FileVault MDM payload settings for Apple devices
You can configure FileVault settings for Mac computers enrolled in a mobile device management (MDM) solution. Use the FileVault payloads to manage FileVault in macOS.
The FileVault payloads support the following. For more information, see Payload information.
Supported approval method: com.apple.MCX.FileVault2 requires user approval.
Supported payload identifiers: com.apple.MCX, com.apple.MCX.FileVault2, com.apple.security.FDERecoveryKeyEscrow
Supported operating systems and channels: macOS device, macOS user.
Supported enrolment types: Device Enrolment, Automated Device Enrolment.
Duplicates allowed: False — only one of each FileVault payload can be delivered to a device.
You can use the settings in the table below with the FileVault payloads.
com.apple.MCX payload settings:
Setting | Description | Required
---|---|---
Allow FileVault to be turned on or turned off | Yes or no. | No
Prevent FileVault from being turned on or turned off | Yes or no. | No
Destroy FileVault key on standby | Prevents the FileVault key from being kept in memory across standby, so the volume must be unlocked again with a user password when the Mac wakes. | No
com.apple.MCX.FileVault2 payload settings:
Setting | Description | Required
---|---|---
Certificates payload | A Certificates payload can be selected from the list. | No
Defer | FileVault turns on the next time a user logs out. | No
Don’t ask at user logout | Prevents requests for turning on FileVault at user logout time. | No
Login bypass attempts | The maximum number of times users can bypass turning on FileVault before being required to turn it on to log in. If the value is 0, the user is required to turn on FileVault the next time they attempt to log in. Setting this key to –1 disables the feature. | No
Enable | Enables FileVault. | Yes
Output path | The path to the location where the recovery key and computer information property list are stored. | No
Password | The password of the Open Directory user to be added to FileVault. Use the | No
Payload certificate UUID | The UUID of the payload within the same profile containing the asymmetric recovery key certificate payload. | No
Show recovery key | If false, prevents display of the personal recovery key to the user after FileVault is turned on. | No
Use keychain | If true and no certificate information is provided in this payload, the keychain created at /Library/Keychains/FileVaultMaster.keychain is used when the institutional recovery key is added. | No
Use recovery key | If true, creates a personal recovery key and displays it to the user. | No
User enters missing info | If true, enables a prompt for missing username or password fields. | No
Username | The username of the Open Directory user to be added to FileVault. | No
Turn on in Setup Assistant | Requires that FileVault be turned on in Setup Assistant. If set, all keys except Show recovery key are ignored. | No
FDE Recovery Key Escrow payload settings:
Setting | Description | Required
---|---|---
Device key | The text that’s included in help text if the user appears to have forgotten the password. Note: This key replaces the | No
Encrypt certificate payload UUID | The UUID of a payload within the same profile that contains the certificate that is used to encrypt the recovery key. The referenced payload must be of type | Yes
Location | The description of the location where the recovery key is escrowed. This text is inserted into the message the user sees when turning on FileVault. | Yes
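The three tables above describe settings that arrive on the Mac as keys inside payload dictionaries of a configuration profile. The following added example (not Apple's code and not part of this page) builds such a profile with Python's plistlib and checks the cross-payload rules the tables imply: only one of each FileVault payload, Enable present in the com.apple.MCX.FileVault2 payload, a Location and an Encrypt certificate payload UUID in the escrow payload, and every certificate UUID resolving to a payload in the same profile. Plist key names follow Apple's configuration profile reference; the payload type com.apple.security.pkcs1 for the certificate payload, the UUIDs, identifiers, organization strings and the stand-in certificate bytes are assumptions constructed for the example.

```python
"""Build and sanity-check a FileVault .mobileconfig (added example, not Apple's code)."""
import plistlib

# Payload type identifiers listed on the page.
FILEVAULT2 = "com.apple.MCX.FileVault2"
ESCROW = "com.apple.security.FDERecoveryKeyEscrow"
MCX = "com.apple.MCX"
# Assumption: the escrow certificate travels in a PKCS#1 certificate payload.
PKCS1 = "com.apple.security.pkcs1"

# Fixed, constructed UUIDs so the output is deterministic.
CERT_UUID = "0E3E5B9C-6C1B-4B6F-9F2D-1A2B3C4D5E6F"
FV_UUID = "7C2B2C9A-2B8F-4A2E-8E7D-0A1B2C3D4E5F"
ESCROW_UUID = "A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D"
MCX_UUID = "5F4E3D2C-1B0A-4F9E-8D7C-6B5A4F3E2D1C"
PROFILE_UUID = "9A8B7C6D-5E4F-4A3B-8C2D-1E0F9A8B7C6D"

# Constructed stand-in for the DER-encoded escrow certificate; a real profile
# carries the public certificate whose private key the escrow service holds.
FAKE_CERT_DER = b"\x30\x03\x02\x01\x00"


def _base(ptype, pid, puuid, name):
    """Common keys every payload dictionary must carry."""
    return {"PayloadType": ptype, "PayloadIdentifier": pid, "PayloadUUID": puuid,
            "PayloadVersion": 1, "PayloadDisplayName": name}


def build_profile() -> dict:
    """Profile that enables FileVault at next logout and escrows the recovery key."""
    cert = _base(PKCS1, "com.example.fv.cert", CERT_UUID, "FileVault escrow certificate")
    cert["PayloadContent"] = FAKE_CERT_DER  # plistlib writes bytes as <data>

    fv = _base(FILEVAULT2, "com.example.fv.enable", FV_UUID, "FileVault")
    fv.update({
        "Enable": "On",                                 # the only required key
        "Defer": True,                                  # turn on at next logout
        "DeferForceAtUserLoginMaxBypassAttempts": 0,    # must enable at next login
        "DeferDontAskAtUserLogout": False,
        "UseRecoveryKey": True,                         # create a personal recovery key
        "ShowRecoveryKey": False,                       # don't show it; it is escrowed
    })

    escrow = _base(ESCROW, "com.example.fv.escrow", ESCROW_UUID, "Recovery key escrow")
    escrow.update({
        "EncryptCertPayloadUUID": CERT_UUID,            # must point at a payload in this profile
        "Location": "Example Corp IT help desk",        # shown to the user when FileVault turns on
    })

    mcx = _base(MCX, "com.example.fv.mcx", MCX_UUID, "FileVault restrictions")
    mcx.update({"dontAllowFDEDisable": True,            # prevent FileVault from being turned off
                "DestroyFVKeyOnStandby": True})         # drop the key on standby

    return {"PayloadType": "Configuration", "PayloadScope": "System",
            "PayloadIdentifier": "com.example.filevault", "PayloadUUID": PROFILE_UUID,
            "PayloadVersion": 1, "PayloadDisplayName": "FileVault with key escrow",
            "PayloadContent": [cert, fv, escrow, mcx]}


def check_profile(profile: dict) -> list:
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID") for p in payloads}
    by_type = {}
    for p in payloads:
        by_type.setdefault(p.get("PayloadType"), []).append(p)

    for t in (FILEVAULT2, ESCROW, MCX):          # duplicates allowed: False
        if len(by_type.get(t, [])) > 1:
            problems.append(f"{t}: duplicates not allowed")

    def check_ref(p, key, required):
        ref = p.get(key)
        if ref is None:
            if required:
                problems.append(f"{p['PayloadType']}: {key} is required")
        elif ref not in by_uuid:
            problems.append(f"{p['PayloadType']}: {key} {ref} not in profile")

    for fv in by_type.get(FILEVAULT2, []):
        if fv.get("Enable") != "On":
            problems.append(f"{FILEVAULT2}: Enable must be 'On'")
        check_ref(fv, "PayloadCertificateUUID", required=False)
        attempts = fv.get("DeferForceAtUserLoginMaxBypassAttempts")
        if attempts is not None and attempts < -1:
            problems.append(f"{FILEVAULT2}: bypass attempts must be -1 or >= 0")
        if fv.get("ForceEnableInSetupAssistant"):
            problems.append(f"{FILEVAULT2}: Setup Assistant mode ignores every key except ShowRecoveryKey")

    for es in by_type.get(ESCROW, []):
        check_ref(es, "EncryptCertPayloadUUID", required=True)
        if not es.get("Location"):
            problems.append(f"{ESCROW}: Location is required")
    return problems


def to_plist_bytes() -> bytes:
    """Serialize the profile; write these bytes to a .mobileconfig for your MDM."""
    return plistlib.dumps(build_profile())


def roundtrip_ok() -> bool:
    """The <data> element must come back as the original certificate bytes."""
    loaded = plistlib.loads(to_plist_bytes())
    return loaded["PayloadContent"][0]["PayloadContent"] == FAKE_CERT_DER


if __name__ == "__main__":
    print(check_profile(build_profile()) or "profile is consistent")
    print(to_plist_bytes().decode())
```

Run check_profile before uploading a profile: a dangling EncryptCertPayloadUUID or a second FileVault2 payload is easy to introduce when profiles are assembled from templates, and the page notes that MDM vendors apply these settings differently, so the structural checks here are the part that can be verified offline.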
Note: Each MDM vendor implements these settings differently. To learn how various FileVault settings are applied to your devices and users, consult your MDM vendor’s documentation.