FileVault 2¶
You can use FileVault 2 to perform full XTS-AES 128 encryption on the contents of a volume. Removal of the FileVault payload does not disable FileVault.
A personal recovery user will normally be created unless the UseRecoveryKey key value is false.
An institutional recovery key will be created only if either there is certificate data available in the Certificate key value, a specific certificate payload is referenced, or the UseKeychain key value is set to true and a valid FileVaultMaster.keychain file was created.
In all cases, the certificate information must be set up properly for FileVault or it will be ignored and no institutional recovery key will be set up.
Contents
Summary¶
PayloadType: | com.apple.MCX.FileVault2 |
---|---|
Supervised Only: | |
N/A | |
macOS: | 10.9 |
macOS Deprecated: | |
10.12.6 | |
iOS: | N/A |
iOS Deprecated: | N/A |
Highlander: | N/A |
Keys¶
Enable¶
Enable FileVault 2
Set to ‘On’ to enable FileVault. Set to ‘Off’ to disable FileVault. This value is required.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | N/A | always | N/A | N/A | N/A | N/A |
Defer¶
Defer enabling until logout
Set to true to defer enabling FileVault until the designated user logs out. For details, see fdesetup(8). The person enabling FileVault must be either a local user or a mobile account user.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | N/A | N/A | N/A | N/A | N/A | N/A |
UserEntersMissingInfo¶
User enters username and password
Set to true for manual profile installs to prompt for missing user name or password fields.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | N/A | N/A | N/A | N/A | N/A | N/A |
UseRecoveryKey¶
Create a personal recovery key
Set to true to create a personal recovery key
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | True | N/A | N/A | N/A | N/A | N/A |
ShowRecoveryKey¶
Show the personal recovery key
Set to false to not display the personal recovery key to the user after FileVault is enabled
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | True | N/A | N/A | N/A | N/A | N/A |
OutputPath¶
Recovery key path
Path to the location where the recovery key and computer information plist will be stored.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
Certificate¶
Certificate
DER-encoded certificate data if an institutional recovery key will be added.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
data | N/A | N/A | N/A | N/A | N/A | N/A |
PayloadCertificateUUID¶
Recovery Key Certificate Payload
UUID of the payload containing the asymmetric recovery key certificate payload.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
Username¶
Username
User name of the Open Directory user that will be added to FileVault.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
Password¶
Password
User password of the Open Directory user that will be added to FileVault. Use the UserEntersMissingInfo key if you want to prompt for this information.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
UseKeychain¶
Add institutional recovery key to keychain
If set to true and no certificate information is provided in this payload, the keychain already created at /Library/Keychains/FileVaultMaster.keychain will be used when the institutional recovery key is added.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | N/A | N/A | N/A | N/A | N/A | N/A |
DeferForceAtUserLoginMaxBypassAttempts¶
Maximum number of times FileVault can be skipped
When using the Defer option you can optionally set this key to the maximum number of times the user can bypass enabling FileVault before it will require that it be enabled before the user can log in. If set to 0, it will always prompt to enable FileVault until it is enabled, though it will allow you to bypass enabling it. Setting this key to –1 will disable this feature.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | N/A | N/A | N/A | N/A | 10.10.0 | N/A |