script to enable filevault on mac

If other users have accounts on your Mac, you might see a message that each user must type in their password before they will be able to unlock the disk. If you want to change the recovery key used to encrypt your startup disk, turn off FileVault in Security & Privacy preferences. To enable encryption, you need to switch on something called FileVault, but why would you want to turn off FileVault? There's a project called Crypt that involves a login hook that checks whether encryption is enabled or not and then prompts the user to enable encryption. Not all languages and regions are serviced by AppleCare or iCloud, and not all. Once FileVault is enabled on your Mac, all existing data will be encrypted. Choose Apple menu > System Preferences, then click Security & Privacy. It prompts users to enter their Mac password, and uses this password to generate a new FileVault key and escrow with the JSS. When the user tries powering on the Mac their login icon won't be there anymore and they won't be able to log in to the Mac at all. Click the Security & Privacy panel. After upgrading OS X, open FileVault preferences and follow the onscreen instructions to upgrade FileVault. Yesterday I got a new 2017 MacBook, and was setting it up from scratch. To check the status of FileVault within Terminal, type the following: fdesetup status. This can take anywhere from 15 minutes to 3 hours depending on the amount of data on your Mac and the speed of your Mac. The credentials to unlock the drive are stored either in the iCloud or the user Account offering you a passphrase to decrypt/unlock the drive. This login screen is built-in at the EFI level or a special boot loader in computers with the T2 chip. When FileVault setup is complete and you restart your Mac, you will use your account password to unlock your disk and allow your Mac to finish starting up. I use a time based launchd script, but outset (a loginhook-like launchd script) might be better.
At login the user gets a popup asking to enable FileVault, but nothing actually happens when clicking ok. Whatever your reason, Apple provides data encryption on macOS and Apple calls it FileVault. It was terrible. FileVault doesn’t protect against poor passwords or leaving your computer unattended. Enabling FileVault via a Jamf Pro policy on a Mac with NO Secure Token holder does not work. If you don’t want to use iCloud FileVault recovery, you can create a local recovery key. Enable FileVault Encryption on Your Mac. FileVault is one of those Mac features that you know is there but are never really sure what it’s there for. Important: On macOS 10.13.2, you cannot select the management account on a computer as the enabled FileVault user. Select Security & … In the Patch and compliance tool, click All types > Scan. Click the FileVault tab. If you would like to change the Deferred Enabled user which is designated to enable FileVault, you would need to remove the deployed payload (if done via MDM) from the device. If you’re using OS X Yosemite or later, you can choose to use your iCloud account to unlock your disk and reset your password. So you must enable it. Terminal will report back with a message telling you if FileVault is on or off. FileVault 2 is available in OS X Lion or later. When enabling FileVault, carefully write down your recovery key somewhere, and be certain to make a copy of exactly what is shown. Keep the letters and numbers of the key somewhere safe—other than on your encrypted startup disk. But what if the Mac is either not logged into a user account, or what if you need to identify FileVault usage remotely? If you have a server or other remotely accessed Mac, you can use a couple of approaches to encrypt the hard drive. For each user, click the Enable User button and enter the user's password.
I'll verify everything once again when full public Apple documentation is available. Click the Lock button, then enter an administrator name and password. This means that they do not have the authority to decrypt the data you have encrypted using FileVault. If you're using OS X Mavericks, you can choose to store a FileVault recovery key with Apple by providing the questions and answers to three security questions. When you buy a macOS computer for the first time, FileVault is switched off by default. I have a script that would lock the user out of FileVault, then force a shutdown. The reason was that somehow FileVault was not accepting his credentials even though the user was enabled under it. A new major macOS has been released so there is no escaping from checking what macOS Big Sur brings us in view of FileVault, SecureToken and Bootstrap! Ultimately, I found this issue because I'm unable to simply do a "sudo fdesetup enable" from Terminal. But then no one can ever recover your data, not even you. Once the user is logged in, open System Preferences. To disable an existing account for FileVault, the computer must have macOS 10.13. Identifying Macs that are using FileVault is fairly easy in person for machines that have a logged in user account, all you have to do is check System Preferences to see if it has been enabled or not. When you have done so, everything on your computer is encrypted. After upgrading to High Sierra, booting the system, began to ask me for two passwords, one for FileVault and another for the session. To check the status of FileVault within Terminal, copy and paste: fdesetup status. RAID partitions or non-standard Boot Camp partitions on the startup drive might prevent OS X from installing a local.
Not all languages and regions are serviced by AppleCare or iCloud, and not all AppleCare-serviced regions offer support in every language. If you set up your Mac for a language that AppleCare doesn't support, then turn on FileVault and store your key with Apple (OS X Mavericks only), your security questions and answers could be in a language that AppleCare doesn't support. When you use Jamf Now to set up FileVault, the recovery keys will be stored. While enabling and using FileVault disk encryption is highly recommended for security-conscious Mac users with modern hardware and SSD volumes, some users may decide they do not need to use FileVault for a variety of reasons, or perhaps they just want to disable it for another purpose. Click on the “Enable Users” button. If the enabled user is “Management Account”, and the computer is APFS enabled, FileVault is activated on a …

When FileVault is turned on, your Mac always requires that you log in with your account password. FileVault was originally introduced to Mac back in 2003 on OS X 10.3 Panther. This way, your files will be protected from unauthorized access. If you forget your account password or it doesn't work, you might be able to reset your password. Enable FileVault. FileVault encryption is unfortunately one of the things for Mac admins that is extremely difficult to automate. Encryption occurs in the background as you use your Mac, and only while your Mac is awake and plugged in to AC power.
I disabled FileVault on 10.11.3 --> upgrade to 10.11.4 --> re-enable FileVault on 10.11.4 --> same result. I am using macOS Mojave 10.14.1. If you haven't already, use the Patch and compliance tool to download Apple Mac Vulnerabilities. I deactivated FileVault. * If you store your recovery key with Apple or your iCloud account, there's no guarantee that Apple will be able to give you the key if you lose or forget it. Click Edit next to registered Network Account Server, and then click Open Directory Utility. Click on the FileVault tab to access the FileVault settings. Enabling FileVault. Every time you boot up, it asks for your password. This is handy if you forget the password to the Mac and still need to get access. FileVault is full disk encryption for Mac. Mac computers are highly sought after by thieves, and if yours gets nicked, encryption is essential. The user must enter their FileVault password to unlock the boot drive and launch macOS. Luckily, there is a viable solution to the problem of enabling FileVault for High Sierra users, but first, let’s explore some of the problems macOS users have with FileVault enabled. FileVault is a built-in encryption mechanism developed by Apple, and it encrypts all files on Mac’s startup disk. Since the accounts and passwords are in the plist file, fdesetup does not need to prompt for passwords. FileVault 2: Enable or Disable authorized users using Terminal. Posted by Sunny [BitFuse] on December 11, 2017 in Mac OS, Security. FileVault is a disk encryption feature built-in to Mac OS X which encrypts and protects your MacBook data from unauthorized access. If you enable FileVault, erasing your lost Mac can be done in seconds, since the only thing it has to erase is your encryption key. For each user, … Now, click on the lock icon and enter your administrator password. FileVault is a security feature that offers full disk encryption for Macs.
You can then turn it on again to generate a new key and disable all older keys. FileVault 2 is a great way to secure the contents of your Mac computers. This is a quick and simple way of checking the status. And how do you do it? Here's how to use Terminal to manage FileVault 2 permissions on the fly or using bash scripts. I didn't make clean install. I did try to upgrade to 10.11.4, hope it could fix it but no luck.