Preparing for FileVault enablement involves understanding the basics of how FileVault works with macOS user accounts and deciding on a recovery key type to use in your environment. If you choose to use an institutional recovery key, you will need to create and export it before deploying FileVault settings to target computers. If you choose to use a personal recovery key (also known as an "individual recovery key"), each computer will create its own unique key to be automatically escrowed by Jamf Pro during the enablement process.

When planning a workflow to automate FileVault enablement, make sure to consider the following:
  • Once a volume has been encrypted, a FileVault enabled user must authenticate at startup before the volume can be unlocked and the boot process can complete.

  • The first user account to authenticate to macOS after FileVault is enabled will become the first FileVault enabled user for that computer.

  • Only FileVault enabled user accounts can grant the FileVault enabled status to other user accounts.

Therefore, any provisioning workflow that creates a temporary macOS user account and deletes it afterwards risks deleting the only FileVault enabled user account on the computer. If this happens, the computer's encrypted disk cannot be unlocked either remotely or manually, and the computer must be wiped and reprovisioned. Before a workflow deletes a temporary account, confirm with the fdesetup list command that at least one other account is FileVault enabled.

In addition, Jamf does not recommend using the Jamf Pro management account as the first FileVault enabled user account on computers. In most cases, the end user's macOS account should be designated as the first FileVault enabled user account instead.
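The following script shows one way to build the two safeguards above into a provisioning workflow: a guard that parses fdesetup list output and refuses to delete a temporary account when it is the only FileVault enabled user, and a helper that uses an already enabled account to grant FileVault status to the end user via fdesetup add. It is an example added by the editor, not Jamf's own code or a Jamf Pro feature. The account names (tmpadmin, enduser), the function names, and the fdesetup output used for testing are assumptions constructed for illustration; fdesetup, sysadminctl and their options are Apple's real tools, so the live functions only work on macOS.

```shell
#!/bin/bash
# Editor-added example, not Jamf's own code. Account names and the sample
# "user,UUID" lines used to exercise the parser are constructed for illustration.
#
#   other_fv_user_exists  - parse `fdesetup list` output (one "username,UUID"
#                           line per FileVault enabled user) and report whether
#                           anyone besides the temporary account is enabled.
#   build_fv_add_plist    - build the input plist that `fdesetup add` expects.
#   grant_fv_status       - let an enabled account grant status to another user.
#   delete_temp_account_if_safe - live guard run before deleting the account.

set -u

# Usage: fdesetup list | other_fv_user_exists TEMP_USER
# Returns 0 if some user other than TEMP_USER is listed, 1 otherwise
# (an empty list also returns 1: nobody would be left to unlock the volume).
other_fv_user_exists() {
  local temp_user="$1" line user
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    user="${line%%,*}"                      # strip the ",UUID" suffix
    [ "$user" != "$temp_user" ] && return 0
  done
  return 1
}

# Minimal XML escaping so a password containing &, <, > or " cannot break
# (or inject into) the plist handed to fdesetup.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Usage: build_fv_add_plist ENABLED_USER ENABLED_PASS NEW_USER NEW_PASS
# Prints the plist on stdout. Username/Password identify the account that is
# already FileVault enabled; AdditionalUsers lists the account being granted
# FileVault status (only an enabled user can do the granting).
build_fv_add_plist() {
  local eu ep nu np
  eu=$(xml_escape "$1"); ep=$(xml_escape "$2")
  nu=$(xml_escape "$3"); np=$(xml_escape "$4")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>${eu}</string>
  <key>Password</key><string>${ep}</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>${nu}</string>
      <key>Password</key><string>${np}</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# macOS only. The plist is piped to fdesetup on stdin rather than written to
# disk, so the credentials never land in a file; run as root.
grant_fv_status() {
  build_fv_add_plist "$@" | /usr/bin/fdesetup add -inputplist
}

# macOS only. Deletes TEMP_USER only if FileVault is off, or if another account
# is FileVault enabled; otherwise leaves it in place and returns 1.
delete_temp_account_if_safe() {
  local temp_user="$1"
  if [ "$(/usr/bin/fdesetup status | head -n 1)" != "FileVault is Off." ]; then
    if ! /usr/bin/fdesetup list | other_fv_user_exists "$temp_user"; then
      echo "$temp_user is the only FileVault enabled user; not deleting" >&2
      return 1
    fi
  fi
  /usr/sbin/sysadminctl -deleteUser "$temp_user"
}
```

In a real workflow the order matters: first grant the end user FileVault status with grant_fv_status (authenticating as the temporary account, which is the enabled user at that point), then call delete_temp_account_if_safe. The guard treats "FileVault is Off." as safe; if deferred enablement is pending for the temporary account, check the second line of fdesetup status as well before removing it.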