy payload. As of Jamf Pro 10.30, this payload is now modular - meaning, you only need to deploy the settings you actually care about. No more configuring General, Firewall, and Privacy just to be able to deploy some FileVault settings! There are also some new options available within the FileVault settings.

Start by selecting Security & Privacy from the list of available payload options in a new Configuration Profile. After clicking on Security & Privacy, a list will appear directly beneath it. Choose FileVault from this list to begin configuring FileVault settings.

  1. Include the setting to “Enable FileVault”

    • Keep the default setting of “At Login” for the “Event to prompt FileVault enablement”

      • If this is changed to “At Logout,” a user could endlessly click “Cancel” at logout with no consequences, and FileVault won’t ever get turned on. Only “At Login” cannot be cancelled by the user.

    • Optionally change the value for “Allow users to bypass FileVault prompts at login”

      • The default “Require on the next login” option means the next time the user logs into the computer, they must turn on FileVault in order to proceed. If they decline to do so, they’re returned to the login screen and the process will repeat until they turn FileVault on.

      • The options to “Require after 3 attempts” or “Custom” are the same concept as above, but the user will be able to proceed through the login process a number of times equal to the value set here.

        • So, “Require after 3 attempts” means a user can log in 3 times and decline FileVault each time, but the fourth time they log in, they must enable FileVault to proceed. “Custom” allows you to set this value to a number of your choosing, up to a maximum of 9,999.

          • “Prompt always” is the same as setting the “Custom” value to 9,999.

    • Choose your “Recovery keys” option

      • Choosing “Institutional Recovery Key” or “Personal and Institutional Recovery Key” requires the Certificates payload to be configured. See the previous section of this article, “If using an Institutional Recovery Key” for more information.

      • Choosing “Personal Recovery Key” or “Personal and Institutional Recovery Key” will reveal an additional option to “Display personal recovery key to user”

        • Leaving this as the default “Hide” option will not show the personal recovery key to the user during the encryption process. Choosing “Display” will show the user their recovery key.

  2. Optionally include the setting to “Require user to unlock FileVault after hibernation”

Recovery Key Escrow & Redirection

If this Profile will be used to encrypt machines running macOS 10.13 or later, and we want to store the Personal Recovery Key in Jamf Pro, then we need to include the setting to “Escrow Personal Recovery Key”.

  1. Leave the “Encryption Method” set to “Automatically encrypt and decrypt recovery key”

  2. The “Escrow Location Description” message must be configured, and it can be as simple as something like “Your Recovery Key will be sent to IT for safe-keeping.” This will be displayed to the user, so make sure it is written accordingly.

  3. The “Record Number” message is optional and only appears in Jamf Pro. The payload variable “$SERIALNUMBER” is frequently used here.

    • When using payload variables, it is essential that they are spelled and capitalized precisely.

      • $SERIALNUMBER is valid, and will correspond to the computer’s serial number

      • $serialnumber is invalid, and will literally say “$serialnumber” in Jamf Pro

      • $SerialNumber, $SERIAL, and any other combinations are also invalid.

The FileVault settings should now look something like this if we are utilizing only a Personal Recovery Key:

(Screenshot: FV.png, the FileVault settings with a Personal Recovery Key and escrow configured)

Redirecting Personal Recovery Keys to macOS 10.12 and Earlier

The setting to “Escrow Personal Recovery Key” is only applicable for macOS 10.13 and later. In order to redirect the Personal Recovery Key to Jamf Pro for macOS 10.12 or earlier, we need to use the deprecated “Recovery Key Redirection” setting at the bottom of the FileVault settings list. It is NOT possible to deploy BOTH redirection & escrow options to the same computer. This used to be acceptable, but no longer. Now if we were to deploy both redirection payloads to the same machine, FileVault will not enable, or the profile will fail to deploy altogether. Therefore, if we need to deploy FileVault to 10.12 and earlier computers, as well as 10.13 and later computers, we should create two separate profiles and utilize Smart Groups to properly scope our profiles.

To configure the “Recovery Key Redirection” settings:

  1. Include the “Recovery Key Redirection” setting

  2. Leave the “Redirection Method” dropdown set to “Automatically redirect recovery keys to the Jamf Pro server”

A Final Note on the Certificates Payload

Depending on which settings we enabled for escrowing or redirecting the Individual Recovery Key, we may see additional entries in the Certificates payload. This is normal, and required. Do not attempt to remove them.

  • If we enabled escrow in the Security & Privacy payload, there should be a certificate titled “JSS FileVault Recovery Key Escrow Certificate.”

  • If we enabled redirection with the FileVault Recovery Key Redirection payload, there should be a certificate titled “JSS FileVault Recovery Key Redirection Certificate.”
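To make the FileVault, Escrow, Redirection and Certificates sections above concrete, here is what those GUI choices become on disk. This is an added example, my own Python and not code from Jamf or Apple: it assembles a .mobileconfig from Apple’s documented payload keys (com.apple.MCX.FileVault2, com.apple.security.FDERecoveryKeyEscrow, the deprecated com.apple.security.FDERecoveryRedirect, and com.apple.security.pkcs1 for the Certificates payload) and refuses to put escrow and redirection in the same profile, which is the check the redirection section calls for. Assumptions: the mapping of Jamf’s “Record Number” message onto the DeviceKey key is mine, the certificate bytes in example_profile are a constructed placeholder rather than a real escrow certificate, and Jamf Pro’s own exported profile may order and name its payloads differently.

```python
# Added example, not Jamf's or Apple's code. Jamf expands $SERIALNUMBER at deploy
# time, so the variable is written out literally here.
import plistlib
import uuid

FILEVAULT_TYPE = "com.apple.MCX.FileVault2"
ESCROW_TYPE = "com.apple.security.FDERecoveryKeyEscrow"     # macOS 10.13 and later
REDIRECT_TYPE = "com.apple.security.FDERecoveryRedirect"    # deprecated: 10.12 and earlier
CERT_TYPE = "com.apple.security.pkcs1"                       # Certificates payload (DER cert)

# "Allow users to bypass FileVault prompts at login" mapped onto Apple's
# DeferForceAtUserLoginMaxBypassAttempts key; "Prompt always" is 9,999 as the article states.
BYPASS_CHOICES = {"Require on the next login": 0,
                  "Require after 3 attempts": 3,
                  "Prompt always": 9999}


def _payload(payload_type, display_name):
    """Keys every payload dictionary carries."""
    return {"PayloadType": payload_type,
            "PayloadIdentifier": f"{payload_type}.{uuid.uuid4()}",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadVersion": 1,
            "PayloadDisplayName": display_name}


def certificate_payload(display_name, der_bytes):
    """Certificates payload: the Institutional .cer, or the escrow/redirection cert Jamf adds."""
    p = _payload(CERT_TYPE, display_name)
    p["PayloadContent"] = der_bytes
    p["PayloadCertificateFileName"] = f"{display_name}.cer"
    return p


def filevault_payload(bypass="Require on the next login", custom_attempts=None,
                      personal_key=True, institutional_cert_uuid=None, show_key=False):
    """Security & Privacy > FileVault; the prompt event is pinned to "At Login"."""
    if not personal_key and institutional_cert_uuid is None:
        raise ValueError("choose a Personal key, an Institutional key, or both")
    attempts = custom_attempts if bypass == "Custom" else BYPASS_CHOICES[bypass]
    if attempts is None or not 0 <= attempts <= 9999:
        raise ValueError("Custom bypass attempts must be a number from 0 to 9,999")
    p = _payload(FILEVAULT_TYPE, "FileVault")
    p.update({"Enable": "On",
              "Defer": True,                        # prompt the user instead of needing credentials now
              "DeferDontAskAtUserLogout": True,     # "At Login": cannot be cancelled by the user
              "DeferForceAtUserLoginMaxBypassAttempts": attempts,
              "UseRecoveryKey": personal_key,       # Personal Recovery Key
              "ShowRecoveryKey": bool(personal_key and show_key)})  # "Display" vs default "Hide"
    if institutional_cert_uuid is not None:
        p["PayloadCertificateUUID"] = institutional_cert_uuid   # the .cer payload in this profile
    return p


def escrow_payload(location_message, escrow_cert_uuid, record_number=None):
    """Escrow Personal Recovery Key (10.13+); DeviceKey is assumed to hold the Record Number."""
    p = _payload(ESCROW_TYPE, "FileVault Recovery Key Escrow")
    p["Location"] = location_message               # shown to the user, so it is required
    p["EncryptCertPayloadUUID"] = escrow_cert_uuid
    if record_number:
        p["DeviceKey"] = record_number             # e.g. "$SERIALNUMBER", spelled exactly
    return p


def redirect_payload(jamf_url, redirect_cert_uuid):
    """Deprecated Recovery Key Redirection for 10.12 and earlier."""
    p = _payload(REDIRECT_TYPE, "FileVault Recovery Key Redirection")
    p["RedirectURL"] = jamf_url
    p["EncryptCertPayloadUUID"] = redirect_cert_uuid
    return p


def build_profile(name, payloads):
    """Assemble a computer-level profile, refusing escrow and redirection together."""
    types = {p["PayloadType"] for p in payloads}
    if ESCROW_TYPE in types and REDIRECT_TYPE in types:
        raise ValueError("escrow and redirection cannot share a profile: build two and "
                         "scope them with Smart Groups")
    top = _payload("Configuration", name)
    top.update({"PayloadScope": "System", "PayloadContent": payloads})
    return plistlib.dumps(top)


def load_profile(data):
    """Parse .mobileconfig bytes back into a dict for inspection."""
    return plistlib.loads(data)


def example_profile():
    """Personal Recovery Key only, escrowed to Jamf Pro, three bypass attempts."""
    escrow_cert = certificate_payload("JSS FileVault Recovery Key Escrow Certificate",
                                      b"\x30\x03\x02\x01\x00")   # constructed placeholder, not a real cert
    payloads = [filevault_payload(bypass="Require after 3 attempts"),
                escrow_payload("Your Recovery Key will be sent to IT for safe-keeping.",
                               escrow_cert["PayloadUUID"], record_number="$SERIALNUMBER"),
                escrow_cert]
    return build_profile("FileVault - Personal Recovery Key", payloads)
```

Writing example_profile() to a file with a .mobileconfig extension gives something you can open in a text editor beside the profile Jamf Pro generates, which is the quickest way to see which GUI option sets which key; the escrow and redirection payloads each reference their certificate payload by UUID, which is why the extra Certificates entries in the final note above must stay in place.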

That’s it! We’re ready to scope the Configuration Profile out to our managed Macs and kick off the encryption process! Once the Personal Recovery Key is sent back to Jamf Pro (if configured) we can see it in an individual Computer Inventory Record under the Inventory tab, and then under the Disk Encryption subheading. The Personal Recovery Key is hidden behind a “Show Key” button. If the “Record Number” Message was configured, the Device Recovery Key value will be set accordingly.

(Screenshot: Personal Recovery Key.png, the Disk Encryption section of a Computer Inventory Record)