This article will discuss deploying FileVault 2 via a Configuration Profile to managed Macs with Jamf Pro using either an Individual Recovery Key, an Institutional Recovery Key, or both together.
Creating an Institutional Recovery Key
Skip this section if you do not plan to deploy an Institutional Recovery Key.
Jamf has excellent documentation on how the Institutional Recovery Key is created. In order to wind up with a key we can upload to Jamf Pro, use the directions in the section titled “Creating and Exporting an Institutional Recovery Key without the Private Key” to wind up with a .cer file.
Creating the Configuration Profile
Begin by creating a new Configuration Profile, name it whatever you’d like, and we can leave this as a Computer-Level profile.
If Using an Institutional Recovery Key:
Configure the Certificates payload
Name this certificate “Institutional Recovery Key” or something else that makes sense
Change “Select Certificate Option” to Upload
Choose the .cer file created in the previous section
The Certificates payload should now look like the screenshot to the right
Save the entire Configuration Profile before moving on - Edit it again to proceed
Configuring FileVault Settings
The FileVault settings are inside of the Security & Privacy payload. With this payload, however, comes General (including Gatekeeper), Firewall, and Privacy. Make sure there’s not already an existing Security & Privacy payload scoped to the same machines that is managing those settings as we don’t want duplicate payloads.
Check the box to “Require FileVault 2”
If using an Institutional Recovery Key, check the box to “Use institutional recovery key”
Change the “Certificate” dropdown menu to reflect the Certificate Name we configured previously
If using an Individual Recovery Key, check the box to “Create individual recovery key”
Optionally check the box to “Require user to unlock FileVault 2 after hibernation”
Enabling Escrow of the Personal Recovery Key
If this Profile will be used to encrypt machines running macOS 10.13 or later, and we want to store the Individual Recovery Key (referred to in this setting as a “Personal Recovery Key”) in Jamf Pro, then we need to check the box to “Enable Escrow Personal Recovery Key”
The Escrow Location Description message must be configured, and it can be as simple as something like “Your Recovery Key Will be Sent to IT for Safe-Keeping.”
“Record Number” Message is optional, but something like “Please Give IT This Number” would make sense here.
Leave Personal Recovery Key Encryption Method as “Automatically encrypt and decrypt recovery key”
The FileVault tab should now look like this if we're deploying both an Institutional and Individual Recovery Key:
Redirecting Individual Recovery Keys to macOS 10.12 and Earlier
The setting to Enable Escrow Personal Recovery Key is only applicable for macOS 10.13 and later. In order to redirect the Individual Recovery Key to Jamf Pro for macOS 10.12 or earlier, we need to use a completely separate payload. It is NOT possible to deploy BOTH redirection payloads to the same computer. This used to be acceptable, but no longer. Now if we were to deploy both redirection payloads to the same machine, FileVault will not enable.
Configure the FileVault Recovery Key Redirection payload
Change the Recovery Key Redirection dropdown to “Automatically redirect recovery keys to the Jamf Pro server”
A Final Note on the Certificates Payload
Depending on which settings we enabled for escrowing or redirecting the Individual Recovery Key, we may see additional entries in the Certificates payload. This is normal, and required.
If we enabled escrow in the Security & Privacy payload, there should be a certificate titled “JSS FileVault Recovery Key Escrow Certificate.”
If we enabled redirection with the FileVault Recovery Key Redirection payload, there should be a certificate titled “JSS FileVault Recovery Key Redirection Certificate”
That’s it! We’re ready to scope the Configuration Profile out to our managed Macs and kick off the encryption process! Once the Individual Recovery Key is sent back to Jamf Pro (if configured) we can see it in an individual Computer Inventory Record under the Management tab, and then under the FileVault 2 subheading.